Forum Discussion

A_hassanein
Apr 26, 2026

F5 ASM/AWAF – violations logged but no learning suggestions generated

Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

 

Setup:

- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)

- "Illegal Parameter" violation has Learn + Alarm + Block all enabled

- Parameter learning mode is set to Always

- Violations are appearing correctly in the event logs

- No blocked IP address exceptions

 

The Problem:

Despite all of the above, no learning suggestions are being generated for the illegal parameter violations, except one, on the Traffic Learning page.

 

What I noticed:

After digging through the logs, I found a pattern:

- The one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated

- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

 

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

 

My question:

Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here?

 

Has anyone run into this and found a workaround other than manually adding parameters from the event log?

 

Thanks in advance.

3 Replies

  • I believe this article explains that certain illegal objects don't create learning suggestions.

     

    https://my.f5.com/manage/s/article/K17191923

     

    The way I look at it is that making something illegal is an active choice: you say these things are not allowed, period. So then you don't want learning to be able to enable them again.

    • A_hassanein

      Thanks for your reply boneyard.
      First of all, the violation I mentioned in the post, "illegal parameter", is not unlearnable in the article you've mentioned.
      I also want to make it clear that the problem is that our policy is configured to learn parameters in an allow list ("positive security"), and the parameter names in the violation requests are not explicitly disallowed in the policy, so it's odd that the learning of ASM doesn't suggest adding them to the allow list, and the learning mode for parameters is Always, BTW.

       

      • Nikoolayy1

        Do you still have a wildcard parameter * to capture all not explicitly configured parameters? Is your policy builder in automatic mode with auto accept? Even if it is, if the traffic is not trusted then it will take many requests to be auto allowed, and this is why trusted IP jumphosts are used.