Forum Discussion

EvilRootSa_2832's avatar
EvilRootSa_2832
Icon for Nimbostratus rankNimbostratus
Oct 06, 2009

Setting up learning in the ASM

Just curious. I am working on enabling learning on my ASM 9.4.4. It might sound Newbish, but what would be the benefit to the learn feature? Would this feature be best to begin building out your security policys on the ASM?

4 Replies

  • Hi,

     

     

    There are probably a few schools of thought on this. F5 is trying to provide automated tools to build a policy (the policy builder). For our customers, we use the Traffic Learning tool and manual policy edits instead as these methods provide fairly granular and specific ways to modify the policy. The automated tools have improved a lot in recent versions, so you might want to give that a try too.

     

     

    The Getting Started guide and the Configuration Guide should give you some background on your options:

     

     

    BIG-IP Application Security Manager: Getting Started Guide

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_get_start_10.html

     

     

    Configuration Guide for BIG-IP Application Security Management

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10.html

     

     

    Aaron
  • Thanks Hoolio.

     

     

    We are running 9.4.x. Also, if the ASM module is disabled, isent learning disabled along with it? Can learning be enabled while ASM is disabled?

     

     

  • Learning and blocking are configurable per violation type. You can put all checks in transparent mode or just some checks. If one or more checks are in transparent mode, ASM can still provide learning suggestions without blocking a request or response which triggers the violation.

     

     

    You can configure this per policy under App Security | Policy | Blocking | Settings. Note the three columns on the right: Learn, Alarm and Block. The online help and the ASM Configuration Guide provide additional detail on these options.

     

     

    Aaron
  • Learning feature is great when developing a new policy. For examploe, most of the times you don't get the correct paramater data types from the programmers and learning let you to easily add new exceptions. Also, when blocking non-existing objects, etc.

     

     

    I recommend you to give it a try!

     

     

    Javi.