Forum Discussion

HoussNet
Dec 07, 2022
Solved

Objective of Learning mode in ASM

Hi,
I am new to F5 ASM.

I think ASM can block attacks by itself based on many rules and signatures. So my question is: what is the objective of the integrated Learning Mode in a Security Policy?

Thanks

5 Replies

  • Hi HoussNet,
    Learning mode in F5 ASM is only a concept, not an indication that F5 ASM will block or permit malicious traffic.
    F5 ASM blocks/allows traffic based on:

    > Transparent/Blocking mode.

    > Whether the "Block" option is enabled or not under each item in the Blocking and Learning settings page.

    > Whether there is a staged entity in staging or not.

    So F5 takes a block action if you configure:
    - policy mode: Blocking
    - enable the "block" option under the needed items/entities (file types, URLs, attack signatures, parameters, etc.)
    - disable Staging under the needed items (attack signatures) or learned entities (parameters, file types, URLs, etc., and their wildcards "*")

    F5 allows traffic if you change the policy mode to Transparent, even if it is malicious traffic; this is for the whole policy, and I think this is the option that you call "Learning mode".
    Also, if you are in Blocking mode and disabled the "block" option under items/entities located in the Blocking and Learning settings page, F5 allows any traffic that violates those entities/items; also, if you enabled Staging under an entity, it does not take a block action against it even if you configure your policy in blocking mode.

    > I also want to say that F5 can learn entities from traffic in blocking mode; this depends on whether you enable the "learn" option under each item/entity.

    > Read this article to find out more about F5 ASM:

     https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/25.html

    Your question is quite generic. Please let me know if you have another point of view, or clarify your request further.

    Regards

    • HoussNet

      Hi Mohamed_Ahmed_Kansoh

      Thanks for your reply. I'm confused between Staged mode and Learning mode.

      I will read the article you shared.

      Best Regards

      • HoussNet,
        If I enable Staging for an attack signature or any of the entities, I tell F5 ASM: "Do not block traffic that violates this attack signature or matched entity."

        Learning mode is a concept; we use the term when our service is still under testing, not on air or a production service for all users, and of course you should enable staging in this mode, to learn traffic without the interruption of blocking legitimate traffic.

        You can enable Staging for entities as a way, in the process of learning, to make F5 not block any traffic that violates these entities, and when the learning period completes you can enforce ("Disable Staging") these entities; this depends on the type of learning (Automatic/Manual).

        I want to say that Staging is one of 3 ways that permit/allow traffic that matches any of the staged entities or attack signatures.

        I hope you have gotten it now.
        Feel free to reach out to me.

        Regards
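
The three conditions described in the replies above (policy mode, the "Block" option, and staging) can be modelled as a small readiness check. This is an added example, not part of the original posts and not F5 code; the `Item` structure, its field names and the sample entries are assumptions constructed for illustration, not the ASM export format.

```python
from dataclasses import dataclass

@dataclass
class Item:
    kind: str      # "signature", "parameter", "filetype", "url", ...
    name: str
    block: bool    # "Block" option enabled for this item's violation
    staged: bool   # staging still enabled on this item

def effective_action(policy_mode, item):
    """Return (action, reason) for a request that violates `item`."""
    if policy_mode != "blocking":
        return "allow", "policy is in transparent mode"
    if not item.block:
        return "allow", "Block option is disabled"
    if item.staged:
        return "allow", "item is still in staging"
    return "block", "blocking mode, Block enabled, staging disabled"

def enforcement_gaps(policy_mode, items):
    """Items whose violations would pass unblocked, with the reason why."""
    gaps = []
    for item in items:
        action, reason = effective_action(policy_mode, item)
        if action == "allow":
            gaps.append((item.kind, item.name, reason))
    return gaps

# Constructed sample data; names and layout are assumptions for illustration.
SAMPLE_ITEMS = [
    Item("signature", "sample-sqli-signature", block=True, staged=True),
    Item("parameter", "*", block=True, staged=False),
    Item("filetype", "php", block=False, staged=False),
    Item("url", "/login", block=True, staged=False),
]

if __name__ == "__main__":
    for mode in ("transparent", "blocking"):
        print(f"policy mode: {mode}")
        for kind, name, reason in enforcement_gaps(mode, SAMPLE_ITEMS):
            print(f"  not blocked: {kind} {name!r} ({reason})")
```

Running it lists, for each policy mode, which sample items would still let violating traffic through and why, which is the review to do before treating a policy as enforcing.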

  • Thanks Mohamed for sharing your knowledge. I think many ideas became clear in my mind.

    Best Regards