ASM; Change of "Ignore Value" param with event description: Fallback to default parameter type

Question

Hello everybody!&nbsp;
I have encountered a problem and need help!
I have created a policy and activated its "real traffic learning". Through trusted traffic, it recognized some parameters of "Ignore Value" type and some of other types. After 8 days (1 day more than "enforcement readiness period") and before deactivating "real traffic learning" (I had to do that), I edited some of other parameter, and I observed that the policy builder changed all of "Ignore values" parameters to "user input with length of 10" one by one. Description of these events are logged as "Parameter Type was set to User input value. Fallback to default parameter type".&nbsp;
could any one help me with: &nbsp;
1- Firstly, why some of parameters got type of "Ignore value"?&nbsp;
2- Why "Ignore values" parameters should be changed in this scenario? And why these changes are made one day after "enforcement readiness period"? How this scenario could be explained? Generally, does policy builder change parameters after "enforcement readiness period"?&nbsp;
3- And, the event description says "... Fallback to default parameter type", Where the type "user input with length of 10" is defined as default? Can I edit this setting of default value?&nbsp;
thanks a lot!&nbsp;

romani_2788 · Answer

Very likely, these Parameters are created with Ignore value because Policy builder is set to identify Content Profiles and it automatically detects advanced protocols, and will be taken out of this status once the type is identified, which is why you saw it change to 'user input' after it has detected the input type. 
The length of 10 simply indicates that Policy Builder never found an input of more than 10 characters (or maybe slightly less), and therefore doesn't deem it necessary to give this parameter more than that size input in securing it.&nbsp;

nazaktabar_3358 · Answer

Hi! 
Thanks a lot dear Romani of your response. I am sorry it is still obscure for me...&nbsp;
The senario was: I could not have traffic in my trusted zone any more and my parameter was not detected enough accurate. So, Before {enforcing and disabling Policy builder and sending the policy to operation}, I started to editing some of "user input" parameters one day after "enforcement readiness period", and then I saw that Policy builder have started to changing of "ignore value" parameters.&nbsp;
Having no traffic, how Policy builder could identify the type of "ignore value"s?&nbsp;

Forum Discussion

ASM; Change of "Ignore Value" param with event description: Fallback to default parameter type

2 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

iRules

Is there a way to export BigIP Analytics http captured transactions?

F5 is not providing any console/Web Access.Software is corrupted. How to clean install its firmware?

About perpetual license expiry In WAF

How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute value

Related Content

Icontrol REST upload and apply policy- section "http-protocols" ignored?

"Ignore value" parameter type

exclude HTTP::header value Content-Type] equals "text/xml; charset=utf-8" from SSL redirect

Extracting dynamic parameter values from a "Jason" formatted response.

ASM stripping double quotes from cookie values post v14?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS