No Learning Suggestions But could see Violations in the event logs

Question

Hi All,&nbsp;In our environment we are in process of implementing the ASM policies. For few Policies we are not seeing any learning suggestions. But there are legal and illegal requests but no learning suggestios.&nbsp;The learning mode is automatic and learning speed is medium. I double checked that all violations are enabled for learn in learning and blocking settings.&nbsp;The&nbsp;Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions.&nbsp;Thanks in Advance!&nbsp;&nbsp;

mohamed_ahmed_kansoh · Accepted Answer

Hi&nbsp;karthicksankark&nbsp;,&nbsp;&gt;&gt;&gt; your Q :&nbsp;The&nbsp;Enforcement Readiness Period is 7 days. After 7 days ony I started looking into the learning suggestions will that be a cause. if so how can i see the current suggestions. ?&nbsp;Answer : No , you should see suggestions, and let me explain.&nbsp;First what is the Learning mode that you're using in each Entity ( Entity means &gt;&gt; File types , parameters , URLs ) Learn mode contains ( Never ( Wildcard only ) , selective , Always , and Compact ).&nbsp;If you want to learn everything in your AWAF , you need to modify it to Always , to see suggestion from each request. and make sure you enable ( Learn Check box ) for each entity.Also Make sure to enable learn check box in ( Evasion Technique , http compliance and attack signatures )&nbsp;Till here I answered your Questions of how to get suggestions.&nbsp;For more info about learning modes , Refer to this Article :&nbsp;https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/refining-security-policies-with-learning.htmlSpecially this part :&nbsp;Also Listen to this Video :&nbsp;https://www.youtube.com/watch?v=6Qi6kX6iyJ0After that let me know , if you need anything.&nbsp;I hope that helps you , GoodLuck 🙂&nbsp;

jimsellers · Answer

I personally dont like the automatic learning modes due to the fact that if a hacker or someone meaning to do harm to your system all they need to do if generate enough traffic from different IP addressses and it will automatically be added to your policy.&nbsp; have you checked if alarm and learn are both checked since I have seen learning suggestions not pop when the alarm is not set ? also if you have told ASM in the past to forget about the event it will not show back up.&nbsp;

mohamed_salah_ · Answer

Hello,
since you are using automatic learning mode, that's means when F5 generates a learning suggestion and its score reaches 100%, F5 will automatically accept this suggestion without waiting for your interception. you can check the policy history to check the changes that are made.
Also, there are some violations that are triggered as illegal requests in the event logs but F5 doesn't generate suggestions for them, you can check the below link for this point:
https://my.f5.com/manage/s/article/K17191923
last point, inside the policy building settings (learning and blocking settings), you can change the mode to advanced for "policy building process" and expand the options section. you will find " HTTP Response Status Codes used to learn traffic" and the default values are 1xx 2xx and 3xx. which means F5 will learn and generate a suggestion for these responses only. you can check the response code for the requests in the event logs, and add response codes in this box accordingly to see the suggestions.
&nbsp;
Thanks,
Salah

karthicksankark · Answer

Hi Thanks for the heads up on the risk in the automatic learning mode. Will opt for manual learning mode.

I double checked the entities that have both learn and alarm enabled.

In the logging I have used log illegal requests profile.

Thanks,

Karthick

karthicksankark · Answer

Thanks&nbsp;Mohamed&nbsp;for the detailed information.&nbsp;I afraid to set the learning mode to always. Will it impact on ASM performance ? If not I can make the changed and observe.&nbsp;Thanks,&nbsp;Karthick Sankar&nbsp;

mohamed_ahmed_kansoh · Answer

It's not really that impact,&nbsp;Let we try another thing,&nbsp;First &gt;&gt;&gt; Learning suggestions &gt;&gt; will appear with some samples of traffic that violate the setting of&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( HTTP Compliance , Evaison Technique and attack signatures ) and Wildcard setting of ( File types , Parameters , URL ).&nbsp;So you sould see learning suggestions , it appears with high number if your change the Learn mode to always that's right.&nbsp;Second &gt;&gt;&gt; Tell me about the Violations that appear to you without learning suggestions , could you please to send the violation name.&nbsp;But again any request violates the ASM policy and blocking settings should appear in suggestions but with some samples of that request not only one sample of it.&nbsp;Third &gt;&gt;&gt; make sure that you haven't selected Compact method in learning mode , make sure it's ( Never , Always or selective )..&nbsp;Try that and tell me.

Forum Discussion

No Learning Suggestions But could see Violations in the event logs

9 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Community Learning Path: Multi-Cloud Networking

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

Community Learning Path: Web Application and API Protection (WAAP)

Violation not ASM learning suggestions

How To learn F5 for beginner