This article describes how to use the learning engine in the Application Firewall module on a NetScaler software to generate rules.

Requirements

To use the learning engine, the Application Firewall must be configured to examine the required web application, and learning must be enabled for the protection types for which you want to generate rules.

Background

The learning engine on the Application Firewall module builds a database from all the data passing through it and when instructed from the GUI or the command line interface, the learning engine generates recommendations based on the settings entered. You then have the option of deploying the recommendation, modifying the recommendation before deploying, or skipping the recommendation. Rules do not take affect until they are deployed.

Instructions

To configure learning parameters on the Application Firewall, complete the following steps:

1. Select the Learning tab on the required Application Firewall profile.

2. Select the protection type on which you want to work.
   Note: For demonstration purposes, Start URLs is used.

3. You can configure Minimum # of sessions for Learning and % of sessions URL has been seen. The default is 10 for both options in earlier version of NetScaler software release, but is changed to 1 and 0, respectively, starting with NetScaler software release 9.3. If the Application Firewall is deployed in an environment where it has seen large amounts of traffic, then you can tune these numbers higher so that URLs with relatively few hits do not show up in the recommendation. After the high volume URLs are deployed as rules, these numbers can be lowered so that the URLs having fewer hits also have recommendations generated for them. If you do not see any recommendations when changing these options to higher numbers, gradually lower them. The lowest setting possible is 1 for minimum sessions and 0 for % sessions. The lowest setting is appropriate if learning was enabled so a walk-through of the application is done, where all the links are accessed, for the purpose of creating a rule set.

4. Click Manage rules and a new screen appears. This screen should list the recommendations after they are generated. The Simple tab shows all the URLs that are accessed individually, and the options to Deploy, Edit then deploy, and Skip.

5. On the Generalize tab, you have the option to enter the number of expressions to generate. When you select Generalize, the learning engine generates recommendations using regular expressions. The number of expressions generated is limited by the number that was entered. Change the number to a higher value if the rules look too generalized. Click Deploy to enforce the rule, or Edit and deploy to modify it before implementing it.
   Note: From NetScaler 10.1 the Generalize tab is replaced by Visualizer.