Forum Discussion

HoussNet's avatar
HoussNet
Icon for Altostratus rankAltostratus
Dec 07, 2022

Objectif of Learning mode in ASM

Hi,
I am new in F5 ASM,

As I think, ASM can block attacks by himself based on many rules and signatures. So my question is what's the objectif of integrated Learning Mode inSecurity Policy ?

Thanks

  • HoussNet , 
    If I enable Staging for Attack signature or any of Entities , I Tell F5 ASM " Do not Block traffic violates this attack signature/or matched entity " 

    Learning mode is a concept we call it when our service still under testing not on air/or production service for all users , and ofcourse you should enable statging in this mode , to learn traffic without interruption of blocking a legitimate traffic.

    you can enable Staging for Entites as way in the process of learning to make F5 not to Block any traffic violates these Entites , and when learning period completes you can enforce " Disable Staging" these Entity , this depends on what the type of learning ( Automatic/Manual) Learning. 

    I want to say that Staging is one of 3 ways permits/allows traffic that match any of staged entites or attack signatures. 

    I hope you have gotten it now. 
    Feel free to reach out with me. 

    Regards

  • Hi HoussNet , 
    Learning mode in F5 ASM : is only a Concept not an indication that F5 ASM will block or permit malicious traffic. 
    F5 ASM blocks/allows traffic based on : 

    >Transparent/Blocking mode. 

    > "Block" option enabled or not under each item in blocking and learning settings page.

    > if there Staged entity or not in statging. 

    So F5 takes block action if you configure : 
    - policy mode : Blocking
    - enable "block" option under needed items/Entities ( File types , urls , Attack signatures , parameters ...etc.)
    - disable Staging under needed items ( Attack signature ) or learned Entites ( parameters , filetypes , URLs .... etc and thire Wildcards "*" ) 

    F5 Allow traffic if you change Policy mode to be transparent even it was malicious traffic , this for the whole policy and I think this is option that you Call it Learning mode ". 
    Also If you are in Blocking mode and disabled "block" option under items/Entities which locate in ( Blocking and learning settings Page ) F5 allows any traffic violates (entities/items) , also if you enabled Stagging under each entity, if do not take a block action against it if you configure your policy in blocking mode .. OK ! 

    > I want to say Also F5 can learn entities from traffic in blocking mode , this depend on if you enable "learn" option under each Items/Entites. 

    > Read this Article  to find out more about F5 ASM :

     https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/25.html

    your Question is much generic , Please let me know if you have another point of view or clarify more your request.

    Regards 

    • HoussNet's avatar
      HoussNet
      Icon for Altostratus rankAltostratus

      Hi Mohamed_Ahmed_Kansoh 

      Thanks for your reply, for me I'm confused between Staged mode and Learning mode.

      I will read your shared article

      Best Regards

      • HoussNet , 
        If I enable Staging for Attack signature or any of Entities , I Tell F5 ASM " Do not Block traffic violates this attack signature/or matched entity " 

        Learning mode is a concept we call it when our service still under testing not on air/or production service for all users , and ofcourse you should enable statging in this mode , to learn traffic without interruption of blocking a legitimate traffic.

        you can enable Staging for Entites as way in the process of learning to make F5 not to Block any traffic violates these Entites , and when learning period completes you can enforce " Disable Staging" these Entity , this depends on what the type of learning ( Automatic/Manual) Learning. 

        I want to say that Staging is one of 3 ways permits/allows traffic that match any of staged entites or attack signatures. 

        I hope you have gotten it now. 
        Feel free to reach out with me. 

        Regards

  • Thanks Mohamed to share your knowledge, I think that'a many ideas became clear in my mind.

    Best Regards