For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mm_pen_242283's avatar
mm_pen_242283
Icon for Nimbostratus rankNimbostratus
Oct 22, 2016

ASM - stopping induvidual learning sugestions

Hi experts.

 

I noticed that even after the policy has been declared stable (turned into BLOCKING mode by admin), those blocked violations (seen in Event logs) are still being shown (with corresponding hits) in the Manual Traffic Learning section. What is the need for that behavior (since this violation is already confirmed as obvious > enforced) and how can one disable Learning for that specific signature.

 

Under Attack Signatures Configuration there is no option available for disabling "Learn" on particular signature only. Can this setting only be applied to set of signatures (e.g. Generic...).

 

To make the long story short; how do you stop individual violations showing in Manual Traffic Learning?

 

Thank you for your answers!

 

ASM Advanced WAF
security

1 Reply

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Oct 22, 2016

    mm_pen,

     

    All violations have a blocking mask setting of Learn Alarm and Block. You can disable any of these to prevent them occuring for a violation. However, for top level violations, such as attack signature detected, it is one setting for all.

     

    That being said if you've allowed a signature, or any other violation, in the policy then it should neither block nor learn. That bit doesn't make sense as you state the violation is allowed but you are still getting blocked.

     

    N