Forum Discussion

saidshow_251381's avatar
saidshow_251381
Icon for Cirrostratus rankCirrostratus
Feb 25, 2016

"Have Suggestions" Vs "Ready To Be Enforced"

Hi,

 

I am hoping to clarify my understanding of the 2 categories, "Have Suggestions" and "Ready to be Enforced" on the Enforcement Readiness page for an ASM policy.

 

My thoughts at this stage are that those in "Ready to be Enforced" have not been triggered for the defined period of time and as a result should be able to be enforced with very little likelihood of causing an issue for real traffic.

 

What appears in the "Have Suggestions" category has triggered alarms and each of these items should be individually reviewed to ensure it is a false positive or normal application behaviour (in this case Disable) or if the attempt is malicious that ensure that the rule is enforced.

 

Any clarification of this information would be greatly appreciated. I have a policy with hundreds of 'Ready to Enforced' items and I want to enforce all however I am concerned that my understanding may be incorrect and that this could cause an issue if I enforce these items on the ASM policy.

 

Thank you in advance.

 

  • Can you clarify what you mean by "effect traffic"? If your policy is in blocking mode, and then you enforce signatures, any request that triggers an enforced signature will be blocked. So that traffic will be effected. If you enforce signatures and the policy is in transparent mode, then no blocking will occur even if a signature is triggered. Make sense?

     

  • You are exactly right. When the configured enforcement readiness period expires for each staged entity or violation item, ASM will move the item to the Ready To Be Enforced column--as long as no violations have been triggered for the staged item. Let's use an attack signature as an example. If an attack signature has not been triggered for the duration of the enforcement readiness period (7 days for example), the rationale is that if and when it finally gets triggered it is because of a malicious request.

     

    If ASM has detected changes in staged entity attributes, or the appearance of new entities, and/or if attack signatures have been triggered, a link to learning suggestions—actions which will result in policy modification—is provided in the Have Suggestions column.