Forum Discussion

ghost-rider_124
Jun 24, 2014

ASM learning in transparent questions

Hello Experts

I have configured ASM to learn manually, that is, I enabled tightening on the wildcard (URL, parameters and file types).

1- If tightening is enabled on the wildcard parameter, URL and file types, then in order to get the learning suggestions for URLs, parameters and file types, is it a must to enable learning in violations (illegal file type, illegal URL, illegal parameter) as well?

2- If staging is not enabled on learned parameters, URLs and file types (learned through the wildcard), then will we not get the learning suggestion in violations (like illegal meta character in value or URL etc.)?

3- In transparent mode, I am getting violations on valid traffic, should I accept all?

4- In transparent mode, I am getting 500+ illegal parameters in violations, should I accept all of them? How do I deal with a large number of learning suggestions for parameters?

Regards,

GR

 

    • What controls learning is the learn flag on the blocking settings page.
    • What controls violations is the alarm settings on the blocking settings page.
    • What controls blocking is the blocking setting on the blocking settings page.

    Given the above, when there is no policy object that permits the access:

    • Learning suggestions are reported in the manual traffic learning page when the learn setting is set for that violation.
    • Violations are reported in logs when the alarm setting is set for that violation.
    • Violations are reported when the blocking setting is set for that violation and the policy is in transparent mode.
    • Blocking is reported when the blocking setting is set for that violation and the policy is in blocking mode.

    Staged entities are policy objects that are not enforceable until they are taken out of staging. Policy objects not in staging are enforceable. For signatures this means they will block malicious behaviour. For policy objects that means they will permit the access specified by the object.

    1. You must have learning ticked on the blocking settings page to get those suggestions.
    2. See 1.
    3. Depends on the violation.
    4. Why are you not using automatic policy builder as recommended?
    • ghost-rider_124
      Thanks Kevin.
      - For point 2, is it a must to enable staging as well on learned parameters, URLs and file types, along with enabling learning under violations, to get learning suggestions?
      - For point 4, as I know from F5 training, it is good to build the ASM policy manually if we do not know the application well. In this case, how do we handle such a large number of parameters?
    • For point 2, is it a must to enable staging as well ...

    No. Staging has nothing to do with triggering learning suggestions.

    • For point 4, as I know from F5 training ...

    Since I deliver F5 training: it is good to build policy manually to learn the product and understand its capabilities, but for large policies it is cumbersome and unwieldy. It is common practice to use automatic policy building to create policy. You use trusted sources to generate the traffic, such as the development team testing the application. You can use untrusted sources to add new policy objects with volume usage. I tend to use the first.

     

  • Hi Kevin

    Thanks for the reply. Sorry for my ignorance, but on point 2 I am still not sure whether staging and violations learning have some relation. Also, are tightening and violations learning (specially learn illegal URL, illegal parameter, illegal file type) the same thing?

     

    • What controls learning is the learn flag on the blocking settings page.
    • What controls violations is the alarm settings on the blocking settings page.
    • What controls blocking is the blocking setting on the blocking settings page.

    Given the above, when there is no policy object that permits the access:

    • Learning suggestions are reported in the manual traffic learning page when the learn setting is set for that violation.
    • Violations are reported in logs when the alarm setting is set for that violation.
    • Violations are reported when the blocking setting is set for that violation and the policy is in transparent mode.
    • Blocking is reported when the blocking setting is set for that violation and the policy is in blocking mode.

    Staged entities are policy objects that are not enforceable until they are taken out of staging. Policy objects not in staging are enforceable. For signatures this means they will block malicious behaviour. For policy objects that means they will permit the access specified by the object.

     

    • ghost-rider_124
      Great explanation! So:
      1- Learning suggestions are independent of violations reported (in transparent mode)? If the learn setting is set for a violation then I will get learning suggestions regardless of whether the blocking settings are set or not for that violation (in transparent mode)?
      2- Provided that learning settings are set and blocking settings are set for a violation, and I accept all learning suggestions, then I should not get any violation any more for that violation?
      3- So we put policy objects in staging if we do not want to enforce them? Or is the purpose of staging to learn attributes of that object?
      Appreciate your reply.
    • Kevin_Davies_40
      1. Violations and their reporting or not are controlled by a number of factors. Learning suggestions are controlled by one, the Learn setting on the blocking response page. There is no learn setting for "violation" and that sentence confuses the two, so avoid using it. Learning suggestions appear when there are no policy objects to allow the traffic.
      2. That is the idea.
      3. When in automatic policy builder mode, staging is used to create objects and stabilise them. When there have been no changes on that object for the staging period then it will recommend they are enforced. It is also used for new and updated signatures, because you would not want them to go active until you can verify there are no false positives.