Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
cookies are transported only in HTTPS connections. Both together add a strong layer of security for the server-side cookies.
Allow Client Cookies – The Allow Client Cookies option is enabled by default. In Strict mode, the Allow Client Cookies option is disabled. When disabled, client-side cookies are not allowed to be sent to the backend systems. This option does not affect server-side cookies.
Exclusion List – If the Exclusion List is enabled and contains a cookie, the cookie is passed as usual and is not protected. You can exclude server-side cookies and client-side cookies.
Exclusion list items are case sensitive and use the format ‘CookieName@CookiePath’. Cookies with the same name and different paths are treated as different cookies. ‘CookiePath’ can be left empty to represent any
Import Global – Application Offloading portals can import the Global exclusion list.
How Does Application Profiling Work?
The administrator can configure application profiling on the Web Application Firewall > Rules
Application profiling is completed independently for each portal and can profile multiple applications
After selecting the portal, you can select the type of application content that you want to profile. You can
, or
that includes all content types such as images, HTML, and CSS.
HTML/XML content is the most important from a security standpoint, because it typically covers the more
sensitive Web transactions. This content type is selected by default.
Then the SMA/SRA appliance is placed in learning mode by clicking Begin Profiling (the button then changes to End Profiling). The profiling should be done while trusted users are using applications in an appropriate way.
The Secure Mobile Access appliance records inputs and stores them as URL profiles. The URL profiles are listed as a tree structure on the Web Application Firewall > Rules page in the Application Profiling section.
Only the URLs presented as hyperlinks are accessible URLs on the backend server. You can click on the hyperlink
to edit the learned values for that URL if the values are not accurate. You can then generate rules to use the
modified URL profile.
The SMA/SRA appliance learns the following HTTP Parameters:
Response Status Code
Post Data Length – The Post Data Length is estimated by learning the value in the Content-Length header.
The maximum size is set to the power of two that is closest to and higher than this value. This
By default, the attribute Secure is always appended to an HTTP connection even if Cookie
Tampering Protection is disabled. This behavior is a configurable option, and can be turned off.
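
The application profiling steps described above (learn from trusted traffic, store per-URL profiles, generate rules) can be sketched as follows. This is an added example, not SonicWALL code: the traffic sample is constructed, the function names and the enforcement step in check_request are assumptions, and "higher than" is read as strictly higher.

```python
from collections import defaultdict

# Constructed sample of traffic seen while trusted users exercise the portal:
# (method, URL path, request Content-Length, response status code)
LEARNING_TRAFFIC = [
    ("GET",  "/app/login",   0,    200),
    ("POST", "/app/login",   57,   302),
    ("POST", "/app/login",   61,   200),
    ("POST", "/app/profile", 900,  200),
    ("POST", "/app/profile", 1024, 200),
]

def next_power_of_two(n):
    """Smallest power of two strictly higher than n (assumed reading of the guide)."""
    return 1 << n.bit_length()

def learn_profiles(traffic):
    """Build one profile per URL: observed status codes and largest POST body."""
    profiles = defaultdict(lambda: {"status_codes": set(), "max_seen": 0})
    for method, url, content_length, status in traffic:
        profile = profiles[url]
        profile["status_codes"].add(status)
        if method == "POST":
            profile["max_seen"] = max(profile["max_seen"], content_length)
    return dict(profiles)

def generate_rules(profiles):
    """Turn learned profiles into limits; the POST cap is rounded up to a power of two."""
    return {url: {"status_codes": sorted(p["status_codes"]),
                  "max_post_length": next_power_of_two(p["max_seen"])}
            for url, p in profiles.items()}

def check_request(rules, url, content_length):
    """Hypothetical enforcement: 'allow', 'unknown-url' or 'post-too-long'."""
    rule = rules.get(url)
    if rule is None:
        return "unknown-url"          # URL never seen during profiling
    if content_length > rule["max_post_length"]:
        return "post-too-long"        # body exceeds the learned, rounded-up cap
    return "allow"

if __name__ == "__main__":
    rules = generate_rules(learn_profiles(LEARNING_TRAFFIC))
    for url, rule in sorted(rules.items()):
        print(url, rule)
    print(check_request(rules, "/app/login", 4096))
```

Rounding the learned length up leaves headroom for normal variation in form submissions, so the quality of the resulting limits depends on how representative the trusted traffic was during the learning window.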