ASM Not Automatic learning URL, File Type and Parameter.

Hoang_Hung
Altostratus

Hi all

We are deploying the ASM module for our customer. We have created one policy with Application Security Policy mode: Automatic learning.

After that we changed the settings for URL, File Type and Parameter to mode: Always. Then we logged in to the web site and tried all of its functions. But when we show the learned URLs, File Types and Parameters, we do not see any.

Please help us.

Thank you so much.

Our pictures are attached here.

 

[7 attached screenshots]

11 REPLIES

Lidev
MVP

Hello  

Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server?

If you modify the Virtual Server log profile to Log All requests, do you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request)?

 

Regards

Thanks  

Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server ? ==> Yep, we have associated it with the Virtual Server.

if you modify the Virtual Server log profile to Log All requests, you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request) ? ==> We have seen many requests.

But when we show the learned URLs, File Types and Parameters, we do not see any.

Example: pictures 5, 6, 7

 

 

It's weird. No error messages in var/log/asm? Or in var/log/ts/learning_manager.log (only 11x version)?

Have you tried to restart the BIG-IP ASM process?

Yep, so weird.

We will try by your solution.

Hehe

Hi Lidev

If you are OK with it, please remote in to my computer and fix it with me.

Thanks

Ivan_Chernenkii
F5 Employee

Hello Hoang,

 

What version of BIG-IP do you use?

What configuration of "Policy Building Process" on "Security ›› Application Security : Policy Building : Learning and Blocking Settings" do you have?

 

By default we have some thresholds for learning, e.g. we need to get the same new parameter from 20 different source IPs during a specific time period (each new IP during a new hour).

If you want to add all entities automatically via learning, then for this period (DO NOT forget to disable it in production), you need to set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" - in that case entities will be automatically added for each request.

You can find the status of the learning process on the "Security ›› Application Security : Policy Building : Traffic Learning" page.

 

Thanks, Ivan

Thanks Ivan Chernenkii

Thank you for the response.

We have seen some requests in Traffic Learning, but it is not enough to reach 100%.

How can we make Traffic Learning reach 100% faster?

[attached screenshot]

Thanks Ivan

Hello Hoang,

 

As I see, you use default configuration for "Policy Building Process"

 

Do you use learning in lab (specifically generated 100% correct traffic) or with real traffic?

 

If in lab, then just set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" and it will get 100% after one request.

 

If you use it with real traffic, then I would suggest waiting until you get 100% with the current configuration. It goes slowly because you don't have enough untrusted sources (different Client IPs). If you modify the configuration of "Policy Building Process" during real traffic, then incorrect entities can be learned from attacker or bot traffic.

 

But in general, the score is counted in this way - by default we should get a request with the appropriate entity from 20 different sources (Client IPs), and each new IP is added a minimum of 1 hour after the previous IP was added. So, currently you have 6 untrusted IPs - 100%/20*6=30%. So, to make it fast you need to reduce the number of untrusted sources in the configuration OR reduce the time between adding new sources.

 

Thanks, Ivan
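
The scoring rule described in the reply above, as a simplified model added here for illustration; it is not part of the original thread and not F5's code. The function names, the `param:username` entity and the documentation-range client IPs are assumptions, and the sample traffic is constructed.

```python
from datetime import datetime, timedelta

# Defaults as stated in the reply above: 20 different sources, and a new
# source is counted at least 1 hour after the previous one was counted.
REQUIRED_SOURCES = 20
MIN_GAP = timedelta(hours=1)


def learning_score(requests, entity, required=REQUIRED_SOURCES,
                   min_gap=MIN_GAP, trust_all=False):
    """Return (score_percent, counted_ips) for one entity.

    requests: iterable of (timestamp, client_ip, entity) tuples.
    trust_all models "Trusted IP Addresses" = "All IP Addresses".
    """
    counted, last = [], None
    for ts, ip, seen in sorted(requests):
        if seen != entity:
            continue
        if trust_all:
            return 100.0, [ip]          # one trusted request is enough
        if ip in counted:
            continue                    # repeat traffic from a counted source
        if last is not None and ts - last < min_gap:
            continue                    # new source, but too soon to count
        counted.append(ip)
        last = ts
        if len(counted) >= required:
            break
    return 100.0 * len(counted) / required, counted


def constructed_sample():
    """Constructed traffic: one tester, five spaced clients, one burst."""
    t0, ent = datetime(2024, 1, 1, 9, 0), "param:username"
    reqs = [(t0 + timedelta(seconds=10 * i), "192.0.2.10", ent) for i in range(50)]
    reqs += [(t0 + timedelta(minutes=61 * k), f"198.51.100.{k}", ent) for k in range(1, 6)]
    reqs += [(t0 + timedelta(minutes=305 + m), f"203.0.113.{m}", ent) for m in range(1, 4)]
    return reqs


if __name__ == "__main__":
    score, ips = learning_score(constructed_sample(), "param:username")
    print(f"{score:.0f}% from {len(ips)} counted sources: {ips}")
```

In this model the 50 requests from the single tester count as one source and the burst of three new clients inside the same hour is not counted, which is why clicking through the application from one workstation leaves the learning score low unless that address is trusted.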

 

Thanks Ivan

This response is very helpful.

Thank you so much

Hi  

I have a question.

When are signatures automatically attached to a parameter? (I know I can manually customize the attached signatures.)

ASM learned the parameter with staging: No. But when I access it, I can see signatures attached to the parameter.

Details are in the attached pictures.

[2 attached screenshots]

Thank you.

Hung Hoang

Hoang,

 

I don't see any overridden signature for the learned parameter.

Do you mean when a signature is disabled for the learned parameter?

 

Thanks, Ivan