ASM Policy Building Suggestions

Thanks @boneyard. I am working on the sandbox environment, not production. I try to figure out what is the best way to simulate the production traffic. Do you normally have a sandbox testing environment to test out the policies? My understanding is that if I choose "automatic" security policy, ASM will build the security policies on the fly based on the behaviors of the application. But I am not sure if the learning will be different on the REST API? I appreciate for your inputs. Thanks!!