Forum Discussion

Check1t_282465
Mar 19, 2018

Automatic Policy Building Learning limitations

I created a policy and selected Fundamental attributes, learning speed Medium. After creating it, I confirmed the learning mode was Automatic and switched Enforcement from Blocking to Transparent. After saving, the Policy Type switched to Custom. I then added a trusted IP in IP Address Exceptions (only checked "trusted IP" in the checkboxes). I then connected to the application from the trusted IP and performed a number of actions. After logging off, I checked the F5. Found: a) Changes to the policy appear in the audit log (parameters, file types, etc.). b) I triggered a 410 response, but it is still flagged as an illegal response. Are response codes not part of learning?

c) There are a number of suggestions submitted for Evasion Techniques and HTTP Protocol Compliance recommending that blocking be turned on. Is that to be expected? d) Changes are not yet applied. Is this typical, or should the policy learning have been applied automatically? Is this dependent on whether the Policy Type is Custom or not?

For Version BIG-IP 12.1.2 Build 2.119.276 Engineering Hotfix HF2

1 Reply

  • b. Yes, response codes are part of learning, meaning you should see a learning suggestion for the 410. It is flagged as "Illegal" because 410 is not allowed by default when you use the Fundamental policy. You can add 410 via the security policy properties screen, or accept the suggestion, which should be to add it as an allowed response code. Because the request which resulted in the 410 came from a trusted IP address, this code will be allowed automatically after the staging period expires. Until then, you will see suggestions for it.

  • c. Yes, these are expected. The Fundamental template includes multiple HTTP RFC compliance checks. By default, the automatic policy you created was in blocking mode, but you changed it to transparent (not a bad thing), so the suggestion is to turn on blocking. You can also disable the "learn" or "block" checkbox for these violations (and any violation) if it makes sense for your app.

  • d. Changes will be applied automatically AFTER the learning period has expired. Even for trusted IP addresses, there are still metrics involving how many requests need to be sent before changes will be applied. You can see these metrics in the policy building section of the Learning and Blocking Settings page.