waf policy analysis
3 Topics

F5 ASM/AWAF – violations logged but no learning suggestions generated
Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

Setup:
- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)
- "Illegal Parameter" violation has Learn + Alarm + Block all enabled
- Parameter learning mode is set to Always
- Violations are appearing correctly in the event logs
- No blocked IP address exceptions

The Problem: Despite all of the above, no learning suggestions are being generated for the illegal parameter violations except one on the Traffic Learning page.

What I noticed: After digging through the logs, I found a pattern:
- The one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated
- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

My question: Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here? Has anyone run into this and found a workaround other than manually adding parameters from the event log?

Thanks in advance.

210 Views, 0 likes, 3 Comments

Exceed Timeout in Event Logs WAF
I have an issue with a customer WAF. In the Event Logs, it shows me an error in the "triggered violation" (I attached a screenshot), and the request shows the status: illegal. We modified the maximum limit from 500 to 1000, as recommended by the F5 docs, and a traffic test was carried out again and the request status is: legal, but the registration of this traffic in the Event Logs took 3 minutes, which is too much. Any recommendation on how to resolve this? Greetings Friends :)

134 Views, 0 likes, 3 Comments

How to check the disabled rules in ASM Policy
Hi Experts, we would like to know the allowed/disabled URLs or parameters configured for the specific ASM policy. Example: www.example.com is the URL for which I would like to know the rules applied. How can I check this? Is there any way I can pull the detailed configuration of the ASM policy from the CLI?

140 Views, 0 likes, 1 Comment