Forum Discussion

smalex
Jul 08, 2018

ASM Policy Learning Understanding

I am very new to ASM and enabled a security policy with 'Automatic' learning mode and 'Transparent' enforcement mode. Learning speed is medium and the period was 14 days, which I had extended to around 30 days. Now I have around 5k entries in the traffic learning page. I am confused about how to proceed further.

Can anyone help me out?


1 Reply

  • I started building security policies for 10 of my applications 7 months ago. And one of the applications is now at 99%.

    When it comes to the automatic policy builder, the general progress all depends upon the amount of traffic that is learned and enforced by the ASM. After we learn entities, the general progress in the policy builder won't be made until we have enforced the entities that we learn (which comes down to meeting the criteria specified in the Tighten settings).

    When the policy builder is enabled, it will learn entities from the traffic that it gets once the criteria specified in 'Accept as Legitimate (Loosen)' in the policy builder settings are met. Until we get the specified amount of traffic, we won't learn it as an entity within the policy. Once we have learned the traffic, next comes enforcing them (even if PB enforces them and the objects are ready to be enforced, they won't actually be "enforced" until the Enforcement Readiness Period is over).

    For the entities or elements (that have been learned) to be "enforced", it'll be done by the policy builder only after it has met the criteria specified in the policy builder settings. If they haven't met those criteria, then they won't be enforced by the policy builder automatically (because the criteria under the Tighten settings haven't been met) but rather will need to be enforced by the admin user (or any user, really) manually.

    If an entity meets the criteria of Stabilize (Tighten), then this entity immediately gets enforced (stabilized - taken out of staging). It does not have to wait for the "Enforcement Readiness Period" for it to be enforced. Those entities that have not met the Tighten criteria hit the accepted entities, but they are still in staging, and they'll have to be manually enforced.

    The 'Track Site Changes' setting within the policy builder re-runs the Policy Builder automatically when it sees possible changes on the application. Imagine that for an existing URL /some/app there is a URL parameter configured, param1. At some point /some/app starts getting param2 instead of param1. This indicates a possible change on the application and they are now using param2 on the URL.

    If you are observing the general progress not moving forward soon enough, that is because the entities that have been learned by the Policy Builder have not been enforced (if the progress is at 20%, that means only 20% of the traffic learned by PB has been enforced). For that traffic to be enforced, it must meet the criteria specified in the Tighten settings. I would recommend lowering the values for 'Stabilize (Tighten)' in order to boost the pace of the general progress bar.

    To adjust Stabilize (Tighten) for the policy:

    1) Navigate to Security ›› Application Security : Policy Building : Settings
    2) Select the policy in "Current edited policy"
    3) Set "Automatic Policy Building Settings" to "Advanced"
    4) Under "Rules" there is a "Stabilize (Tighten)" section to adjust the values for trusted and untrusted traffic.

    And go through the below article, this is very helpful. Most importantly, the conclusion.

    https://support.f5.com/csp/article/K07359270
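The reply above describes a learn/stage/enforce pipeline: an entity is learned once the Loosen threshold is met, it leaves staging either when the Tighten threshold is met or when an admin enforces it by hand, "general progress" is the enforced share of what was learned, and Track Site Changes reacts to a new parameter appearing on a URL whose parameters were already learned. The following Python model of that pipeline is an added illustration, not part of the forum thread and not F5's code; the request-count thresholds, the URL and parameter names, and the class and function names are all constructed for the example. It also omits the Enforcement Readiness Period and the trusted/untrusted split, which the real rules consider.

```python
"""Toy model of ASM automatic policy building: Loosen, Tighten, staging, progress.

Added illustration, not F5 code. Thresholds, URLs and parameter names are
constructed; real Policy Builder rules also weigh trusted vs untrusted sources
and elapsed time, which this model leaves out.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Thresholds:
    """Request counts standing in for the Loosen and Tighten rule settings."""
    loosen: int   # requests before a parameter is learned (accepted, in staging)
    tighten: int  # requests before a learned parameter is stabilized (enforced)


@dataclass
class ParamEntity:
    url: str
    name: str
    hits: int = 0
    learned: bool = False   # met Loosen: accepted into the policy, still in staging
    enforced: bool = False  # met Tighten (or enforced by hand): out of staging


class PolicyBuilderModel:
    def __init__(self, thresholds: Thresholds) -> None:
        self.t = thresholds
        self.entities: Dict[Tuple[str, str], ParamEntity] = {}
        self.site_changes: List[str] = []  # what 'Track Site Changes' would react to

    def observe(self, url: str, params: List[str]) -> None:
        """Feed one request for `url` carrying the given parameter names."""
        learned_here = {k[1] for k, e in self.entities.items() if k[0] == url and e.learned}
        for p in params:
            if learned_here and (url, p) not in self.entities:
                # A URL with already-learned parameters starts receiving a new one
                # (the /some/app param1 -> param2 situation from the reply).
                self.site_changes.append(f"{url}: new parameter {p}")
            ent = self.entities.setdefault((url, p), ParamEntity(url, p))
            ent.hits += 1
            if ent.hits >= self.t.loosen:
                ent.learned = True          # Accept as Legitimate (Loosen)
            if ent.learned and ent.hits >= self.t.tighten:
                ent.enforced = True         # Stabilize (Tighten): leaves staging at once

    def enforce_manually(self, url: str, name: str) -> None:
        """What the admin does for learned entities that never meet Tighten."""
        ent = self.entities[(url, name)]
        if ent.learned:
            ent.enforced = True

    def staged(self) -> List[str]:
        """Learned but not enforced: the entries that pile up on the learning page."""
        return [f"{e.url}?{e.name}" for e in self.entities.values()
                if e.learned and not e.enforced]

    def progress(self) -> float:
        """General progress as the reply describes it: enforced share of learned entities."""
        learned = [e for e in self.entities.values() if e.learned]
        if not learned:
            return 0.0
        return 100.0 * sum(e.enforced for e in learned) / len(learned)


def simulate(tighten: int = 20) -> dict:
    """Replay constructed traffic; rerun with a lower `tighten` to see progress jump."""
    pb = PolicyBuilderModel(Thresholds(loosen=5, tighten=tighten))
    for _ in range(25):
        pb.observe("/some/app", ["param1"])   # busy: learned, then stabilized
    for _ in range(8):
        pb.observe("/login", ["user"])        # learned, but too quiet to stabilize
    pb.observe("/some/app", ["param2"])       # new parameter on a learned URL
    return {
        "progress": pb.progress(),
        "staged": pb.staged(),
        "site_changes": pb.site_changes,
    }


if __name__ == "__main__":
    for t in (20, 8):
        print(f"tighten={t}: {simulate(t)}")
```

With the default Tighten value the quiet /login?user parameter is learned but stays in staging, so progress sits at 50% and the entry stays on the learning page; lowering Tighten to a value the traffic actually reaches (8 here) stabilizes it and progress goes to 100%, which is the effect the reply recommends aiming for. The single new parameter on /some/app is recorded as a site change without being learned, since it has not yet met the Loosen count.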