I have configured an ASM with transparent mode and Enforcement Readiness Period is : 7 Days.
However, i notice after 7 days my F5 learn always traffic.
My question : it's normal to receive a learning traffic after the readiness periode is finished ?
If the policy is in transparent mode (this mode does not change if the enforcement readiness period has ended...) then the policy will not block any request/violation. If the "learn" action is active, the system creates learning suggestions for each violation. If there are some objects in staging, the system creates learning suggestions based on this too (if there related violatons).
Please have a look this article
Thank you for your reply.
However, if enforcement readiness period has ended that mean it's normal to receive a learning suggestions for each violation ?
As long as "Learn" is checked for a violation, you will get suggestions. Whatever you're in Transparent or Blocking mode. In Transparent mode, no request is blocked. In Blocking mode, request will be blocked, exception made for entities in Staging, or Violations without the "Block" case checked.
I hope this make sense to you.
Transparent Mode, Enforcement Readiness period and Learning are 3 related but separate things.
Easy one to start with, Transparent Mode is, essentially, non-Blocking. So irrespective of Enforcement Readiness period or whether a violation has the Block flag checked, traffic won't be blocked if it causes a violation.
Enforcement Readiness (sometimes referred to as Staging period) is that length of time that, irrespective of whether the policy is in Transparent Mode or Blocking Mode, the ASM sees the traffic, classes any violations as non illegal and learns what you may want to enable in the policy, should a violation be a false positive. So, this is a period of learning. Say, for example, you build a new policy and it's set to 7 days, then after 7 days you get the opportunity, with one click, to Enforce Ready i.e. if a violation/attack signature etc. was not triggered during this period you can take them out of staging, essentially meaning that if the policy was in Blocking mode, any further traffic of that nature would be blocked.
Learning is a flag that can be checked per violation type so that, should at a later date a violation occur (in Blocking mode) and Learn is enabled on the violation (see Policy Blocking settings) then ASM makes it easy for you to see why it's blocked and, if a false positive, make the required configuration change to ensure traffic is not blocked again. See Traffic Learning section. You don't necessarily need the Learn flag enabled on a violation but on some of them it may make sense and easier to allow in the future. This is all once the Enforcement Readiness period has expired.
Hope this helps,