As I think, ASM can block attacks by himself based on many rules and signatures. So my question is what's the objectif of integrated Learning Mode inSecurity Policy ?
@HoussNet , If I enable Staging for Attack signature or any of Entities , I Tell F5 ASM " Do not Block traffic violates this attack signature/or matched entity "
Learning mode is a concept we call it when our service still under testing not on air/or production service for all users , and ofcourse you should enable statging in this mode , to learn traffic without interruption of blocking a legitimate traffic.
you can enable Staging for Entites as way in the process of learning to make F5 not to Block any traffic violates these Entites , and when learning period completes you can enforce " Disable Staging" these Entity , this depends on what the type of learning ( Automatic/Manual) Learning.
I want to say that Staging is one of 3 ways permits/allows traffic that match any of staged entites or attack signatures.
I hope you have gotten it now. Feel free to reach out with me.
Hi @HoussNet , Learning mode in F5 ASM : is only a Concept not an indication that F5 ASM will block or permit malicious traffic. F5 ASM blocks/allows traffic based on :
>Transparent/Blocking mode.
> "Block" option enabled or not under each item in blocking and learning settings page.
> if there Staged entity or not in statging.
So F5 takes block action if you configure : - policy mode : Blocking - enable "block" option under needed items/Entities ( File types , urls , Attack signatures , parameters ...etc.) - disable Staging under needed items ( Attack signature ) or learned Entites ( parameters , filetypes , URLs .... etc and thire Wildcards "*" )
F5 Allow traffic if you change Policy mode to be transparent even it was malicious traffic , this for the whole policy and I think this is option that you Call it Learning mode ". Also If you are in Blocking mode and disabled "block" option under items/Entities which locate in ( Blocking and learning settings Page ) F5 allows any traffic violates (entities/items) , also if you enabled Stagging under each entity, if do not take a block action against it if you configure your policy in blocking mode .. OK !
> I want to say Also F5 can learn entities from traffic in blocking mode , this depend on if you enable "learn" option under each Items/Entites.
> Read this Article to find out more about F5 ASM :
@HoussNet , If I enable Staging for Attack signature or any of Entities , I Tell F5 ASM " Do not Block traffic violates this attack signature/or matched entity "
Learning mode is a concept we call it when our service still under testing not on air/or production service for all users , and ofcourse you should enable statging in this mode , to learn traffic without interruption of blocking a legitimate traffic.
you can enable Staging for Entites as way in the process of learning to make F5 not to Block any traffic violates these Entites , and when learning period completes you can enforce " Disable Staging" these Entity , this depends on what the type of learning ( Automatic/Manual) Learning.
I want to say that Staging is one of 3 ways permits/allows traffic that match any of staged entites or attack signatures.
I hope you have gotten it now. Feel free to reach out with me.
