Forum Discussion
Enforcement readiness Period
Hi Everyone,
Can anyone let me know about this feature of ASM... When we manually create a policy and we keep the Enforcement Readiness period at 7 days (default), what happens to the policy after 7 days? Does it stop learning, does it start blocking, or what exactly happens?
Regards,
14 Replies
- Vitaliy_Savrans
Nacreous
Hi,
During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy; but the security policy does not alert or block that traffic, even if those requests trigger violations. If you enforce a policy entry, it starts blocking.
- Vitaliy_Savrans
Nacreous
After the enforcement readiness period is over and the enforcement mode is set to blocking, the security policy no longer allows requests that cause violations set to block to reach the back-end resources. Instead, the security policy blocks the request and sends the blocking response page to the client.
- Techgeeeg
Nimbostratus
Hi Vitaliy,
Thanks for your reply... I did get this part, that as long as transparent mode is on nothing is blocked... What I wanted to know is this: if I have set the learning period to 7 days (default) and, after the 7 days are over, the policy is still in Transparent mode, what happens to the learning? Does it still continue, does the box stop learning after 7 days, does it get overwritten, or what exactly?
- Vitaliy_Savrans
Nacreous
If there are no changes to the policy entries (signatures, parameters, etc.) during 7 days, the Policy Builder will suggest that you enforce the policy entries.
- Vitaliy_Savrans
Nacreous
Hi,
The policy will still be in transparent mode. The Policy Builder may run after this period of time, and if a pre-defined minimum amount of traffic was processed, the Policy Builder automatically enables the security policy entities and the attack signatures.
- Stephan_Schulz1
Historic F5 Account
Hi,
Short answer: the policy remains in learning mode.
The learning method is always violation based. As long as the "learn" option is enabled (the default with manual policies like Rapid Deployment), every request that violates the policy will raise a learning suggestion.
Note: if you look at "blocking/settings" for the given ASM policy, you can see and change the behaviour for each violation individually.
"learn" - will raise the learning suggestion
"alarm" - this request will be logged
"block" - this request will be blocked (only if the policy is set to block mode)
If staging is active for specific policy objects or signatures, then the enforcement readiness period defines how long this object will be observed. Policy objects which are in staging will not result in the request being blocked, but will raise a learning suggestion.
Cheers Stephan
- Mahmoud_Eldeeb_
Cirrostratus
As per my understanding, and please guys correct me if I'm wrong: within the period the mode is learning; once the period is over, the mode will be block.
- Stephan_Schulz1
Historic F5 Account
Hi,
yes and no...
During the enforcement readiness period all changes to an object (signature match, request size change, ...) will be learned (learning suggestion) and you can keep or discard them (policy building - manual traffic learning). If the period is over, all objects will be marked as "ready to be enforced" and you can enforce them. But, if the policy is in transparent mode, then it remains in transparent mode, regardless of the enforcement readiness period.
Further, the learning method is always violation based. That means as long as the "learn" option (blocking/settings) is active and you have not ignored this violation, the policy will learn every request that violates the policy. Whether this request will be blocked or not depends on the policy mode (block or transparent), except during the enforcement readiness period.
Cheers Stephan
- Vitaliy_Savrans
Nacreous
Sorry Stephan, didn't see your post.
- Techgeeeg
Nimbostratus
Thanks guys for this info... I just need some more clarification... If the staging period is over and, under policies, I still keep the boxes checked for Learn, Alarm and Block, all three, what will happen? And what is suggested when putting the policy in blocking mode?
Also, do I have to individually go to each of the things, like signatures and then meta characters and all, and put all of them in blocking mode from staging mode?
- Stephan_Schulz1
Historic F5 Account
Hi,
ok, let me clarify this...
When objects or attack signatures are in staging, the system does not enforce them. Instead, the system creates learning suggestions for each violation. The enforcement readiness period defines how long these objects will be observed and not enforced.
If the policy is in transparent mode (this mode does not change if the enforcement readiness period has ended...) then the policy will not block any request/violation. If the "learn" action is active, the system creates learning suggestions for each violation. If there are some objects in staging, the system creates learning suggestions based on this too (if there are related violations).
If the policy is in blocking mode (again, this mode does not change if the enforcement readiness period has ended...), all violations will be blocked (if the "block" action is active per violation), except for objects which are in staging (see above). The system creates learning suggestions for all violations (if the "learn" action is active) and objects which are in staging.
Staging gives you the possibility to tune objects without blocking the requests, even if the policy enforcement mode is block.
When the enforcement readiness period is over and no learning suggestions are added, all objects which are in staging will be marked as "ready to be enforced" (file type, URL, parameter, signature, ...). There is an enforcement readiness summary page, where you can enforce selected or all objects.
Cheers Stephan
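The behaviour described in the reply above, written out as a small model. This is an added example, not part of the original thread and not F5 code; the names `Entity`, `handle_violation`, `ready_to_enforce` and `simulate` are hypothetical, the dates and the signature name are constructed, and the "alarm" (logging) action is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Entity:                    # file type, URL, parameter, signature, ...
    name: str
    staged: bool                 # True while the entity is in staging
    last_suggestion: datetime    # staging start or latest learning suggestion

def handle_violation(mode, learn, block, entity):
    """Outcome of one request that violates the policy on `entity`.

    mode is "transparent" or "blocking"; learn and block are the
    per-violation flags from the blocking settings.
    """
    # Staged entities always produce suggestions; otherwise "learn" decides.
    suggestion = learn or entity.staged
    # Blocking needs all three: blocking mode, "block" flag, entity enforced.
    blocked = mode == "blocking" and block and not entity.staged
    return {"blocked": blocked, "suggestion": suggestion}

def ready_to_enforce(entity, now, period_days=7):
    """Staged and quiet for the whole enforcement readiness period."""
    quiet = now - entity.last_suggestion >= timedelta(days=period_days)
    return entity.staged and quiet

def simulate():
    start = datetime(2024, 1, 1)                      # constructed date
    sig = Entity("constructed-signature", True, start)
    day8 = start + timedelta(days=8)                  # period has elapsed
    out = {"ready_day8": ready_to_enforce(sig, day8)}
    # The period ending changes neither the policy mode nor the staging flag.
    out["transparent_staged"] = handle_violation("transparent", True, True, sig)
    out["blocking_staged"] = handle_violation("blocking", True, True, sig)
    sig.staged = False   # administrator enforces it on the readiness summary page
    out["blocking_enforced"] = handle_violation("blocking", True, True, sig)
    out["block_flag_off"] = handle_violation("blocking", True, False, sig)
    out["transparent_enforced"] = handle_violation("transparent", True, True, sig)
    out["ready_after_enforce"] = ready_to_enforce(sig, day8)
    return out

if __name__ == "__main__":
    for case, result in simulate().items():
        print(case, result)
```

In this model only the combination of blocking mode, an active "block" action and an enforced (non-staged) entity stops a request; the end of the readiness period by itself changes nothing except the "ready to be enforced" marker.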
- Techgeeeg
Nimbostratus
Thanks Stephan for the detailed answer...