Forum Discussion
EvilRootSa_2832
Nimbostratus
Oct 06, 2009
Setting up learning in the ASM
Just curious. I am working on enabling learning on my ASM 9.4.4. It might sound newbish, but what would be the benefit to the learn feature? Would this feature be best to begin building out your security policies on the ASM?
4 Replies
- hoolio
Cirrostratus
Hi,
There are probably a few schools of thought on this. F5 is trying to provide automated tools to build a policy (the policy builder). For our customers, we use the Traffic Learning tool and manual policy edits instead as these methods provide fairly granular and specific ways to modify the policy. The automated tools have improved a lot in recent versions, so you might want to give that a try too.
The Getting Started guide and the Configuration Guide should give you some background on your options:
BIG-IP Application Security Manager: Getting Started Guide
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_get_start_10.html
Configuration Guide for BIG-IP Application Security Management
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10.html
Aaron
- EvilRootSa_2832
Nimbostratus
Thanks Hoolio.
We are running 9.4.x. Also, if the ASM module is disabled, isn't learning disabled along with it? Can learning be enabled while ASM is disabled?
- hoolio
Cirrostratus
Learning and blocking are configurable per violation type. You can put all checks in transparent mode or just some checks. If one or more checks are in transparent mode, ASM can still provide learning suggestions without blocking a request or response which triggers the violation.
You can configure this per policy under App Security | Policy | Blocking | Settings. Note the three columns on the right: Learn, Alarm and Block. The online help and the ASM Configuration Guide provide additional detail on these options.
Aaron
- Javier_Checa_41
Nimbostratus
The learning feature is great when developing a new policy. For example, most of the time you don't get the correct parameter data types from the programmers, and learning lets you easily add new exceptions. Also, when blocking non-existing objects, etc.
I recommend you give it a try!
Javi.
