Forum Discussion

ghost-rider_124
Jun 08, 2016

ASM Manual Learning Clarification

Hello

I enabled manual learning for a web application (transparent mode). I enabled learning on illegal file, illegal parameter and illegal URL types in block settings. So I should get the learning suggestions for files, parameters and URLs.

My question is: to get learning suggestions for URLs, file types and parameters, is it mandatory to create a wildcard for file types, URLs and parameters as well, or is just enabling learning suggestions fine?


  • Hi,

    You have 3 levels of learning. And in any case you need the wildcard to be present in each entity of the security policy. You can remove the wildcard once you have finished building your security policy.

    • ghost-rider_124
      I mean, if I do not create a wildcard entity then it will not give me learning suggestions?
    • Yann_Desmarest
      If you are talking about the manual learning of entities, then yes, you need the wildcard to be present on each entity. It's a feature to discover new URLs, parameters, file types, etc.
    • Yann_Desmarest
      It's not the same as enforcement readiness, which fine-tunes suggestions for signatures, lengths, etc.
  • Hi,

    For each entity type, you can define those 3 levels (extract from KB):

    Never (wildcard only): Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard.

    Selective: Applies only to * wildcard entity.

    Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.