I'm thinking something like this:
start with the rapid deployment template,
set learning mode to automatic,
add some trusted IPs if possible,
enable the attack signature recommendation tool,
and done in 7 days.
However, a major issue is many people/customers don't like the automatic building and want it to be done manually.
People don't seem to trust the idea of automatic policy building and feel it's going to be "less secure" - do you face this issue?
How do you work around this?
Should I increase the loosen policy settings to make it require more sources to accept the traffic? Maybe 30 sources instead of 20?
The source here only considers the source IP right?
In my opinion, choosing automatic or manual depends on who is accessing the service during the learning phase.
If the policy is created and is accessible only from the trusted IPs, which are the QA team or developers, and not published yet to any external use, then I think you can safely change the learning mode to automatic, but also keep monitoring the accepted suggestions. Also, you can increase the staging period for more stability.
But if during the learning phase there are also requests coming from external users, I don't think it is safe to make the learning automatic even if you have added a trusted subnet.
Regarding the "Loosen Policy" settings, the answer is yes. Here is the description:
Loosen Policy: "Specifies the number of sources spread over a time period that must pass in order for the Policy Builder to accept and learn a policy change from traffic."
Hi Mohammed, this is exactly what I was trying to ask.
I feel what you said is a misconception.
Even if the application is public it doesn't mean ASM just blindly accepts everything.
It uses statistical analysis, so even if an attack is sent in it won't be learned unless it meets the traffic threshold, which is very difficult to meet with just one type of attack traffic, as it has to be spread across time.
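To make the "Loosen Policy" description quoted above and the point about traffic spread across time concrete, here is a small simulation that is not F5's code and not from this thread. It models the Policy Builder's acceptance rule as "at least N distinct source IPs observed for the same entity, with the first and last observation at least one time window apart"; the class name, the parameter names and the sample traffic are all constructed for the illustration, and the real product's internal statistics may differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class LearningTracker:
    """Simplified model of a 'learn from traffic' threshold (assumption, not the product's logic).

    A candidate policy change for an entity (for example a new parameter name)
    is accepted only when enough distinct sources have sent it and those
    observations are spread over at least `min_span` of time.
    """

    def __init__(self, min_sources=20, min_span=timedelta(hours=1)):
        self.min_sources = min_sources      # comparable to the thread's "20 sources" setting
        self.min_span = min_span            # the "time period" the sources must be spread over
        self._sources = defaultdict(set)    # entity -> set of distinct source IPs
        self._first_seen = {}               # entity -> timestamp of first observation
        self._last_seen = {}                # entity -> timestamp of latest observation

    def observe(self, entity, source_ip, ts):
        """Record one request that would add `entity` to the policy if accepted."""
        self._sources[entity].add(source_ip)
        self._first_seen.setdefault(entity, ts)
        self._last_seen[entity] = max(self._last_seen.get(entity, ts), ts)

    def distinct_sources(self, entity):
        return len(self._sources[entity])

    def should_accept(self, entity):
        """True only when both the source count and the time spread are satisfied."""
        if entity not in self._first_seen:
            return False
        spread = self._last_seen[entity] - self._first_seen[entity]
        return (self.distinct_sources(entity) >= self.min_sources
                and spread >= self.min_span)

def simulate():
    """Constructed traffic: one noisy attacker versus a broad set of legitimate QA testers."""
    tracker = LearningTracker(min_sources=20, min_span=timedelta(hours=1))
    t0 = datetime(2024, 1, 1, 9, 0, 0)

    # Constructed sample: a single source hammering a suspicious parameter 50 times in a minute.
    for i in range(50):
        tracker.observe("param:debug_cmd", "198.51.100.7", t0 + timedelta(seconds=i))

    # Constructed sample: 22 distinct QA addresses using a real parameter over two hours.
    for i in range(22):
        tracker.observe("param:order_id", f"10.0.5.{i + 1}", t0 + timedelta(minutes=6 * i))

    return {
        "attack_sources": tracker.distinct_sources("param:debug_cmd"),
        "attack_accepted": tracker.should_accept("param:debug_cmd"),
        "legit_sources": tracker.distinct_sources("param:order_id"),
        "legit_accepted": tracker.should_accept("param:order_id"),
    }

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The attacker's 50 requests all count as one source and arrive within a minute, so the candidate entity never clears either half of the rule; the QA traffic clears both. Raising `min_sources` from 20 to 30, as the original question suggests, only makes the legitimate entity wait longer, which is the trade-off the staging period discussion in this thread is about.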
For this topic, it depends on the organization's restrictions. I started my comment with "in my opinion" and it is based on different customers' requirements. It is just an opinion :D, I think there might be more than one approach to be valid.
As per the below article, it is mentioned that "When you use automatic learning mode, it’s tempting to delegate ongoing maintenance of your security policy to Policy Builder, but there is a risk that it may incorrectly interpret and block genuine traffic. Therefore, you should monitor the suggestions it makes for any corrections. This process is a great way to start using and learning about your WAF"
So if the policy is in automatic learning mode, it doesn't mean you can safely ignore the accepted suggestions and leave it working by itself, because it might cause an issue or accept wrong suggestions. Only in the QA environment and for internal use only, I think you can safely leave it in the automatic learning mode. Else, if there are external requests from external users, I think you shouldn't leave it in the automatic mode, or if you selected this option, you should track and keep checking the accepted suggestions.
Yes, I got it.
Automatic also seems to enable settings and disable policy settings along with just accepting entities. With manual, I have seen people only focus on the entities and much less on the policy tightening and loosening suggestions though.
I think the best would be if they could do just entity learning automatically while disabling the policy tightening part.
This might be a valid approach as well, and at the same time keep checking the accepted suggestions just to ensure that everything is going fine.
Good luck in creating your ASM policies ;).