Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

ASM Not Automatic learning URL, File Type and Paramater.

Hoang_Hung
Cirrus
Cirrus

‎04-Aug-2020 00:02

Hi all

We are deploying ASM module for us Customer. We have create one policy Application Security Policy mode: learning Automatic.

After we have change setting with URL, File Type and Parameter mode: Always. Then we have login to web and try all function for web. But when show learned URL, File Type and Parameter, we not see any it.

 

Please help us.

Thanks you so much

Attach us picture at here.

 

0691T000009hinZQAQ.png

0691T000009hineQAA.png

0691T000009hinjQAA.png

0691T000009hinfQAA.png

0691T000009hinoQAA.png

0691T000009hinpQAA.png

0691T000009hinqQAA.png

Labels:
11 REPLIES 11

Lidev
MVP
MVP

‎04-Aug-2020 06:06 - last edited on ‎24-Mar-2022 01:26 by Fog

Hello  

Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server ?

if you modify the Virtual Server log profile to Log All requests, you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request) ?

 

Regards

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Lidev

‎04-Aug-2020 06:15 - last edited on ‎24-Mar-2022 01:26 by Fog

Thanks  

Is the policy F5-WAF-INTERNET-Policy properly associated with the Virtual Server ? ==> Yep, we have asssociated with Virtual Server.

if you modify the Virtual Server log profile to Log All requests, you see the requests analyzed by ASM (Security ›› Event Logs : Application : Request) ? ==> We have see many request.

But when show learned URL, File Type and Parameter, we not see any it.

example : picture 5, 6, 7

 

 

0 Kudos

Lidev
MVP
MVP
In response to Hoang_Hung

‎05-Aug-2020 00:32

it's weird, no error messages in var/log/asm ? or in var/log/ts/learning_manager.log (only 11x version)

Have you try to restart the BIG-IP ASM process ?

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Hoang_Hung

‎05-Aug-2020 00:34

Yep so weired.

We will try by your solution.

Hehe

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Hoang_Hung

‎05-Aug-2020 02:33

Hi Lidev

If you ok. please remote to my computer and fix with me.

Thanks

0 Kudos

Ivan_Chernenkii
F5 Employee
F5 Employee

‎05-Aug-2020 17:13

Hello Hoang,

 

What version of BIG-IP do you use?

What configuration of "Policy Building Process" on "Security ›› Application Security : Policy Building : Learning and Blocking Settings" do you have?

 

By default we have some thresholds for learning like e.g. we need to get the same new parameter from 20 different source IPs during specific time period (each new IP during new hour)

If you want to add all entities by yourself automatically via learning, then for this period (DO NOT forget to disable it in production), you need to set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" - in such case entities will be automatically added for each request.

You can find status of learning process on "Security ›› Application Security : Policy Building : Traffic Learning" page.

 

Thanks, Ivan

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Ivan_Chernenkii

‎06-Aug-2020 09:08

Thanks Ivan Chernenkii

Thanks you for respone.

We have see some request in Traffic learning but it not enough. 100%.

How do you do reduce for traffic learnning ==> 100% fast.

0691T000009hmNQQAY.png

Thanks Ivan

0 Kudos

Ivan_Chernenkii
F5 Employee
F5 Employee
In response to Hoang_Hung

‎06-Aug-2020 14:23

Hello Hoang,

 

As I see, you use default configuration for "Policy Building Process"

 

Do you use learning in lab (specifically generated 100% correct traffic) or with real traffic?

 

If in lab, then just set set "Trusted IP Addresses" to "All IP Addresses" in "Policy Building Process" and it will get 100% after one request

 

If you use it with real traffic, then I would suggest to wait until you will get 100% with current configuration. It goes slow because you don't have enough untrusted sources (different Client IPs). If you will modify configuration of "Policy Building Process" during real traffic, then incorrect entities can be learned from attacker or bot traffic.

 

But in general, score is counted in this way - by default we should get request with appropriate entity from 20 different sources (Client IPs) and each new IP is added minimum after 1 hour when previous IP was added. So, currently you have 6 untrusted IPs - 100%/20*6=30%. So, to make it fast you need to reduce number of untrusted source in configuration OR reduce time between adding new source.

 

Thanks, Ivan

 

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Hoang_Hung

‎07-Aug-2020 09:41

Thank Ivan

This is response very helpful

Thanks you so much

0 Kudos

Hoang_Hung
Cirrus
Cirrus
In response to Hoang_Hung

‎26-Aug-2020 09:11 - last edited on ‎24-Mar-2022 01:26 by Fog

Hi  

I have a question .

when was parameter auto attach signature ? ( I know i can customize manual attach signature)

After ASM learned parameter with staging No. But I have access it, i can see signatures attached to parmeters

Detail attach picture.

0691T000009i7ZDQAY.png0691T000009i7ZNQAY.png

Thank you.

Hung Hoang

0 Kudos

Ivan_Chernenkii
F5 Employee
F5 Employee
In response to Hoang_Hung

‎31-Aug-2020 23:18

Hoang,

 

I don't see any overridden signature for learned parameter.

Do you mean when signature is disabled for learned parameter?

 

Thanks, Ivan

0 Kudos
Copyright © 2023 Khoros, LLC