F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

jay_41195's avatar
jay_41195
Icon for Nimbostratus rankNimbostratus
Apr 09, 2018

ASM automatic learning policy

Hi   I am building a security policy via Automatic learning and have a few questions as the documentation confuses me.   In traffic learning there is a list of suggestions as per screenshot, f...
application delivery
ASM Advanced WAF
security
Albert_59847's avatar
Albert_59847
Icon for Nimbostratus rankNimbostratus
Apr 10, 2018

In making policy for WAF you will ask if "trasparent or blocking mode". In trasparent mode the policy will try to digest and analyze the traffic in a period of one week or more. As soon as the policy is mature enough you can enforce it. Yes, there are a lot of false positive and you can tune up later on by having support ID (Blocking mode) and allowed specific request.

 

In the policy building you have two tabs, "Traffic Learning" and "Learning & Blocking Settings". In Traffic Learning, there are accept suggestion, delete suggestion and ignore suggestion. If those parameters or request are valid you can accept or do other suggestions. It is better to put your policy in transparent mode to learn more about your specific applications. While in Learning & Blocking Settings you have general settings which are Enforcement, learning, Auto-Apply and learning speed. This is how your policy deal with your application. I think your policy is in blocking mode (Enforcement) and if you didn't define your policy building properly you will have a lot of calls from application owner. The rest of the settings are defaults but you may change it.

 

It is better to sit with application owner during blocking mode and test the application and this task is tedious and need a lot of patience.