I'm sorry to be so dense, Eric Novak, but maybe explaining it in our situation would help. We have the wildcard entity (*) defined for URLs and file types in our base policy for all apps. At some point in the future, we may tighten policy with more specific wildcards or explicit entities, but for now we want them learned for future use. For wildcard URLs, we likely would never go beyond 2nd level directories, probably not past the first level. Right now, we have Learn All Entities set and we have hundreds of learning suggestions with hundreds to thousands of occurrences of some entities. In the URL learning, for example, how would changing it to Selective or Never Learn change the amount of information presented in Traffic Learning?
As a side note, the reason we're looking at this is because attack signature learning is rolling off too quickly, leaving us with all zeroes in the Recent Incident and Incident columns even if an attack sig violation occurred the previous day. We theorize that the learning suggestions for the wildcards are causing this info to roll off even though they are still in local logs (we only log request violations).
Sorry about the delayed response! So "Add All Entities" (which is called "Always" in v13), will result in a learning suggestion for every entity for which a request has been detected in traffic. This means you will see a suggestion to add a URL or other entity explicitly, which means "by name" to your policy. The problem as you've stated is that this can cause quite a bit of work. So we invented "Selective." This means you will not see a suggestion to add an entity explicitly if a request for it has been detected in traffic--unless the request differs from the attributes or violation types that are specified for said entity in its wildcard. My guess is that the number of learning suggestions you will see for URLs using Selective learning mode will be far less than if using Add All Entities. The trick is to make sure that the attributes/violations for the URL wildcard are general enough that they are sensible for all of the URLs in your application. So, when a request for a URL is much different than what is in your wildcard (thus making that URL an outlier), you should see a learning suggestion to add that one, weird URL explicitly to your policy. You can speed up the process by adding URLs you know you don't want clients to access to the disallowed URLs list.
Thanks Eric, think you've done a better job than me at explaining it :-)
Thanks Eric, between your explanation and the one I got from our VAR, I understand it now. Since our attributes are all set to Any (the wildcard default, I believe), I would think Selective and Add All would give the same suggestions?
cdjac0bsen - with Never, entities are never learned, so all URLs and File Types will match the wildcard and no learning entries will be identified.
With Selective - this is the halfway house between Add All Entities and Never. Basically, if a violation occurs on a file type and you deem it to be a false positive, for example, ASM will learn the particular entity and recommend adding this to the policy and making the relevant policy change to allow the false positive. This could be allowing or disallowing a metacharacter, for example. This saves you loosening the policy on the wildcard. So you get fewer learning entries with Selective.
Hope this helps,
When you say "if you deem it to be a false positive", I don't understand that distinction. The ASM doesn't know what I consider to be a false positive when it adds that entity to the Traffic Learning list. Either it adds an entity to that list or it doesn't, right? In the case of URLs it could change the degree of explicitness I suppose. I need a good illustration of how violations will be treated in Traffic Learning between Learn All and Selective.
Sorry, you're right, ASM won't know. What I mean is, if it is a false positive and you want to add the learning suggestion, rather than enable it on the wildcard, with Selective it will suggest you enable it on the entity itself instead.
Won't Add All suggest you enable it on the entity itself as well? I'm really trying to get at how Add All is different from Selective, especially when it comes to URLs.
Well, the suggestion will be to add the URL by name, regardless of which learning method you use. So it's the "same" suggestion either way. The real question is when you would see the suggestion and why it triggered. Take a look at the violations for URLs on your blocking settings page--they apply to the wildcard as well.
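To make the difference between the three learning modes concrete, here is a small model of the decision logic as the replies above describe it: Add All Entities (v13 "Always") raises a suggestion to add a URL by name for every URL seen in traffic, Selective raises it only when a request differs from the attributes or violations configured on the wildcard, and Never raises none. This is an added example written for this thread, not F5 code and not a description of ASM internals; the `Request`, `Wildcard` types, the mode names, the reduced attribute set (allowed methods plus one metacharacter check), and the sample traffic are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Request:
    """One observed request (constructed sample data, not real traffic)."""
    url: str
    method: str
    has_metachar: bool = False  # URL contained a metacharacter treated as illegal


@dataclass
class Wildcard:
    """Settings on the wildcard URL entity (assumed, simplified attribute set).

    allowed_methods=None models the 'Any' setting from the thread:
    no method is an outlier, so that attribute can never trigger a suggestion.
    """
    pattern: str = "*"
    allowed_methods: Optional[frozenset] = frozenset({"GET", "POST"})
    check_metachars: bool = True  # whether the metacharacter violation is enabled


def violates_wildcard(req: Request, wc: Wildcard) -> bool:
    """True when the request differs from the wildcard's attributes or
    enabled violations, i.e. the URL is an outlier in the sense used above."""
    if wc.allowed_methods is not None and req.method not in wc.allowed_methods:
        return True
    if wc.check_metachars and req.has_metachar:
        return True
    return False


def learning_suggestions(requests: Iterable[Request], wc: Wildcard,
                         mode: str) -> Dict[str, int]:
    """Return {url: occurrences} of 'add this URL explicitly' suggestions.

    mode is one of 'never', 'selective', 'add_all' (called 'Always' in v13).
    The suggestion text is the same in every mode; only the trigger differs.
    """
    if mode not in ("never", "selective", "add_all"):
        raise ValueError(f"unknown learning mode: {mode}")
    if mode == "never":
        return {}
    counts: Counter = Counter()
    for req in requests:
        if mode == "add_all" or violates_wildcard(req, wc):
            counts[req.url] += 1
    return dict(counts)


# Constructed sample traffic: ordinary browsing plus two outliers.
SAMPLE_TRAFFIC = [
    Request("/index.html", "GET"),
    Request("/index.html", "GET"),
    Request("/index.html", "GET"),
    Request("/login.php", "GET"),
    Request("/login.php", "POST"),
    Request("/search.php", "GET", has_metachar=True),   # illegal metachar
    Request("/admin/export.php", "PUT"),                # method not allowed
]


def compare_modes(requests: Iterable[Request], wc: Wildcard) -> Dict[str, int]:
    """Number of distinct URL suggestions each mode would raise."""
    reqs = list(requests)
    return {m: len(learning_suggestions(reqs, wc, m))
            for m in ("never", "selective", "add_all")}


if __name__ == "__main__":
    default_wc = Wildcard()
    any_wc = Wildcard(allowed_methods=None, check_metachars=False)
    print("default wildcard:", compare_modes(SAMPLE_TRAFFIC, default_wc))
    print("wildcard set to Any:", compare_modes(SAMPLE_TRAFFIC, any_wc))
    print("selective suggestions:",
          learning_suggestions(SAMPLE_TRAFFIC, default_wc, "selective"))
```

In this model, Add All produces one suggestion per distinct URL regardless of the wildcard, while Selective only surfaces `/search.php` and `/admin/export.php`, the two requests that trip something on the wildcard. Loosening every wildcard attribute to Any, as asked about earlier in the thread, drives the Selective count in the model to zero, because nothing can differ from a wildcard that accepts everything; whether that matches your appliance's exact behaviour should be confirmed in Traffic Learning rather than taken from this illustration.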