Forum Discussion
ASM policy building with automatic versus manual suggestions
This period is intended to observe enough traffic (requests for entities such as file types, URLs, parameters) to help you sort out false positive violations from actual threats. During this period, entities and attack signatures are in a mode called "staging" which prevents legitimate requests which triggered a violation from getting blocked. After 7 days, entities are ready to be enforced if no violations have been seen by ASM. If the entity (or attack signature) is enforced, and the policy is in blocking mode, then the next request that triggers a violation related to it will be blocked. It is recommended that you run traffic (ideally from a trusted IP address) in order to expedite the learning process. If that is impossible, you will have to manually review violations (you can do it from the Enforcement Readiness Summary screen), or configure high enough thresholds for requests from different IP addresses and/or sessions to let the automatic policy builder do it for you. If you are using the Rapid Deployment template, most of your violations will be related to attack signatures or RFC violations.
