Forum Discussion
No Learning Suggestions But could see Violations in the event logs
- Jun 08, 2023
Hi karthicksankark ,
>>> your Q : The Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions. ?
Answer : No , you should see suggestions, and let me explain.
First what is the Learning mode that you're using in each Entity ( Entity means >> File types , parameters , URLs ) Learn mode contains ( Never ( Wildcard only ) , selective , Always , and Compact ).
If you want to learn everything in your AWAF , you need to modify it to Always , to see suggestion from each request. and make sure you enable ( Learn Check box ) for each entity.
Also Make sure to enable learn check box in ( Evasion Technique , http compliance and attack signatures )
Till here I answered your Questions of how to get suggestions.
For more info about learning modes , Refer to this Article :
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.html
Specially this part :
Also Listen to this Video :
https://www.youtube.com/watch?v=6Qi6kX6iyJ0
After that let me know , if you need anything.
I hope that helps you , GoodLuck 🙂
Hello,
since you are using automatic learning mode, that's means when F5 generates a learning suggestion and its score reaches 100%, F5 will automatically accept this suggestion without waiting for your interception. you can check the policy history to check the changes that are made.
Also, there are some violations that are triggered as illegal requests in the event logs but F5 doesn't generate suggestions for them, you can check the below link for this point:
https://my.f5.com/manage/s/article/K17191923
last point, inside the policy building settings (learning and blocking settings), you can change the mode to advanced for "policy building process" and expand the options section. you will find " HTTP Response Status Codes used to learn traffic" and the default values are 1xx 2xx and 3xx. which means F5 will learn and generate a suggestion for these responses only. you can check the response code for the requests in the event logs, and add response codes in this box accordingly to see the suggestions.
Thanks,
Salah
Hi Salah,
Thanks for the information. Yes, I changed the learning mode to Manual and verified the suggestions that are waiting for my action to accept, delete or ignore.
Thanks Again,
Karthick
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com