For 13.1.1 Release... Ideally would like an ASM policy that does NOT attempt to learn legal requests but WILL learn illegal requests. I am receiving learning suggestions for illegal redirection domains and valid host names when the requests are legal. Can I fix this to work as I desire by updating Policy Blocking Settings so that -
1. Redirection Domains - Learn New Redirection Domains set to NEVER and Illegal redirection attempt select Learn?
2. Host Names - Not sure if possible as only a checkbox for Learn Valid Host Names.
PS - If a learning suggestion for a Legal redirection domain is offered, and choose IGNORE Suggestion, I know the suggestion will not be offered again. However, will the redirection domain remain legal?
Unfortunately with ASM there is no global setting that can be set to only learn illegal or only learn legal. Traffic learning works by observing requests over time and determining that it is a "legal request" based on how many times it has seen a request. This can backfire if you see the same malicious request so many times. Now you can manually go into learning and blocking settings and uncheck what you do not want to learn. There is a specific checkbox for illegal redirection attempt near the bottom after headers. Traffic learning will only make changes if the policy is set to automatic and you have learning checked and it has seen enough requests that add up to 100 percent. If you do have all of those settings on and you still hit ignore suggestion this will disable automatic learning for that violation, as well as you not seeing anymore of the suggestions stacking up for that particular violation.
I hope I was clear and answered your question. Let me know if you want further guidance on this issue. If this helped please be sure to Accept this answer and upvote.