Forum Discussion
ASM automatic learning policy
About policy building rules

If you are using the automatic learning setting, the Policy Builder builds the security policy automatically in three stages. These stages each have separate sets of settings in the Policy Building Process area of the Learning and Blocking Settings screen. Rules in each stage determine when an element in the security policy moves from one stage to the next:

* Loosen policy
* Tighten policy (stabilize)
* Track Site Changes

The rules have different values depending on whether the traffic comes from a trusted or untrusted source. The system generally considers trusted traffic, and the policy elements it contains, to be legitimate, and adds them to the policy more quickly than it does those in untrusted traffic.
You can adjust the values for the rules by changing the Learning Speed setting. Slow learning speed causes the system to create the policy by looking at more traffic, over more time, and from a larger number of different IP addresses, so the values in the rules are higher. Fast learning speed causes the system to build the policy from fewer requests, from only one IP address, and the values you see in the rules are lower.
Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the values in any of the rules (to values not matching any of the default values) also changes the learning speed to the Custom policy type (instead of Fast, Medium, or Slow).
About automatic policy building stages

Automatic policy building is enabled when you have Learning Mode set to Automatic. In this case, the Policy Builder builds the security policy in three stages:
Loosen Policy

During this stage, the Policy Builder identifies legitimate application usage based on repeated behavior from a sufficient number of different user sessions and IP addresses, over a period of time. The system makes learning suggestions on ways to update the security policy. Based on wildcard matches, the Policy Builder suggests adding the legitimate policy entities (putting most into staging to learn their properties), and disabling violations that are probably false positives. If you are using automatic learning, the Policy Builder implements the suggestions when the policy building rules are met, updates the security policy, and enforces the entities. If you are using manual learning and want to enhance the security policy, you can address each of the suggestions that the system made.
For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions and IP addresses over time, it then makes learning suggestions. If you are using automatic learning, over time, the Policy Builder adds the entities to the security policy. If you are using manual learning, you can accept, delete, or ignore the suggested additions to the security policy.
Tighten Policy (stabilize)

Rules that tighten a security policy are applicable only when you are using automatic learning. During this stage, the Policy Builder refines the security policy elements until the number of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, from different IP addresses, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy, or a change was made to any of its attributes.
Similarly, the Policy Builder enforces an entity (takes it out of staging) after it records a sufficient number of unique requests and sessions from different IP addresses, over a sufficient length of time, for a particular file type, URL, parameter, or cookie.
When the traffic to the application no longer includes new elements, and the Policy Builder has enforced the policy elements, the security policy is considered stable.
Track Site Changes

This stage occurs after the security policy is stable, and is only relevant when using automatic learning. If the Track Site Changes setting is enabled and the Policy Builder discovers changes to the web application, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary suggestions or adjustments. When the Policy Builder stabilizes the added elements, it re-tightens the security policy.
Although it is not recommended, you can disable the Track Site Changes option. If you do, the Policy Builder continues to monitor traffic and note whether the web application has changed, and if it has, makes suggestions for loosening the policy. However, the security policy is not updated unless you manually change it.
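To make the three stages and the trusted/untrusted thresholds concrete, here is a small simulation of the process described above. This is an added illustration, not F5 code and not the real Policy Builder: the rule thresholds in FAST and SLOW, the "trusted traffic needs half the evidence" rule, the entity keys and the request stream in run_sample() are all constructed for the example.

```python
"""Toy model of ASM automatic policy building: Loosen -> Tighten -> Track Site Changes.

Added example, not F5 code. All thresholds are assumed illustrative values,
not the actual Fast/Medium/Slow defaults shown on the Learning and Blocking
Settings screen.
"""
from dataclasses import dataclass, field
from math import ceil


@dataclass(frozen=True)
class LearningRules:
    add_sessions: int      # distinct sessions before a suggested entity enters staging (Loosen)
    add_ips: int           # distinct client IPs before it enters staging
    enforce_sessions: int  # distinct sessions before it leaves staging (Tighten)
    enforce_ips: int       # distinct client IPs before it leaves staging
    quiet_seconds: int     # time since the last policy change before enforcing / declaring stable


# Assumed presets: Slow needs more traffic, more IPs and more time than Fast.
FAST = LearningRules(add_sessions=1, add_ips=1, enforce_sessions=3, enforce_ips=1, quiet_seconds=10)
SLOW = LearningRules(add_sessions=5, add_ips=3, enforce_sessions=20, enforce_ips=5, quiet_seconds=600)


def learning_speed(rules):
    """Any rule values that match no preset turn the learning speed into 'Custom'."""
    return {FAST: "Fast", SLOW: "Slow"}.get(rules, "Custom")


@dataclass
class Entity:
    key: str                   # e.g. "url:/login" or "param:user" (constructed naming)
    state: str = "suggested"   # suggested -> staging -> enforced
    sessions: set = field(default_factory=set)
    ips: set = field(default_factory=set)


class PolicyBuilder:
    def __init__(self, rules, track_site_changes=True):
        self.rules = rules
        self.track_site_changes = track_site_changes
        self.entities = {}
        self.stage = "loosen"    # loosen -> tighten -> stable
        self.last_change = 0     # timestamp of the last change made to the policy
        self.log = []

    def observe(self, key, session, ip, ts, trusted=False):
        """Record one request for policy entity `key` from (session, ip) at time ts."""
        ent = self.entities.get(key)
        if ent is None:
            if self.stage == "stable":
                self.log.append(f"{ts}: Site change detected: {key}")
                if not self.track_site_changes:
                    # Tracking off: the change is only suggested; the policy is not updated.
                    self.entities[key] = Entity(key)
                    return self.stage
                self.stage = "loosen"  # temporarily loosen to learn the new element
            ent = self.entities[key] = Entity(key)
        ent.sessions.add(session)
        ent.ips.add(ip)
        if self.stage != "stable":
            self._advance(ent, ts, trusted)
            self._update_stage(ts)
        return self.stage

    def _thresholds(self, trusted):
        # Assumption for the example: trusted traffic needs half the evidence.
        d = 2 if trusted else 1
        r = self.rules
        return (ceil(r.add_sessions / d), ceil(r.add_ips / d),
                ceil(r.enforce_sessions / d), ceil(r.enforce_ips / d))

    def _advance(self, ent, ts, trusted):
        add_s, add_i, enf_s, enf_i = self._thresholds(trusted)
        if ent.state == "suggested" and len(ent.sessions) >= add_s and len(ent.ips) >= add_i:
            ent.state = "staging"            # Loosen: add the entity, in staging
            self.last_change = ts
            self.log.append(f"{ts}: added {ent.key} to policy (staging)")
        elif (ent.state == "staging" and len(ent.sessions) >= enf_s and len(ent.ips) >= enf_i
              and ts - self.last_change >= self.rules.quiet_seconds):
            ent.state = "enforced"           # Tighten: take it out of staging
            self.last_change = ts
            self.log.append(f"{ts}: enforced {ent.key}")

    def _update_stage(self, ts):
        states = {e.state for e in self.entities.values()}
        if self.stage == "loosen" and "suggested" not in states:
            self.stage = "tighten"
        if (self.stage == "tighten" and states == {"enforced"}
                and ts - self.last_change >= self.rules.quiet_seconds):
            self.stage = "stable"            # no new elements, everything enforced
            self.log.append(f"{ts}: policy stable")

    def states(self):
        return {k: e.state for k, e in self.entities.items()}


def run_sample(track_site_changes=True):
    """Constructed request stream: /login is learned and enforced, then /admin appears."""
    pb = PolicyBuilder(FAST, track_site_changes)
    for key, session, ip, ts in [
        ("url:/login", "s1", "10.0.0.1", 0),
        ("url:/login", "s2", "10.0.0.1", 5),
        ("url:/login", "s3", "10.0.0.2", 12),
        ("url:/login", "s1", "10.0.0.1", 30),
        ("url:/admin", "s4", "10.0.0.3", 40),
    ]:
        pb.observe(key, session, ip, ts)
    return pb


if __name__ == "__main__":
    for line in run_sample().log:
        print(line)
```

With Track Site Changes on, the appearance of /admin after the policy is stable is logged as a site change and the builder drops back to the loosen/tighten cycle for that entity only; with it off, the same request produces only the log entry and a "suggested" entity, leaving the enforced policy untouched until someone changes it manually.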