Forum Discussion
CirrusASM Not Automatic learning URL, File Type and Paramater.
Hi all
We are deploying ASM module for us Customer. We have create one policy Application Security Policy mode: learning Automatic.
After we have change setting with URL, File Type and Parameter mode: Always. Then we have login to web and try all function for web. But when show learned URL, File Type and Parameter, we not see any it.
Please help us.
Thanks you so much
Attach us picture at here.
- Lidev
Nacreous
Hello
Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server ?
if you modify the Virtual Server log profile to Log All requests, you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request) ?
Regards
Hoang_HungThanks
Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server ? ==> Yep, we have asssociated with Virtual Server.
if you modify the Virtual Server log profile to Log All requests, you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request) ? ==> We have see many request.
But when show learned URL, File Type and Parameter, we not see any it.
example : picture 5, 6, 7
- Lidev
it's weird, no error messages in var/log/asm ? or in var/log/ts/learning_manager.log (only 11x version)
Have you try to restart the BIG-IP ASM process ?
Ivan_ChernenkiiEmployee
Hello Hoang,
What version of BIG-IP do you use?
What configuration of "Policy Building Process" on "Security ›› Application Security : Policy Building : Learning and Blocking Settings" do you have?
By default we have some thresholds for learning like e.g. we need to get the same new parameter from 20 different source IPs during specific time period (each new IP during new hour)
If you want to add all entities by yourself automatically via learning, then for this period (DO NOT forget to disable it in production), you need to set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" - in such case entities will be automatically added for each request.
You can find status of learning process on "Security ›› Application Security : Policy Building : Traffic Learning" page.
Thanks, Ivan
- Hoang_Hung
Thanks Ivan Chernenkii
Thanks you for respone.
We have see some request in Traffic learning but it not enough. 100%.
How do you do reduce for traffic learnning ==> 100% fast.
Thanks Ivan
- Ivan_Chernenkii
Hello Hoang,
As I see, you use default configuration for "Policy Building Process"
Do you use learning in lab (specifically generated 100% correct traffic) or with real traffic?
If in lab, then just set set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" and it will get 100% after one request
If you use it with real traffic, then I would suggest to wait until you will get 100% with current configuration. It goes slow because you don't have enough untrusted sources (different Client IPs). If you will modify configuration of "Policy Building Process" during real traffic, then incorrect entities can be learned from attacker or bot traffic.
But in general, score is counted in this way - by default we should get request with appropriate entity from 20 different sources (Client IPs) and each new IP is added minimum after 1 hour when previous IP was added. So, currently you have 6 untrusted IPs - 100%/20*6=30%. So, to make it fast you need to reduce number of untrusted source in configuration OR reduce time between adding new source.
Thanks, Ivan
