Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Violation appearing in the event logs but not ASM learning suggestions

Hi,

I've gone through DevCentral so I know similar questions have been asked, but none have the right answer.

When I type this URL: [HTTPS] /en/ty.exe, I get a violation/ support ID for the following:

Detected Violations

Illegal file type [1]

Illegal URL length [1]

Illegal request length [1]

The traffic is quite rightly blocked, but nothing appears within the learning suggestions.

All of the violations are set to learn in the "learning & block settings".

The policy is in manual learning with a

Does everything that appears in the event logs not create a learning suggestion even if you've got it set to do so?

Is this decided by the ASM policy learning speeds? (Fast, enhanced and comprehensive)

Image Text Image Text Image Text

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In learning page, click on filter / advanced and move the cursor from 5 to 0!

Default learning suggestion under 5% are not displayed!

0
Comments on this Answer
Comment made 4 weeks ago by Frank Nsubuga 163

Hi Stanislas,

I tried that and it wasn't the case.

Looks like they have something in place to not provide learning suggestions for users from certain IPs (works fine for external users). I've checked the IP address exceptions and there's nothing there for their IP.

Any thoughts?

0
Comment made 4 weeks ago by Frank Nsubuga 163

As a note, it's an F5 in Azure.

They copied their ASM policies from a previous Azure F5 running 12.1.1 and they weren't having this issue.

No learning suggestions are generated from their internal IPs, but it can be generated from external ones.

0