
Objective of Learning mode in ASM

HoussNet
Altostratus

Hi,
I am new to F5 ASM.

As I understand it, ASM can block attacks by itself based on many rules and signatures. So my question is: what's the objective of the integrated Learning Mode in the Security Policy?

Thanks

1 ACCEPTED SOLUTION

@HoussNet,
If I enable staging for an attack signature or any of the entities, I tell F5 ASM: "Do not block traffic that violates this attack signature or matched entity."

Learning mode is a concept; we call it that when our service is still under testing and not on air or in production for all users. Of course, you should enable staging in this mode, to learn traffic without the interruption of blocking legitimate traffic.

You can enable staging for entities as a way, in the process of learning, to make F5 not block any traffic that violates these entities, and when the learning period completes you can enforce ("Disable Staging") these entities; this depends on the type of learning (Automatic/Manual).

I want to say that staging is one of 3 ways that permit/allow traffic that matches any of the staged entities or attack signatures.

I hope you have gotten it now.
Feel free to reach out to me.

Regards

_______________________
Regards
Mohamed Kansoh


6 REPLIES

Hi @HoussNet,
Learning mode in F5 ASM is only a concept, not an indication that F5 ASM will block or permit malicious traffic.
F5 ASM blocks/allows traffic based on:

> Transparent/Blocking mode.

> Whether the "Block" option is enabled or not under each item in the Blocking and Learning Settings page.

> Whether there is a staged entity in staging or not.

So F5 takes a block action if you configure:
- policy mode: Blocking
- enable the "block" option under the needed items/entities (file types, URLs, attack signatures, parameters, etc.)
- disable staging under the needed items (attack signatures) or learned entities (parameters, file types, URLs, etc., and their wildcards "*")

F5 allows traffic if you change the policy mode to Transparent, even if it was malicious traffic; this is for the whole policy, and I think this is the option that you call "Learning mode".
Also, if you are in Blocking mode and have disabled the "block" option under the items/entities located in the Blocking and Learning Settings page, F5 allows any traffic that violates those entities/items. Also, if you enabled staging under each entity, it does not take a block action against it if you configure your policy in Blocking mode... OK!

> I also want to say that F5 can learn entities from traffic in Blocking mode; this depends on whether you enable the "learn" option under each item/entity.

> Read this article to find out more about F5 ASM:

 https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/25.h...

Your question is very generic. Please let me know if you have another point of view, or clarify your request further.

Regards 

_______________________
Regards
Mohamed Kansoh
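
The three conditions listed in the reply above, applied as an audit over a whole policy. This is an added example, not part of the original thread and not F5 code: the `Item` fields, the policy dictionary layout and the sample names are assumptions made for illustration, not an F5 export format.

```python
from dataclasses import dataclass

@dataclass
class Item:
    kind: str     # "attack-signature", "parameter", "url", "filetype", ...
    name: str     # constructed sample name; "*" stands for a wildcard entity
    block: bool   # "Block" option for this item (Blocking and Learning Settings)
    learn: bool   # "Learn" option for this item
    staged: bool  # True while staging is still enabled

def reasons_not_blocking(policy_mode: str, item: Item) -> list[str]:
    """Every condition from the reply that prevents a block for this item."""
    reasons = []
    if policy_mode.lower() != "blocking":
        reasons.append("policy mode is not Blocking")
    if not item.block:
        reasons.append('"Block" option disabled')
    if item.staged:
        reasons.append("still in staging")
    return reasons

def audit(policy: dict) -> dict:
    """Map 'kind:name' -> reasons, for each item that would NOT block."""
    report = {}
    for item in policy["items"]:
        reasons = reasons_not_blocking(policy["mode"], item)
        if reasons:
            report[f"{item.kind}:{item.name}"] = reasons
    return report

def still_learning(policy: dict) -> list[str]:
    """Items with "Learn" enabled; per the reply this also applies in Blocking mode."""
    return [f"{i.kind}:{i.name}" for i in policy["items"] if i.learn]

# Constructed sample policy (hypothetical layout, not an F5 export).
SAMPLE_POLICY = {
    "mode": "Blocking",
    "items": [
        Item("attack-signature", "sample-sig-a", block=True, learn=True, staged=False),
        Item("attack-signature", "sample-sig-b", block=True, learn=True, staged=True),
        Item("parameter", "*", block=True, learn=True, staged=True),
        Item("filetype", "php", block=False, learn=False, staged=False),
    ],
}

if __name__ == "__main__":
    for key, why in audit(SAMPLE_POLICY).items():
        print(f"NOT ENFORCED  {key}: {', '.join(why)}")
    print("learning:", ", ".join(still_learning(SAMPLE_POLICY)))
```

An empty `audit()` result means every listed item meets all three conditions for a block action; anything it returns is traffic the policy would let through, with the reason attached.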

Hi @Mohamed_Ahmed_Kansoh 

Thanks for your reply, for me I'm confused between Staged mode and Learning mode.

I will read your shared article

Best Regards


HoussNet
Altostratus

Thanks Mohamed for sharing your knowledge, I think that many ideas became clear in my mind.

Best Regards

That's great news, go on brother.

_______________________
Regards
Mohamed Kansoh

SandraDuffy
Nimbostratus

Realistic policies must be created and based on the environment of your organization. Create a backup timetable that works for your agency's needs and workload in any circumstance.
