Adaptive Learning for WAF
Overview
Application learning is enabling WAF feature on Avi Vantage to analyze a set of incoming traffic processed by the WAF Policy.
When the Application Learning is enabled on a virtual service, which is hosted on a Service Engine, the Service Engine continuously analyzes the incoming traffic. The traffic selection for Application Learning is based on the WAF policy and WAF profiles configured.
It parses all paths containing URI or BODY parameters of an HTTP request. This collection continues during a specified duration or time interval. Once the timer is hit, the Service Engine sends the data to the Avi Controller for analysis. For the efficient Application Learning, the fine-tuning of many configuration parameters is necessary.
These WAF configuration parameters are distributed across WAF profiles and WAF policies. All these configuration parameters need tuning for the effective WAF app learning and optimizing SE and Avi Controller’s resources.
Starting with Avi Vantage release 20.1.1, Adaptive Application Learning is supported. In Adaptive Application Learning, SEs take control of adjusting these WAF parameters for the effective Application Learning.
Adaptive Application Learning
In the Adaptive Application Learning, the continuous modification of sampling percentage and learning interval is not required. Based on the resource available on the Service Engine, SEs decide the value of Sampling Percentage and the Learning Interval. These values are continuously adjusted as per the available resources on the SE, which in turn is used to process the WAF traffic. The following sections have more details on the Sampling Percentage and the Learning Interval.
To improve user experience and optimize resource usage while maximizing the application learning progress, a feedback system is created that tunes these parameters once learning is enabled on application. This empowers end-user to enable Positive Security Model (PSM) with Application Learning using minimum configuration changes.
For effective Adaptive Application Learning, the followings parameters are continuously adjusted by SEs:
- Sampling Percentage
- Learning Interval
Prior to Avi Vantage release 20.1.1, the parameters mentioned above require manual intervention as these were not adjusted automatically. For more information and recommendation on these parameters, refer to the below sections.
Sampling Percentage
For a WAF policy, sampling is assigning a percentage of the incoming requests to participate in the Application Learning process.
The sampling rate controls the frequency of the Service Engine analyzing requests.
If the value of sampling frequency is set to 50%, the Service Engine will only examine 50% of the incoming request or every alternate request.
It is recommended to use the sampling percentage as 100% in the initial phase of Application Learning. This helps in collecting the fastest data aggregation, and efficient application learning.
Using the sampling percentage, SE resources usage can be minimized when the Application Learning progresses. When the Application Learning is completed, the URI information is sent to Avi Controller tend to peak or fall. The Avi Controller sends the adjusted sampling percent (reduced) to the SEs. After the sampling, The SEs have to inspect or evaluate only a small percentage of the incoming traffic, thus maximizing SE’s performance.
Currently, the max sampling percent for the application learning is set to 100%, the minimum percentage can be set as 1%.
To disable this feature, use the configuration knob enable_adaptive_config
available under the analytics profile.
By default, the value of the enable_adaptive_config
parameter is set to true.
In the Adaptive Application Learning, when the new type of traffic is received by SEs, the Avi Controller notifies the Service Engines to increase the sampling percentage.
The option to set Sampling Percentage is available under the App Learning tab of WAF policy.
To change the sampling percentage for the incoming request for a WAF policy, navigate to Template > WAF > WAF Policy > App Learning, as shown below. The value for this parameter can be set to any value between 1 and 100.
The sampling percentage varies based on the nature of traffic, and the learning statistics analyzed by Service Engine.
Learning Interval
Learning interval is the time period or duration, after which the Service Engine sends data related to Application Learning to the Avi Controller. By default, this duration is set to 30 minutes. This means that the Service Engines sends data to Avi Controller every half an hour for further processing.
This configuration parameter controls how often SEs send the URIs to the Avi Controller. Based on the learning activities or the amount of Application Learning data, the value of this parameter can be increased or decreased.
If the sampling percentage reaches the lowest, for instance, 1%, then the Learning Interval should be set to a higher value for instance, every 3 minutes.