I use F5-ASM, and it is learning from my traffic now, but as far as I saw, it catches only low severity rules.
Are there any options in F5-ASM to set all high/medium severity rules to block state without traffic learning?
Has anyone done something like this?
Not sure if we are talking about the same thing, but in ASM you have both "Attack Signatures" and "Violations". If the problem is with the "Attack Signatures", then you can modify your ASM policy to trigger only on the following "Attack Signatures" categories:
Signature Set Name:
High Accuracy Signatures
Medium Accuracy Signatures
To do this, you have to go to "Security ›› Application Security : Policy Building : Learning and Blocking Settings", click on the "Change" button under "Attack Signatures", and replace the existing ones with the above categories.
Sorry, Attack Signatures.
So I would like to block all high/medium attack signatures without traffic learning.
Will it solve it?
Exactly. If you want to limit false positives, you may select only medium and high accuracy attack signatures.
Once the learning period has ended, you will need to take two steps to put your policy in blocking mode:
first, you have to enforce the "Attack Signatures" entity (which means that you will move it from Staging to Enforced state)
second, you need to switch the ASM policy from "Transparent" to "Blocking" mode
Hope it helps
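The checklist from the answer above, written as a small audit function. This is an added example, not part of the original thread and not F5 code: the dictionary layout and field names (`signature_sets`, `block`, `signature_staging`, `enforcement_mode`) are assumptions that model the GUI settings, not F5's export or REST schema, and both sample policies are constructed.

```python
# Signature sets named in the answer above.
WANTED_SETS = ("High Accuracy Signatures", "Medium Accuracy Signatures")


def blocking_gaps(policy):
    """Return the reasons attack signatures in this policy would not block yet."""
    gaps = []
    assigned = {s["name"]: s for s in policy["signature_sets"]}
    for name in WANTED_SETS:
        sig_set = assigned.get(name)
        if sig_set is None:
            gaps.append(f"signature set not assigned: {name}")
        elif not sig_set.get("block", False):
            # Models the per-set Block checkbox in Learning and Blocking Settings.
            gaps.append(f"Block not selected for set: {name}")
    if policy["signature_staging"]:
        gaps.append("attack signatures are still in Staging, not Enforced")
    if policy["enforcement_mode"] != "blocking":
        gaps.append(f"enforcement mode is {policy['enforcement_mode']!r}, not 'blocking'")
    return gaps


# Constructed sample: a policy that is still in its learning period.
LEARNING_POLICY = {
    "enforcement_mode": "transparent",
    "signature_staging": True,
    "signature_sets": [{"name": "Generic Detection Signatures", "block": True}],
}

# Constructed sample: the same policy after the steps described in the thread.
READY_POLICY = {
    "enforcement_mode": "blocking",
    "signature_staging": False,
    "signature_sets": [
        {"name": "High Accuracy Signatures", "block": True},
        {"name": "Medium Accuracy Signatures", "block": True},
    ],
}

if __name__ == "__main__":
    for label, pol in (("learning", LEARNING_POLICY), ("ready", READY_POLICY)):
        gaps = blocking_gaps(pol)
        print(label, "->", "will block" if not gaps else "will NOT block")
        for gap in gaps:
            print("   -", gap)
```

Any single remaining gap means a matching request is at most logged, so the function reports every gap rather than stopping at the first.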