
Analysis & Learning

About

When you open the WAF management screen of the relevant vService and click the Analysis & Learning button, the requests logged in the background while WAF was in Learning Mode are analyzed. A site map of the service is built from these logs, and path-based rules are created in the Rule Management tab of WAF's Advanced Settings based on the selected rule. Only the paths that you want to create rules for are kept in the analysis screen. All paths that are considered harmful or known not to exist in the service are removed from the analysis. This way, requests to the service are allowed only for the permitted paths.


Interface

1- Analysis Listing Screen


Analysis Listing Form

- Detail


Access the list of previously made analyses belonging to the relevant Virtual Host Group. For details click here.

Interface

2- Analysis & Learning

Used to start a new analysis for the relevant Virtual Host Group.


New Analyze Form (1)

New Analyze Form (2)

- Analyze Type


Select the analysis type.

In manual analysis, all paths in the site map are manually reviewed. Dynamic directories are applied, and paths to be removed from the analysis are identified.

- vService


Displays the name of the vService to be analysed.

- Virtual Host Groups


Displays information about the relevant Virtual Host Group where the analysis will be initiated.

- Analyze Date


Select the time interval for the analysis.

- Source


Selects which of the TR7 ASP devices in the cluster structure will perform the analysis. This tab is not visible when performing analysis on TR7 ASP devices that are not defined as clusters.

- Ignore Old Rules


Select the analysis policy.

Rules created by the analysis overwrite any rules that have already been created.

Once the analysis is completed, the rules to be created are combined with any rules that were created before.

- Rule Creating Mode


  • Page Independent > Page-independent mode is used when little detailed information (paths, request methods, variable structures, etc.) is available about the service where WAF is to be enabled. Basic protection is provided mainly based on OWASP. Learning is performed without path-based learning before learning from the default rule.
  • Data-Based > In Data-Based mode, the GET and HEAD HTTP methods are allowed in the default rule. Methods that require data transmission, such as POST, are not allowed. When analysis is performed in data-based mode, any data sent by the user to the server (data in a POST request, parameters in the query, data in the raw body, XML or JSON) is learned item by item. Requests can then be made to the relevant paths within the framework of the learned rules. A request to an unlearned path, such as "photo.jpeg", falls back to the default rule. In the default rule, only GET requests are allowed to "photo.jpeg". However, if "photo.jpeg" is requested with query parameters, those parameters have not been learned, so the request is blocked by the WAF.
  • Comprehensive > In Comprehensive mode, all HTTP methods are treated as not permitted in the default rule. Therefore, unless a new path is defined in addition to the default rules, all requests are blocked by WAF. When analysis is performed in comprehensive mode, each path is learned one by one, and rules suitable for these paths are created. A request to an unlearned path is therefore blocked by WAF.
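The fallback behaviour of the Data-Based and Comprehensive modes can be modelled in a few lines. This is an added sketch, not TR7 code: the `LEARNED` table, the `decide` function and the mode strings are hypothetical, and blocking an unlearned parameter on a learned path is an assumption drawn from "within the framework of the learned rules".

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

@dataclass
class PathRule:
    methods: set                               # HTTP methods learned for the path
    params: set = field(default_factory=set)   # parameter names learned for the path

# Constructed result of a learning run (hypothetical paths and parameters).
LEARNED = {
    "/login": PathRule({"GET", "POST"}, {"user", "pass"}),
    "/search": PathRule({"GET"}, {"q"}),
}

def decide(mode, method, url, body_params=()):
    """Return 'allow' or 'block' for one request under the given rule creating mode."""
    parts = urlsplit(url)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    names |= set(body_params)
    rule = LEARNED.get(parts.path)
    if rule is not None:
        # Learned path: both the method and every parameter must have been learned.
        ok = method in rule.methods and names <= rule.params
    elif mode == "data-based":
        # Default rule: GET/HEAD only, and no data of any kind.
        ok = method in {"GET", "HEAD"} and not names
    elif mode == "comprehensive":
        # Default rule: nothing is permitted on an unlearned path.
        ok = False
    else:
        raise ValueError(f"unknown mode: {mode}")
    return "allow" if ok else "block"

if __name__ == "__main__":
    for mode in ("data-based", "comprehensive"):
        for method, url in (("GET", "/photo.jpeg"), ("GET", "/photo.jpeg?size=large"),
                            ("POST", "/photo.jpeg"), ("GET", "/search?q=waf")):
            print(f"{mode:14} {method:5} {url:24} -> {decide(mode, method, url)}")
```
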

- Country Filter


Selects which countries' requests are analyzed, according to the selected filtering option.


There is no filtering of the countries of incoming requests. All requests are included in the analysis.

Countries selected from the table are included in the analysis.

All countries other than those selected from the table are included in the analysis.

- Only Domains


Requests that comply with host header standards are included in the analysis.

- Only Browsers


Only requests made through browsers are included in the analysis. The User-Agent header is checked.

- Skip Blacklist IPs


Requests from Blacklist IP addresses defined in the IP Intelligence tab are not included in the analysis.

- Status Code Filter


Selects how the requests to be analyzed will be filtered according to the status code returned from the server. Since the aim of analyzing the traffic is to create a site map and analyze normal requests that are not harmful, it is recommended to filter based on 1xx, 2xx, and 3xx status codes.

There is no filtering based on the status codes of incoming requests. All requests are included in the analysis.

Status codes selected from the table are included in the analysis.

All status codes other than those selected from the table are included in the analysis.

- Bot Filter


Requests are checked for bot traffic based on the User-Agent header and included in the analysis accordingly. See the Bot Type condition for more details.

There is no filtering based on bot control in incoming requests. All requests are included in the analysis.

Bot types selected from the table are included in the analysis.

Requests with any other (non-bot) User-Agent header, that is, one not matching the bot types selected from the table, are included in the analysis.

- Source IP Filter


Based on the selected filtering process, it is determined which requests will be included or excluded from the analysis by checking the Source IP addresses.


There is no filtering based on the Source IP address in incoming requests. All requests are included in the analysis.

Entered Source IP addresses are included in the analysis.

All Source IP addresses other than those entered are included in the analysis.

- Host Filter


Based on the selected filtering process, requests to be included or excluded from the analysis are determined by checking the Host header information. For example, if you want only requests with the domain information www.tr7.com to be included in the analysis, you can configure it as shown below.


There is no filtering based on the Host header information in incoming requests. All requests are included in the analysis.

The entered Host header information is included in the analysis.

All Host header values other than those entered are included in the analysis.

- Start Analyzing


Clicking the Start Analyzing button initiates the analysis based on the selected filtering processes.
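The effect of the filters above on the resulting site map can be seen in a small model. This is an added example, not TR7 code: the log records are constructed, and `make_filter`, `site_map` and the `none`/`include`/`exclude` mode names are hypothetical stand-ins for the three options each filter offers.

```python
from collections import defaultdict

# Constructed log records: (source IP, Host header, method, path, status code).
LOGS = [
    ("198.51.100.7", "www.tr7.com",   "GET",  "/",           200),
    ("198.51.100.7", "www.tr7.com",   "POST", "/login",      302),
    ("203.0.113.9",  "www.tr7.com",   "GET",  "/wp-admin/",  404),  # probe, path does not exist
    ("203.0.113.9",  "www.tr7.com",   "GET",  "/.env",       403),  # probe, rejected by server
    ("192.0.2.66",   "www.tr7.com",   "GET",  "/products/1", 200),  # blacklisted source
    ("198.51.100.8", "other.example", "GET",  "/products/2", 200),  # different Host header
]

def make_filter(mode, values=()):
    """Build a predicate for one filter: no filtering, include listed, or exclude listed."""
    values = set(values)
    if mode == "none":
        return lambda v: True
    if mode == "include":
        return lambda v: v in values
    if mode == "exclude":
        return lambda v: v not in values
    raise ValueError(f"unknown filter mode: {mode}")

def site_map(logs, status_f, host_f, blacklist=()):
    """Return {path: [methods]} for the records that pass every filter."""
    learned = defaultdict(set)
    for ip, host, method, path, status in logs:
        if ip in blacklist:                    # Skip Blacklist IPs
            continue
        if not (status_f(status // 100) and host_f(host)):
            continue                           # Status Code Filter / Host Filter
        learned[path].add(method)
    return {path: sorted(methods) for path, methods in learned.items()}

if __name__ == "__main__":
    no_filter = make_filter("none")
    print("unfiltered:", site_map(LOGS, no_filter, no_filter))
    print("filtered:  ", site_map(LOGS,
                                  make_filter("include", {1, 2, 3}),       # 1xx, 2xx, 3xx
                                  make_filter("include", {"www.tr7.com"}),
                                  blacklist={"192.0.2.66"}))
```

Without the status code filter, the two probe paths would enter the site map and would have to be removed by hand on the analysis screen.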

Interface

Analysis Details

1- Starting and Monitoring Analysis

- Monitoring


After the analysis is started, progress can be monitored in percentage (%) in real-time. Clicking on the bar that appears allows you to check detailed information such as the filters applied during startup, remaining analysis time, and more. Depending on the selected filters, there may be changes in the appearance on the screen during the analysis.


- Analysis Completion


After the analysis is completed, a New button, as shown in the visual below, is displayed on the interface. By clicking on it, the operations described below can be performed. Depending on the selected filters, there may be changes in appearance on the screen during the analysis.


- Edit


Opens the analysis screen (site map) so that the rules to be created can be checked.

- Delete


The analysis performed is deleted from TR7 ASP.

- Apply


Rules for requests from the analysis process are created.

- Ignore


The analysis performed is ignored from the interface. By clicking on the home icon, ignored and previous analyses can be viewed.

Interface

2- Analysis Screen


Analysis Screen Form

- 1 (Reset)


Reverts the changes made.

- 2 (Undo)


Reverses the change made.

- 3 (Redo)


Reapplies the change made.

- 4 (Collapse)


Collapses all paths listed on the analysis screen along with their depths.

- 5 (Select Globs)


With the Select Glob button, similar requests are suggested as glob paths by performing the desired filtering operations using the AI-based WAF engine.


Glob path rules are created by selecting the desired paths in the selected globs using the Apply Selected Globs button.


- 6 (Advanced Settings)



- Excluded Paths


Directories removed from the analysis are displayed here. They can also be entered manually.

- Dynamic Paths


For example, where only .js files are requested on a path under analysis, Dynamic [Directory] can be used. All .js* extension requests to that path are then subject to the same rules.


- Dynamic Path Exclusions


Directories marked as Exclude from Groupings are displayed here. Requests that should not be included in dynamic directories can also be entered manually.

- Filter


Operations such as Request Limit, Visitor Limit, IP Limit, Country Limit, and Path-Based Log Limitation can be performed.

- 7 (Apply)


The changes made are applied to create rules.

- 8 (Info)


Details of the analysis conducted can be viewed. Depending on the selected filters, there may be changes in appearance on the screen during the analysis.


- 9 (Default Order)


Used to sort paths.


- 10 (Dynamic [Path] (*))


Dynamic [Directory] (*) is used to apply the same rules, by means of a glob, to requests at the same depth on a path under analysis.

- 11 (Dynamic [Everything] (**))


Dynamic [Everything] (**) is used to apply the same rules to any request to the relevant path, regardless of depth.

- 12 (Exclude from Analysis)


Used to remove unwanted (considered harmful) or non-existent paths from the analysis by selecting them.

- 13 (Add to Dynamic Path Exclusions)


Used for requests for which inclusion in the dynamic directory is not desired. Rules for the selected requests are created separately.

- 14 (Delete)


Used to delete paths that have been selected as Dynamic Directory.

- 15 (Page Navigation)


Arrow keys are used for navigation between pages.

- 16 (General Information)


Detailed information about the requests made to the selected paths or files is displayed.
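The difference between items 10 (`*`, same depth), 11 (`**`, any depth) and 13 (Dynamic Path Exclusions) can be worked through as follows. This is an added example, not TR7's matching engine: the paths are constructed, the function names are hypothetical, and it assumes `*` stays within one path segment while `**` crosses segments.

```python
import re

def glob_to_regex(glob):
    """Translate a dynamic-path glob: '*' stays inside one segment, '**' spans depths."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def resolve(path, dynamic, exclusions):
    """Return the rule a path is grouped under, or None when only the default rule applies."""
    if path in exclusions:
        return path                     # excluded from grouping: gets its own rule
    # Try single-depth globs before '**' globs, longer (more specific) globs first.
    for glob in sorted(dynamic, key=lambda g: (g.count("**"), -len(g))):
        if glob_to_regex(glob).fullmatch(path):
            return glob
    return None

def group(paths, dynamic, exclusions):
    """Group site-map paths by the rule that would cover them."""
    rules = {}
    for p in paths:
        rules.setdefault(resolve(p, dynamic, exclusions) or "(default rule)", []).append(p)
    return rules

# Constructed site map and settings.
DYNAMIC = ["/static/js/*.js", "/docs/**"]
EXCLUSIONS = {"/static/js/admin.js"}
PATHS = ["/static/js/app.js", "/static/js/admin.js", "/static/js/vendor/lib.js",
         "/docs/guide.html", "/docs/api/v2/index.html"]

if __name__ == "__main__":
    for rule, members in group(PATHS, DYNAMIC, EXCLUSIONS).items():
        print(f"{rule:22} <- {members}")
```

A `**` entry widens a rule to every depth below the path, so it covers paths that never appeared in the learning traffic; the single-depth `*` form keeps `/static/js/vendor/lib.js` out of the group here.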