suggestions
2 Topics

"Have Suggestions" Vs "Ready To Be Enforced"
Hi, I am hoping to clarify my understanding of the 2 categories, "Have Suggestions" and "Ready to be Enforced", on the Enforcement Readiness page for an ASM policy.

My thoughts at this stage are that those in "Ready to be Enforced" have not been triggered for the defined period of time and as a result should be able to be enforced with very little likelihood of causing an issue for real traffic. What appears in the "Have Suggestions" category has triggered alarms, and each of these items should be individually reviewed to ensure it is a false positive or normal application behaviour (in this case Disable) or, if the attempt is malicious, to ensure that the rule is enforced.

Any clarification of this information would be greatly appreciated. I have a policy with hundreds of 'Ready to be Enforced' items and I want to enforce all; however, I am concerned that my understanding may be incorrect and that this could cause an issue if I enforce these items on the ASM policy.

Thank you in advance.

1.6K Views, 0 likes, 2 Comments

F5 ASM/AWAF – violations logged but no learning suggestions generated
Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

Setup:
- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)
- "Illegal Parameter" violation has Learn + Alarm + Block all enabled
- Parameter learning mode is set to Always
- Violations are appearing correctly in the event logs
- no blocked IP addresses exceptions

The Problem:
Despite all of the above, no learning suggestions are being generated for the illegal parameter violations except one on the Traffic Learning page.

What I noticed:
After digging through the logs, I found a pattern:
- the one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated
- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

My question:
Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here? Has anyone run into this and found a workaround other than manually adding parameters from the event log?

Thanks in advance.

96 Views, 0 likes, 3 Comments