For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gowenfawr's avatar
gowenfawr
Icon for Nimbostratus rankNimbostratus
Aug 14, 2012

ASM - Traffic Learning seems to be one way?

The ASM spectrum of transparent/learning/staging/blocking has been very problematic for me. It seems as if there are many hoops to jump through before traffic will be blocked, and quite often it won'...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 16, 2012
Hi Greg,

 

 

For some policy components (file types, URLs and flows), you can ignore individual learning suggestions:

 

 

 

ASM | Policy Building | Ignored Entities

 

 

This screen displays the number of ignored security policy entities for the current edited security policy selected.

 

 

You can create an ignored entity by deleting file types, URLs, or flows from the Learning tables. The system ignores these deleted items and does not generate learning suggestions for them.

 

 

 

You cannot currently disable learning for a specific attack signature. You should be able to disable learning suggestions for all signatures in a signature set though. If you wanted to tinker a bit, you could move the attack sig(s) you never want to get learning for into a separate attack sig set with learning disabled.

 

 

The ASM config guide goes over policy building using the Learning tool:

 

 

Manual Chapter: Refining the Security Policy Using Learning

 

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_learning.html

 

 

Aaron