Forum Discussion

davidfisher
Oct 04, 2022

ASM policy building - automatic or manual?

I'm thinking of something like this:

  • start with the rapid deployment template.

  • set learning mode to automatic

  • add some trusted IPs if possible

  • enable attack signature recommendation tool

  • and done in 7 days.

However, a major issue is many people/customers don't like the automatic building and want it to be done manually.

People don't seem to trust the idea of automatic policy building and feel it's going to be "less secure" - do you face this issue?

How do you work around this?

Should I increase the loosen policy settings to make it require more sources to accept the traffic? Maybe 30 sources instead of 20?

The source here only considers the source IP right?

  • Hello David,

    In my opinion, choosing automatic or manual depends on who is accessing the service during the learning phase.

    If the policy is created and is accessible only from the trusted IPs, which are the QA team or developers, and is not yet published for any external use, then I think you can safely change the learning mode to automatic, but also keep monitoring the accepted suggestions. Also, you can increase the staging period for more stability.

    But if, during the learning phase, there are also requests coming from external users, I don't think it is safe to make the learning automatic, even if you have added a trusted subnet.

    Regarding the "Loosen Policy" settings, the answer is yes. Here is the description:

    Loosen Policy: "Specifies the number of sources spread over a time period that must pass in order for the Policy Builder to accept and learn a policy change from traffic."

    BR,

    Mohamed Salah

    • davidfisher

      Hi Mohamed, this is exactly what I was trying to ask.

      I feel what you said is a misconception.
      Even if the application is public, it doesn't mean ASM just blindly accepts everything.

      It uses statistical analysis, so even if an attack is sent in, it won't be learned unless it meets the traffic threshold, which is very difficult to meet with just one type of attack traffic, as it has to be spread across time.

        • Mohamed_Salah_

        Hello David,

        For this topic, it depends on the organization's restrictions. I started my comment with "in my opinion", and it is based on different customers' requirements. It is just an opinion :D; I think there might be more than one valid approach.

        As per the article below, it is mentioned that "When you use automatic learning mode, it’s tempting to delegate ongoing maintenance of your security policy to Policy Builder, but there is a risk that it may incorrectly interpret and block genuine traffic. Therefore, you should monitor the suggestions it makes for any corrections. This process is a great way to start using and learning about your WAF"

        Reference: https://support.f5.com/csp/article/K07359270

        So if the policy is in automatic learning mode, it doesn't mean you can safely ignore the accepted suggestions and leave it working by itself, because it might cause an issue or accept wrong suggestions. Only in the QA environment and for internal use only, I think you can safely leave it in automatic learning mode. Otherwise, if there are requests from external users, I think you shouldn't leave it in automatic mode, or, if you select this option, you should track and keep checking the accepted suggestions.

        BR,

        Mohamed Salah.
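The "Loosen Policy" description quoted in Mohamed's first reply (a change is learned only after enough sources have sent it over a time period) and David's point that a single attacker's traffic is unlikely to meet that threshold can be made concrete with a small simulation. The block below is an added example written for this page; it is not code from the thread, from F5, or from the Policy Builder itself. It models the loosen decision as three assumed conditions (distinct client IPs, request count, minimum time span) and treats "source" as the client IP, as the thread assumes. The 20-source figure is the default mentioned in the thread; the 100-request and one-hour values, the trusted-subnet rule and all traffic are constructed for illustration and are not taken from F5 documentation.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# ASSUMED thresholds for this model. The thread mentions a default of 20
# untrusted sources; the request count and minimum time span are
# illustrative values, not taken from F5 documentation.
UNTRUSTED = {"sources": 20, "requests": 100, "span": timedelta(hours=1)}
# Trusted traffic (e.g. a QA subnet) is modelled as learned immediately.
TRUSTED = {"sources": 1, "requests": 1, "span": timedelta(0)}


@dataclass
class Observation:
    """Evidence accumulated for one candidate policy change."""
    sources: set = field(default_factory=set)
    requests: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


class LoosenPolicyLearner:
    """Toy model of a 'loosen' decision: accept a change only once it has been
    seen from enough distinct client IPs, in enough requests, over a long
    enough period. 'Source' means client IP here, as the thread assumes."""

    def __init__(self, trusted_networks=()):
        self.trusted_nets = [ip_network(n) for n in trusted_networks]
        # Evidence is kept separately for trusted and untrusted traffic.
        self.evidence = {True: defaultdict(Observation), False: defaultdict(Observation)}
        self.learned = set()

    def is_trusted(self, src_ip):
        addr = ip_address(src_ip)
        return any(addr in net for net in self.trusted_nets)

    def observe(self, when, src_ip, suggestion):
        """Record one request that would generate `suggestion`.
        Returns True when this request pushes the suggestion over the threshold."""
        if suggestion in self.learned:
            return False
        trusted = self.is_trusted(src_ip)
        limits = TRUSTED if trusted else UNTRUSTED
        obs = self.evidence[trusted][suggestion]
        obs.sources.add(src_ip)
        obs.requests += 1
        obs.first_seen = when if obs.first_seen is None else min(obs.first_seen, when)
        obs.last_seen = when if obs.last_seen is None else max(obs.last_seen, when)
        if (len(obs.sources) >= limits["sources"]
                and obs.requests >= limits["requests"]
                and obs.last_seen - obs.first_seen >= limits["span"]):
            self.learned.add(suggestion)
            return True
        return False


def run_simulation():
    """Feed constructed traffic through the learner and return it for inspection."""
    learner = LoosenPolicyLearner(trusted_networks=["10.0.5.0/24"])
    t0 = datetime(2022, 10, 4, 9, 0)

    # 1. Genuine users: 25 distinct IPs (documentation range 203.0.113.0/24),
    #    5 requests each, spread over several hours: enough sources, requests
    #    and time, so the new parameter is learned.
    for i in range(25):
        for k in range(5):
            learner.observe(t0 + timedelta(minutes=7 * i + 30 * k),
                            f"203.0.113.{i + 1}", "allow parameter promo_code")

    # 2. One attacker hammering SQL injection from a single IP: 500 requests
    #    over almost three hours, but only one source, so never accepted.
    for k in range(500):
        learner.observe(t0 + timedelta(seconds=20 * k), "198.51.100.7",
                        "disable sql-injection signature on parameter id")

    # 3. A botnet burst: 30 IPs and 120 requests, but all inside two minutes,
    #    so the minimum time span is not met and nothing is learned.
    for i in range(1, 31):
        for k in range(4):
            learner.observe(t0 + timedelta(seconds=4 * i + k), f"192.0.2.{i}",
                            "allow parameter cmd with shell metacharacters")

    # 4. A QA tester on the trusted subnet: a single request is enough.
    learner.observe(t0, "10.0.5.21", "allow parameter debug_flag")
    return learner


if __name__ == "__main__":
    result = run_simulation()
    for suggestion in sorted(result.learned):
        print("learned:", suggestion)
    for trusted, evidence in result.evidence.items():
        for suggestion, obs in evidence.items():
            if suggestion not in result.learned:
                kind = "trusted" if trusted else "untrusted"
                print(f"pending ({kind}): {suggestion} sources={len(obs.sources)} "
                      f"requests={obs.requests} span={obs.last_seen - obs.first_seen}")
```

Running it learns only the genuine parameter and the trusted QA request; the single-IP attacker fails the source count and the botnet burst fails the time span, which is the behaviour the thread is arguing about. Raising the source threshold from 20 to 30, as David asks about, only changes the first condition; the time-spread condition is what defeats a short burst from many addresses.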