CloudGuard WAF
Search
K

Configure Contextual Machine Learning for Best Accuracy

The Contextual Machine Learning reaches a verdict more accurately when it can differentiate between users or sources of HTTP requests. CloudGuard WAF allows to configure how to identify the source of a web request, per web application or API.
Once CloudGuard WAF knows how to identify the source, you can also configure trusted sources. Understanding the behavior of multiple trusted sources helps the contextual machine learning engine to learn faster what is considered a benign or malicious request for a specific web application or API.
Configuration of the below items can accelerate the learning process and allow reaching more accurate decision by the Machine Learning Engine.
Configuring trusted sources is not a method of exclusion. It is a method to enhance the learning capabilities of the contextual machine learning. Exclusions are configured separately.

Source Identity and Trusted Sources

The instructions below can refer to configuring trusted sources during step 4 of the wizard during creation of a Web Application asset or a Web API asset.
They can also be found when browsing to Policy->Assets and editing an asset under Source Identity and Trusted Sources.

Step 1: Identify the source of the web request

The source of an HTTP web request can be identified in a number of ways. Use the below table to select the appropriate identifier for the sources of your web application.
Definition
Parameter
View
Source IP
This is the HTTP request source IP or CIDR. No additional parameters are necessary.
X-Forwarded-For Header in HTTP requests
IP address or CIDR of the trusted source is received in the X-Forwarded-For header. If you select this option, you must add the IP addresses of previous reverse proxy/ALB hops to distinguish the unique IP address of the source from them. For example:
Note - Adding the address of previous hops is required when there is more than 1 reverse proxy and/or ALB before Reverse Proxy with CloudGuard WAF installation. If there is only one, it is not required.
Header Key
If you select this option, it is necessary to add the header field name. This value is used for identification.
JWT Key
If you select this option, it is necessary to add the key within the JWT. This value is used for identification. This option is recommended.
Cookie
When you select this option, it is necessary to add the key within the cookie. This value is used for identification. A recommended key is oauth2_proxy
  1. 1.
    Go to Cloud->Assets and select the Asset you want to configure.
  2. 2.
    Select a method to distinguish the sources according to the above table.
  3. 3.
    (Optional) Add the name of field that uniquely identifies the user.

Step 2: Configure Trusted Sources

  1. 1.
    Add specific IP addresses (incase of Source IP or X-Forward-For) or specific user identifiers (incase of Header/JWT/Cookie) of trusted sources to the list
  2. 2.
    Minimum Users To Trust - You may change the default from 3 to a lower (not recommended) number or higher. If we take the example of "3", the learning mechanism will not learn about "benign" behavior from the trusted sources until at least 3 of them created similar traffic patterns. This is to avoid one source becoming a "malicious source of truth". The number of trusted sources in the table has to be at least that minimum number, to allow the machine learning engine to have a good indication of "benign behavior".
  3. 3.
    Click Publish to publish the changes to the management.
  4. 4.
    Click Enforce to deploy the changes to the enforcement points.

What's Next?

Depending on amount and variance of traffic, after some time, the machine learning engine will reach a stage where it has observed a sufficient amount of web requests to understand how the application is used. The faster this stage is reached, the faster detection is accurate and it is recommended to move to prevent mode.
Read more about how you can optimize and tune the Machine Learning process in the Track Learning and Move from Detect to Prevent section of this documentation.