Draco,
In regards to attack signatures, staging and enforcement readiness: if an attack signature is in staging, it will not block a request which matches the attack pattern. That goes for all entities in staging, irrespective of the policy mode, transparent or blocking.
During the enforcement readiness period, ASM will monitor what signatures are triggered, properties of entities (such as parameters), and other violations. If no violations occur for that period, then ASM recommends that they can be enforced, i.e. taken out of staging. Any violations will now be blocked (if in blocking mode). If violations do occur, then as an administrator you have to make a decision on what loosening to perform, if any. If you don't select Enforce, then the objects remain in staging.
In regards to learning, this is all to do with the violation settings (Learn, Alarm and Block). If a violation occurs and the violation has Learn enabled, then the Manual Traffic Learning area of the GUI will identify the entity which triggered the violation. For example, if you received Illegal File Type, then it will show the specific file type. However, with URLs, parameters and file types you have to specify the Explicit Entities learning configuration. This can be Never (wildcard), All Entities and Selective. If file type is set to Never, then it will never trigger Illegal File Type. It will with All Entities. With Selective, it will only learn a new file type if it violates the wildcard properties, i.e. URL length. That way you can loosen the policy on a specific file type, rather than on the wildcard.
Hope this helps
N