Forum Discussion
karthicksankark
Altostratus
AltostratusNo Learning Suggestions But could see Violations in the event logs
Hi All, In our environment we are in process of implementing the ASM policies. For few Policies we are not seeing any learning suggestions. But there are legal and illegal requests but no learning ...
Hi karthicksankark ,
>>> your Q : The Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions. ?
Answer : No , you should see suggestions, and let me explain.
First what is the Learning mode that you're using in each Entity ( Entity means >> File types , parameters , URLs ) Learn mode contains ( Never ( Wildcard only ) , selective , Always , and Compact ).
If you want to learn everything in your AWAF , you need to modify it to Always , to see suggestion from each request. and make sure you enable ( Learn Check box ) for each entity.
Also Make sure to enable learn check box in ( Evasion Technique , http compliance and attack signatures )
Till here I answered your Questions of how to get suggestions.
For more info about learning modes , Refer to this Article :
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.html
Specially this part :
Also Listen to this Video :
https://www.youtube.com/watch?v=6Qi6kX6iyJ0
After that let me know , if you need anything.
I hope that helps you , GoodLuck 🙂
Hi karthicksankark ,
>>> your Q : The Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions. ?
Answer : No , you should see suggestions, and let me explain.
First what is the Learning mode that you're using in each Entity ( Entity means >> File types , parameters , URLs ) Learn mode contains ( Never ( Wildcard only ) , selective , Always , and Compact ).
If you want to learn everything in your AWAF , you need to modify it to Always , to see suggestion from each request. and make sure you enable ( Learn Check box ) for each entity.
Also Make sure to enable learn check box in ( Evasion Technique , http compliance and attack signatures )
Till here I answered your Questions of how to get suggestions.
For more info about learning modes , Refer to this Article :
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.html
Specially this part :
Also Listen to this Video :
https://www.youtube.com/watch?v=6Qi6kX6iyJ0
After that let me know , if you need anything.
I hope that helps you , GoodLuck 🙂
karthicksankarkThanks Mohamed for the detailed information.
I afraid to set the learning mode to always. Will it impact on ASM performance ? If not I can make the changed and observe.
Thanks,
Karthick Sankar
It's not really that impact,
Let we try another thing,
First >>> Learning suggestions >> will appear with some samples of traffic that violate the setting of ( HTTP Compliance , Evaison Technique and attack signatures ) and Wildcard setting of ( File types , Parameters , URL ).
So you sould see learning suggestions , it appears with high number if your change the Learn mode to always that's right.
Second >>> Tell me about the Violations that appear to you without learning suggestions , could you please to send the violation name.
But again any request violates the ASM policy and blocking settings should appear in suggestions but with some samples of that request not only one sample of it.
Third >>> make sure that you haven't selected Compact method in learning mode , make sure it's ( Never , Always or selective )..
Try that and tell me.