Forum Discussion
ASM policy building with automatic versus manual suggestions
Because applications vary greatly in complexity, and because different applications are vulnerable to different threats, you have options for finding the best balance of protection and policy maintenance for your organization. Think of ASM as the ultimate toolkit for securing your application--and in the same way that you wouldn't use all the tools in a Swiss army knife at once, you won't deploy ASM with all its features at once either.

Some administrators know in advance that they have little time for managing security policies. This is why the "automatic" deployment scenario exists. In this scenario, over time, ASM will make all the decisions about which violations should be blocked, or which violations should be allowed (because maybe they're not violations after all), without any human intervention. This is the recommended deployment scenario, and is listed first in the Deployment Wizard.

The second method is to create policy manually, or use templates. If you choose the manual method, and then select None, you are telling ASM that you want full control of the security policy building process. This means that nothing will happen automatically.

If you use a template, such as Rapid Deployment, you can secure your application from the vast majority of common vulnerabilities by relying on the sophisticated attack signatures, evasion detection, and RFC-compliance offered by that template. This is a good foundation for any security policy. But it will not offer the same level of protection as a policy which secures each file type, each parameter, each URL, etc., that might be exploitable in your app. These elements must be learned and secured over time--either automatically, or by an informed administrator.

A good place to start is the free "Getting Started with ASM" course on F5 University.
