Forum Discussion

Altostratus

Jun 08, 2023

No Learning Suggestions But could see Violations in the event logs

Hi All, In our environment we are in process of implementing the ASM policies. For few Policies we are not seeing any learning suggestions. But there are legal and illegal requests but no learning ...

ASM Learning Suggestions

security

Mohamed_Ahmed_Kansoh
Jun 08, 2023
Hi karthicksankark ,

>>> your Q : The Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions. ?

Answer : No , you should see suggestions, and let me explain.

First what is the Learning mode that you're using in each Entity ( Entity means >> File types , parameters , URLs ) Learn mode contains ( Never ( Wildcard only ) , selective , Always , and Compact ).

If you want to learn everything in your AWAF , you need to modify it to Always , to see suggestion from each request. and make sure you enable ( Learn Check box ) for each entity.

Also Make sure to enable learn check box in ( Evasion Technique , http compliance and attack signatures )

Till here I answered your Questions of how to get suggestions.

For more info about learning modes , Refer to this Article :
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.html
Specially this part :

Also Listen to this Video :
https://www.youtube.com/watch?v=6Qi6kX6iyJ0

After that let me know , if you need anything.

I hope that helps you , GoodLuck 🙂

JimSellers

Nimbostratus

I personally dont like the automatic learning modes due to the fact that if a hacker or someone meaning to do harm to your system all they need to do if generate enough traffic from different IP addressses and it will automatically be added to your policy. have you checked if alarm and learn are both checked since I have seen learning suggestions not pop when the alarm is not set ? also if you have told ASM in the past to forget about the event it will not show back up.

karthicksankark

Altostratus

Jun 09, 2023

Hi Thanks for the heads up on the risk in the automatic learning mode. Will opt for manual learning mode.

I double checked the entities that have both learn and alarm enabled.

In the logging I have used log illegal requests profile.

Thanks,

Karthick

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

No Learning Suggestions But could see Violations in the event logs

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Community Learning Path: Multi-Cloud Networking

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

Community Learning Path: Web Application and API Protection (WAAP)

Parsing tmsh command output with Python TextFSM module and some Lessons learned

Violation not ASM learning suggestions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS