
Objective of Learning mode in ASM

HoussNet
Altostratus

Hi,
I am new to F5 ASM.

As I think, ASM can block attacks by itself based on many rules and signatures. So my question is: what's the objective of the integrated Learning Mode in a Security Policy?

Thanks

5 REPLIES

Hi @HoussNet,
Learning mode in F5 ASM is only a concept, not an indication that F5 ASM will block or permit malicious traffic.
F5 ASM blocks/allows traffic based on:

- Transparent/Blocking mode.
- Whether the "Block" option is enabled or not under each item on the Blocking and Learning Settings page.
- Whether there is a staged entity or not in staging.

So F5 takes a block action if you configure:
- policy mode: Blocking
- enable the "block" option under the needed items/entities (file types, URLs, attack signatures, parameters, etc.)
- disable Staging under the needed items (attack signatures) or learned entities (parameters, file types, URLs, etc. and their wildcards "*")

F5 allows traffic if you change the policy mode to Transparent, even if it is malicious traffic; this is for the whole policy, and I think this is the option that you call "Learning mode".
Also, if you are in Blocking mode and have disabled the "block" option under items/entities located on the Blocking and Learning Settings page, F5 allows any traffic that violates those entities/items. Also, if you enabled Staging under an entity, it does not take a block action against it if you configure your policy in Blocking mode .. OK!

I also want to say that F5 can learn entities from traffic in Blocking mode; this depends on whether you enable the "learn" option under each item/entity.

Read this article to find out more about F5 ASM:

 https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/25.h...

Your question is very generic. Please let me know if you have another point of view, or clarify your request further.

Regards 

_______________________
Regards
Mohamed Kansoh
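
The three conditions listed in the reply above, worked through as an added example (not part of the original posts and not F5 code). The policy structure and key names (`mode`, `block`, `staging`, `learn`) are a simplified, constructed model and are assumptions, not the BIG-IP export or REST schema; the entity names are made up.

```python
# Constructed sample policy; keys are illustrative, not the BIG-IP schema.
SAMPLE_POLICY = {
    "mode": "blocking",  # or "transparent"
    "entities": [
        {"kind": "attack-signature", "name": "sig-sqli-example",
         "block": True, "staging": False, "learn": True},
        {"kind": "attack-signature", "name": "sig-xss-example",
         "block": True, "staging": True, "learn": True},
        {"kind": "file-type", "name": "*",
         "block": True, "staging": True, "learn": True},
        {"kind": "parameter", "name": "user_id",
         "block": False, "staging": False, "learn": True},
        {"kind": "url", "name": "/login",
         "block": True, "staging": False, "learn": False},
    ],
}

def reasons_not_blocked(policy, entity):
    """Return every reason a violation on this entity is allowed through."""
    reasons = []
    if policy["mode"] != "blocking":
        reasons.append("policy mode is transparent")
    if not entity["block"]:
        reasons.append('"block" option is disabled')
    if entity["staging"]:
        reasons.append("entity is in staging")
    return reasons

def audit(policy):
    """Map (kind, name) -> reasons; an empty list means violations are blocked."""
    return {(e["kind"], e["name"]): reasons_not_blocked(policy, e)
            for e in policy["entities"]}

def enforcement_gaps(policy):
    """Entities whose violations are still allowed: review before go-live."""
    return {key: why for key, why in audit(policy).items() if why}

def still_learning(policy):
    """Entities with "learn" enabled; learning does not depend on the mode."""
    return [(e["kind"], e["name"]) for e in policy["entities"] if e["learn"]]

if __name__ == "__main__":
    for (kind, name), why in audit(SAMPLE_POLICY).items():
        verdict = "BLOCK" if not why else "ALLOW (" + "; ".join(why) + ")"
        print(f"{kind:17} {name:18} {verdict}")
```
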

Hi @Mohamed_Ahmed_Kansoh 

Thanks for your reply. For me, I'm confused between Staged mode and Learning mode.

I will read your shared article.

Best Regards

@HoussNet,
If I enable Staging for an attack signature or any of the entities, I tell F5 ASM: "Do not block traffic that violates this attack signature or matched entity."

Learning mode is what we call the concept when our service is still under testing, not on air or a production service for all users, and of course you should enable staging in this mode, to learn traffic without the interruption of blocking legitimate traffic.

You can enable Staging for entities as a way, in the process of learning, to make F5 not block any traffic that violates these entities, and when the learning period completes you can enforce ("Disable Staging") these entities; this depends on the type of learning (Automatic/Manual).

I want to say that Staging is one of 3 ways that permit/allow traffic that matches any of the staged entities or attack signatures.

I hope you have gotten it now.
Feel free to reach out to me.

Regards

_______________________
Regards
Mohamed Kansoh

HoussNet
Altostratus

Thanks Mohamed for sharing your knowledge, I think that many ideas became clear in my mind.

Best Regards

That's great news, go on brother.

_______________________
Regards
Mohamed Kansoh