Forum Discussion
ASM policy building - automatic or manual?
Hello David,
In my opinion, choosing automatic or manual depends on who is accessing the service during the learning phase.
If the policy is created and is accessible only from the trusted IPs, which are the QA team or developers, and is not yet published for any external use, then I think you can safely change the learning mode to automatic, but also keep monitoring the accepted suggestions. Also, you can increase the staging period for more stability.
But if, during the learning phase, there are also requests coming from external users, I don't think it is safe to make the learning automatic, even if you have added a trusted subnet.
Regarding the "Loosen Policy" settings, the answer is yes. Here is the description:
Loosen Policy: "Specifies the number of sources spread over a time period that must pass in order for the Policy Builder to accept and learn a policy change from traffic."
BR,
Mohamed Salah
- davidfisher, Oct 05, 2022, Cirrus
Hi Mohammed, this is exactly what I was trying to ask.
I feel what you said is a misconception.
Even if the application is public, it doesn't mean ASM just blindly accepts everything. It uses statistical analysis, so even if an attack is sent in, it won't be learned unless it meets the traffic threshold, which is very difficult to meet with just one type of attack traffic, as it has to be spread across time.
- Oct 05, 2022
Hello David,
For this topic, it depends on the organization's restrictions. I started my comment with "in my opinion" and it is based on different customers' requirements. It is just an opinion :D, I think more than one approach might be valid.
As per the below article, it is mentioned that "When you use automatic learning mode, it’s tempting to delegate ongoing maintenance of your security policy to Policy Builder, but there is a risk that it may incorrectly interpret and block genuine traffic. Therefore, you should monitor the suggestions it makes for any corrections. This process is a great way to start using and learning about your WAF"
Reference: https://support.f5.com/csp/article/K07359270
So if the policy is in automatic learning mode, it doesn't mean you can safely ignore the accepted suggestions and leave it working by itself, because it might cause an issue or accept wrong suggestions. Only in the QA environment and for internal use only, I think you can safely leave it in the automatic learning mode. Otherwise, if there are external requests from external users, I think you shouldn't leave it in the automatic mode, or if you selected this option, you should track and keep checking the accepted suggestions.
BR,
Mohamed Salah.
- davidfisher, Oct 07, 2022, Cirrus
Yes, I got it.
Automatic also seems to enable settings and disable policy settings along with just accepting entities. With manual, I have seen people only focus on the entities and much less on the policy tightening and loosening suggestions, though.
I think the best would be if they could do just entity learning automatically while disabling the policy tightening part.