Forum Discussion
Objective of Learning mode in ASM
Hi,
I am new to F5 ASM.
As I think, ASM can block attacks by itself based on many rules and signatures. So my question is: what's the objective of the integrated Learning Mode in a Security Policy?
Thanks
Hi HoussNet,
Learning mode in F5 ASM is only a concept, not an indication that F5 ASM will block or permit malicious traffic.
F5 ASM blocks/allows traffic based on:
- Transparent/Blocking mode.
- Whether the "Block" option is enabled or not under each item in the Blocking and Learning settings page.
- Whether there is a staged entity or not in staging.
So F5 takes a block action if you configure:
- Policy mode: Blocking
- Enable the "Block" option under the needed items/entities (file types, URLs, attack signatures, parameters, etc.)
- Disable staging under the needed items (attack signatures) or learned entities (parameters, file types, URLs, etc., and their wildcards "*")

F5 allows traffic if you change the policy mode to transparent, even if it was malicious traffic; this is for the whole policy, and I think this is the option that you call "Learning mode".
Also, if you are in Blocking mode and disabled the "Block" option under the items/entities located in the Blocking and Learning settings page, F5 allows any traffic that violates those entities/items; also, if you enabled staging under an entity, it does not take a block action against it if you configure your policy in blocking mode .. OK!
I want to say also that F5 can learn entities from traffic in blocking mode; this depends on whether you enable the "Learn" option under each item/entity.
Read this article to find out more about F5 ASM:
Your question is very generic. Please let me know if you have another point of view, or clarify your request more.
Regards
- HoussNetAltostratus
Thanks for your reply. For me, I'm confused between Staged mode and Learning mode.
I will read the article you shared.
Best Regards
HoussNet,
If I enable staging for an attack signature or any of the entities, I tell F5 ASM: "Do not block traffic that violates this attack signature or matched entity."
Learning mode is a concept; we call it that when our service is still under testing, not on air or a production service for all users, and of course you should enable staging in this mode, to learn traffic without the interruption of blocking legitimate traffic.
You can enable staging for entities as a step in the learning process to make F5 not block any traffic that violates these entities, and when the learning period completes you can enforce ("Disable Staging") these entities; this depends on the type of learning (Automatic/Manual).
I want to say that staging is one of 3 ways that permit/allow traffic that matches any of the staged entities or attack signatures.
I hope you have gotten it now.
Feel free to reach out to me.
Regards
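
The blocking conditions described in the two replies above (policy mode, the "Block" flag, staging, and the separate "Learn" flag), modelled as an added example that is not part of the thread and not F5 code. The field names and the sample entities are hypothetical and constructed for illustration.

```python
# Added illustration: field names are hypothetical, not an F5 policy export schema.
from dataclasses import dataclass

@dataclass
class Entity:
    kind: str           # "signature", "parameter", "url", "filetype"
    name: str
    block: bool         # "Block" flag for the item in Blocking and Learning settings
    staged: bool        # entity or attack signature is still in staging
    learn: bool = True  # "Learn" flag, independent of the block decision

def decide(policy_mode: str, e: Entity) -> dict:
    """Outcome for a request that violates entity e under the given policy mode."""
    why_not_blocked = []
    if policy_mode != "blocking":
        why_not_blocked.append("policy is in transparent mode")
    if not e.block:
        why_not_blocked.append("Block flag is disabled")
    if e.staged:
        why_not_blocked.append("entity is in staging")
    return {
        "action": "allow" if why_not_blocked else "block",
        "learn": e.learn,  # learning can still happen in blocking mode
        "why_not_blocked": why_not_blocked,
    }

def audit(policy_mode: str, entities: list) -> dict:
    """Map each entity whose violations would pass to the cause(s)."""
    findings = {}
    for e in entities:
        result = decide(policy_mode, e)
        if result["action"] == "allow":
            findings[f"{e.kind}:{e.name}"] = result["why_not_blocked"]
    return findings

# Constructed sample policy content
SAMPLE = [
    Entity("signature", "sig-A", block=True, staged=False),
    Entity("signature", "sig-B", block=True, staged=True),
    Entity("parameter", "*", block=False, staged=True),
    Entity("filetype", "php", block=True, staged=False, learn=False),
]

if __name__ == "__main__":
    for mode in ("blocking", "transparent"):
        print(mode, audit(mode, SAMPLE))
```

Running the audit in "blocking" mode lists only the entities that still let violations through, which is the quickest way to see what remains to be enforced after a learning period.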
- HoussNetAltostratus
Thanks Mohamed for sharing your knowledge, I think that many ideas became clear in my mind.
Best Regards
That's great news, go on brother.