Forum Discussion
ASM automatic learning policy
When making a policy for the WAF you will be asked if you want "transparent or blocking mode". In transparent mode the policy will try to digest and analyze the traffic over a period of one week or more. As soon as the policy is mature enough you can enforce it. Yes, there are a lot of false positives, and you can tune it later on by having the support ID (blocking mode) and allowing specific requests.
In policy building you have two tabs, "Traffic Learning" and "Learning & Blocking Settings". In Traffic Learning, there are accept suggestion, delete suggestion and ignore suggestion. If those parameters or requests are valid you can accept, or choose one of the other suggestion actions. It is better to put your policy in transparent mode to learn more about your specific applications. In Learning & Blocking Settings you have the general settings, which are Enforcement, Learning, Auto-Apply and learning speed. This is how your policy deals with your application. I think your policy is in blocking mode (Enforcement), and if you didn't define your policy building properly you will have a lot of calls from the application owner. The rest of the settings are defaults, but you may change them.
It is better to sit with the application owner during blocking mode and test the application; this task is tedious and needs a lot of patience.