Forum Discussion
Why "Do not enable both staging and Add All Entities in the same wildcard entity" ?
- Apr 18, 2017
Mode: Add all Entities
In this mode the wildcard allows ASM to learn new entities. When the policy is enforced the wildcards will be removed. So enabling staging on the wildcard serves no purpose since its going to be removed anyway. Anything the wildcard itself may have learned in staging will disappear when they are removed. Its just adding more work for ASM thats not needed.
As ASM learns new entities in this mode they are added in staging and they immediately begin the Enforcement Readiness Period. During this time ASM watches for any attributes of an entities that may need to be adjusted. If they do, the clock starts over. It is not until the end of the Enforcement Readiness Period, where no changes have been suggested for the attributes, is when ASM will recommend you enforce an entity.
Steph, this is because Staging tunes an entity once it's in a policy. If you are adding all entities then there is no need to tune the wildcard, you tune the specific entities e.g. file types.
Let's take File Types. If you select "Add all entities" you will be prompted to add the file types in the learning process. Once in the policy, staging is enabled so they can be tuned for the file type properties i.e. URL Length, Request Length etc. Potentially each file type will have a different set of properties. Whist in staging no traffic will be potentially blocked and, once you're happy that there have been no violations you can take a file type out of staging. If a wildcard is in staging as well, then effectively you will change the length properties for the wildcard based on all the different file types length properties - which isnt what you would want.
Hope this makes sense.
N
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com