Forum Discussion

Cirrus

Oct 04, 2022

ASM policy building - automatic or manual?

I'm thinking something like such start with the rapid deployment template. set learning mode to automatic add some trusted IPs if possible enable attack signature recommendation tool a...

Cirrus

Oct 04, 2022

Hi Mohammed..this is exactly what I was trying to ask..

I feel what you said is a misconception.
Even if the application is public it doesn't mean asm just blindly accepts everything..

It uses statiscal analysis so even if an attack is sent in it won't be learned unless it meets the traffic threshold which is very difficult to meet with just one type of attack traffic.. As it has to be spread across time..

Mohamed_Salah_

MVP

Oct 05, 2022

Hello David,

For this topic, it depends on the organization's restrictions. I started my comment with "in my opinion" and it is based on different customers' requirements. It is just an opinion :D, I think there might be more than one approach to be valid.

As per the below article, it is mentioned that "When you use automatic learning mode, it’s tempting to delegate ongoing maintenance of your security policy to Policy Builder, but there is a risk that it may incorrectly interpret and block genuine traffic. Therefore, you should monitor the suggestions it makes for any corrections. This process is a great way to start using and learning about your WAF"

Reference: https://support.f5.com/csp/article/K07359270

So if the policy is in automatic learning mode, it doesn't mean you can safely ignore and accepted suggestions and leave it working by itself, because it might make an issue or accept wrong suggestions. only in the QA environment and for internal use only, I think you can safely leave it in the automatic learning mode. Else, if there are external requests from external users, I think you shouldn't leave it in the automatic mode, or if you selected this option, you should track and keep checking the accepted suggestions.

BR,

Mohamed Salah.

davidfisher
Cirrus
Oct 07, 2022
yes i got it. .
automatic also seems to enable settings and disable policy settings along with just accepting entities. .with manually I have seen people only focus on the entities and much less on the policy tightening and loosening suggestions though..
i think best would be if they could do just entity learning automatically while disabling the policy tightening part..
- Mohamed_Salah_
  MVP
  Oct 08, 2022
  HelloDavid,
  This might be a valid approach as well, and at the same time keep checking the accepted suggestions just to ensure that everything is going fine.
  Good luck in creating your ASM policies ;).
  BR,
  Mohamed Salah.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

ASM policy building - automatic or manual?

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

F5 DNS Logs in JSON Format

APM - Portal access - Issue

How to configure ssh access by key on F5OS

ASM/AWAF declarative policy

Help with an iRule to disconnect active connections to Pool Members that are "offline"

Related Content

Post-Quantum Cryptography: Building Resilience Against Tomorrow’s Threats

Building a lab using Proxmox

F5 rSeries: Next-Generation Fully Automatable Hardware

Decrypting BIG-IP Packet Captures Automatically

F5 VELOS: A Next-Generation Fully Automatable Platform

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS