Hi josh,
I contacted with F5 support to clarify this issue.
Actually I'm using version 10.2.1 which have some incorrect label for Latency Options. it is fixed in some hotfix.
Latency Based first trigger detection criteria then check for suspicious criteria as the follow:
1. ASM detect increase of latency as you set in your configuration (ms and percentage)
2. When latency has reached as you set in your policy ASM consider this as start of attack.
3. Next step ASM will check for suspicious criteria (TPS options).
4. If both detection and suspicious criteria is occur ASM will do block action if you set your policy to blocking mode.
5. When latency back as normal ASM will define this as end of attack (this as I understand not as they told me).
Regarding this question:
- If one of "Suspicious Criteria" detected and not select any of "Prevention Policy" options ASM just alert and not block any request.
The answer is yes.
Thank you for your reply.
Sorry for being late, but I preferred to be sure be submit my conclusion.