Forum Discussion
No Learning Suggestions But could see Violations in the event logs
- Jun 08, 2023
Hi karthicksankark,
>>> Your Q: The Enforcement Readiness Period is 7 days. Only after 7 days did I start looking into the learning suggestions; will that be a cause? If so, how can I see the current suggestions?
Answer: No, you should see suggestions, and let me explain.
First, what is the Learning mode that you're using in each entity (entity means file types, parameters, URLs)? Learn mode contains: Never (wildcard only), Selective, Always, and Compact.
If you want to learn everything in your AWAF, you need to change it to Always, to see suggestions from each request, and make sure you enable the Learn checkbox for each entity.
Also make sure to enable the Learn checkbox in Evasion Techniques, HTTP compliance and attack signatures.
Up to here I have answered your question of how to get suggestions.
For more info about learning modes, refer to this article:
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.html
Especially this part:
Also listen to this video:
https://www.youtube.com/watch?v=6Qi6kX6iyJ0
After that, let me know if you need anything.
I hope that helps you, good luck 🙂
I personally don't like the automatic learning modes, due to the fact that all a hacker or someone meaning to do harm to your system needs to do is generate enough traffic from different IP addresses and it will automatically be added to your policy. Have you checked if Alarm and Learn are both checked, since I have seen learning suggestions not pop up when Alarm is not set? Also, if you have told ASM in the past to forget about the event, it will not show back up.
Hi Jim! This post caught my attention because I have been struggling with something that may be similar. I recently configured several new AWAF policies – all initially with the exact same attributes – just assigned to different virtual servers. For most, I am seeing learning suggestions as expected. But for one of these, even though there is lots of traffic being logged remotely and showing up in the local events log – with lots of alerted violations – I'm seeing no learning suggestions. The thing that is unusual about this particular policy is that the site is permitted for only a restricted list of users, and so far, all of the logged traffic has originated from a single IP. I noticed in your response above the phrase: "all they need to do is generate enough traffic from different IP addresses". Now I'm wondering if this is a clue to my problem. Am I correct to infer that traffic must arrive from multiple sources in order to be "learned"?
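The checklist in the first answer (learn mode per entity, Learn and Alarm flags) and Jim's point about traffic needing to come from several source IPs can be turned into one diagnostic. This is an added example, not code from the thread or from F5: it runs over a constructed snapshot of a policy's learning settings and constructed event-log rows, and all field names are assumptions modelled on the GUI terms, not F5's REST or export schema. It also goes slightly beyond the thread by treating sources listed as trusted IPs as exempt from the different-sources threshold.

```python
from collections import Counter

# Constructed policy snapshot (assumed shape, not F5's schema).
POLICY = {
    "learning_mode": "manual",                 # automatic / manual / disabled
    "entities": {                              # per-entity learn mode and flags
        "file_types": {"learn_mode": "never", "learn": True, "alarm": True},
        "parameters": {"learn_mode": "always", "learn": False, "alarm": True},
        "urls": {"learn_mode": "selective", "learn": True, "alarm": False},
    },
    # Assumed untrusted-traffic thresholds before a suggestion is raised.
    "untrusted_traffic": {"different_sources": 10, "min_requests": 20},
    "trusted_ips": [],
}

# Constructed event-log rows: (client_ip, entity, violation). All from one IP,
# which mirrors the restricted-access site described in the last post.
EVENTS = [("203.0.113.5", "parameters", "Illegal parameter")] * 30


def diagnose(policy, events):
    """Return the reasons why violations are logged but no suggestions appear."""
    reasons = []
    if policy["learning_mode"] == "disabled":
        reasons.append("policy builder learning is disabled")
    for name, ent in policy["entities"].items():
        if ent["learn_mode"] == "never":
            reasons.append(f"{name}: learn mode is Never (wildcard only)")
        if not ent["learn"]:
            reasons.append(f"{name}: Learn flag is off")
        if not ent["alarm"]:
            reasons.append(f"{name}: Alarm flag is off, violation is not raised")
    # Count distinct untrusted sources; trusted IPs are assumed exempt.
    trusted = set(policy.get("trusted_ips", []))
    untrusted = Counter(ip for ip, _, _ in events if ip not in trusted)
    need = policy["untrusted_traffic"]["different_sources"]
    if untrusted and len(untrusted) < need:
        reasons.append(f"only {len(untrusted)} distinct untrusted source IP(s) "
                       f"seen, threshold is {need}")
    return reasons


if __name__ == "__main__":
    for r in diagnose(POLICY, EVENTS):
        print("-", r)
```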