Forum Discussion

dromerot's avatar
dromerot
Icon for Nimbostratus rankNimbostratus
Aug 16, 2020

F5 ASM - Compact Learning

Hi,

 

I have configured a manual policy with the Compact learning for parameters but it doesn't add parameters to the list. However, wildcard parameter is changed with suggestions. I think it's working like Never (Wildcard Only) learning, why?

 

On the other hand, I've read in K74535942 that the policy must include the following:

  • Most commonly used entities
  • Disallowed file types
  • Top-level URLs, such as /abc/*

 

https://support.f5.com/csp/article/K74535942

 

How can I include these requirements in the security policy?

 

Thanks, best regards.

ASM Advanced WAF
security

7 Replies

Sort By
  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Icon for Employee rankEmployee
    Aug 19, 2020

    Hello,

     

    Compact mode doesn't remove pure wildcard parameter, while it adds additional parameter as soon as their score becomes 100%. You can also look at https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/24.html for more details.

    In general it based on next principle - if you get a lot of traffic with the same parameter, then such parameter will be added to policy as explicit, but if you get a lot of different parameters, then such parameters will be "union" into pure wildcard parameter (pure wildcard parameter will be adjusted to their values).

     

    If your pure wildcard parameter was changed, then this means that you get a lot of different parameters and don't get a lot of traffic with the same parameter.

     

    Thanks, Ivan

     

  • dromerot's avatar
    dromerot
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2020

    Hi,

     

    I don't understand. I have a security policy with manual learning. Docs say "For Manual learning, the system suggests adding explicit entities that match the * wildcard file type."

     

    However, I only have the * wildcard file type and the * wildcard parameter. The learning method selected for file type and parameters is Compact. There is no other parameter or file type.

     

    Where can I see the score of parameters to know if there has been lots of traffic?

     

    Thanks, best regards.

    • Ivan_Chernenkii's avatar
      Ivan_Chernenkii
      Icon for Employee rankEmployee
      Aug 21, 2020

      Hello,

       

      You can look at https://devcentral.f5.com/s/question/0D51T00007gbt0FSAQ/asm-not-automatic-learning-url-file-type-and-paramater?tag=ASM&page=1. May be it will help you in understanding how learning score counted.

       

      What configuration of "Policy Building Process" on "Security ›› Application Security : Policy Building : Learning and Blocking Settings" do you have?

       

      By default, in Compact mode, you won't see any suggestion for new entities in Traffic Learning until it's score becomes 100%.

      If you want to change default 100% showing threshold, then you can do it via changing value of add_entity_min_score setting in /etc/ts/pabnagd/pabnagd.cfg (don't forget to restart asm after that).

       

      Thanks, Ivan

  • dromerot's avatar
    dromerot
    Icon for Nimbostratus rankNimbostratus
    Aug 24, 2020

    Hi Ivan,

     

    my policy building process were All IP Addresses for Trusted IP Addresses, and 20 different sources, 1 hour and 7 days for Untrusted Traffic. I've changed to an Address List with my IP address for Trusted IP Addresses and I already see suggestions for parameters. Thanks a lot!

     

    However, what is the difference between Compact and Selective mode? Compact mode removes wildcard parameter and Selective mode doesn't remove the wildcard parameter? This is the only difference? When the wildcard parameter is removed? How much time have to pass to remove the wildcard parameter?

     

    Thanks, best regards.

    • Ivan_Chernenkii's avatar
      Ivan_Chernenkii
      Icon for Employee rankEmployee
      Aug 24, 2020

      No, Compact mode shouldn't remove wildcard parameter.

       

      The difference between Selective and Compact mode is that in Selective mode we always add new entity in case of no match with pure wildcard settings, while in Compact mode we add only most common used entities, while for all other entities we try to adjust pure wildcard settings (if possible).

       

      So, e.g. in Selective mode you can get situation when you will see 50 suggestions to add new entities with score 10% (long tail) and 3 suggestions to add new entities with score 100% (most common) in Traffic learning - in such case policy will be changed by adding 3 new entities and no changes for long tail until 100% per each suggestion in it.

       

      For the same case in Compact mode you will see only suggestions to add new entities with score 100% (most common) in Traffic learning , so policy will be changed by adding 3 new entities, but in addition to it, pure wildcard settings can be changed too adjust long tail false positives... e.g. pure wildcard settings will be adjusted in way to resolve 40 from 50 suggestions without any additional false-positives.

       

      Compact mode just provides way to maintain policy with less entities - maintain only most common entities as dedicated entities, while all other entities, which occurs in traffic not so often should be maintained as match with pure wildcard.

       

      Thanks, Ivan