Forum Discussion
No Sample Requests are "found" in v12 ASM Traffic Learning
When I am looking at the Traffic Learning in v12 ASM there are many examples where there are no sample requests so I can't even see the context for the traffic suggestion. (Image below) Is there a way to see the sample traffic? This has happened for more than just illegal meta characters. Any help would be greatly appreciated. Thanks!
do you have a logging profile attached to the virtual server? one that logs illegal attempts locally will help a lot.
- Erik_Novak (Employee)
As boneyard indicates, a logging profile which logs either all requests or illegal requests locally should help you locate requests in Event Logs: Application Requests. If you see items in the request log, but not on the Traffic Learning screen, then you have a different problem. Go to Learning and Blocking settings, and verify if the violations you would like to track have the checkbox for "Learn" selected. If the Learn checkbox is not selected, then you will not see any learning suggestions on the Traffic Learning screen for those violations.
- Erik_Novak (Employee)
First determine if your logging profile is logging all requests, or illegal requests. For testing, start out by logging all requests. If you are passing traffic, go to Learning and Blocking settings, and then ensure that the "Learn" checkbox is selected for all violations for which you would like to see a learning suggestion. What are the Learn, Block, and Alarm settings for Illegal Metacharacter?
- Erik_Novak (Employee)
Make sure that the signatures are really enforced, especially after a signature update. New signatures should be in staging. If the signatures apply to parameters, double-check that parameter values are correct and also enforced. If you are having trouble with malicious traffic you should open a support case.
- Tamar_Andguladz (Nimbostratus)
Hello, What would be the reason when logging profile is attached and "Learn" checkbox is selected for all violations and still do not get events in traffic learning, "No samples found in requests list"?
- Erik_Novak (Employee)
The logging profile determines if all requests or illegal requests only will appear in Security: Event Logs: Application: Requests. It does not control whether or not learning suggestions will appear on the Traffic Learning screen. If you are not seeing any learning suggestions, it may be because there aren't any violations. Troubleshoot by first verifying that you have selected the correct application language encoding for your security policy, then verify that traffic is actually passing from the client to the virtual server, then verify that you have assigned the correct security policy to the correct virtual server. Also, is it possible that the policy has already generated suggestions and they have either been accepted or ignored? If you send a request, do you see anything in /var/log/asm? The rule of thumb is that ASM is doing exactly what you told it to do...
- Tamar_Andguladz (Nimbostratus)
Hello Erik, The part of them do not appear, there are logs in traffic learning but not all, I could not say that I do not get any request. For example: 0 sample requests out of 74 that triggered the suggestion from 2017-07-03 17:29:41 until 2017-08-31 15:12:29, and "No samples found in requests list" is shown in the traffic learning windows. The only reason I am thinking of is local storage is not capable to keep all those logs and it clears when it reaches 2 GB.
- schusb (Nimbostratus)
Perhaps you have set the violation to "ignore".
For example if you choose "Ignore Suggestion" for a Traffic Learning entry "Illegal method / HTTP-HEAD" all other illegal method violations will be ignored too even if it was caused by another illegal HTTP method!
- Karim (Cirrostratus)
Hi
I'm facing the exact same issue, i.e.:
- My policy is in blocking mode
- My attack signatures are in staging
- I have a "log illegal request only" logging profile attached to my virtual server
- All my attacks signatures have the learn, alarm, block flag enabled
However, while reviewing learning suggestion regarding an attack signature (in this case 200101421 - onEvent (Header)) I do not see the requests that trigger this learning suggestion. I have "0 sample requests out of 142 that triggered the suggestion from 2019-03-05 until 2019-03-30 21:30:25"
If the reason I'm not seeing the requests is a local storage issue, could you please tell how do I check the remaining local storage capacity? And how does the BIG-IP handle the local storage once there is no space left?
Many thanks, Karim
a new question usually helps better than adding to an old one.
there is like 25 days in that time range, that is quite long. have the signatures been in staging for that long or even longer?
i would disable staging, enable and just check again more regularly.
there is no way to check for database storage that I'm aware of, once it is full it will override the older stuff.