ghost-rider_124
Feb 25, 2015

F5 ASM Rapid Deployment Learning

Hello Experts

 

After trying automatic learning many times and having a bad experience, I am planning to use Rapid Deployment (manual policy building). Kindly help me understand the below:

 

1- In Rapid Deployment mode, will we not be able to learn URLs, parameters and file types through violations? Or will wildcard tightening for URLs, parameters and file types learn the URLs, parameters and file types, so that finally we can remove the wildcard? Am I right in my understanding?

2- How to expedite the learning speed in manual mode? Meaning, how many times do users have to browse the application for proper learning?

 

17 Replies

  • nathe

    ghost-rider,

     

    In essence the Rapid Deployment Template is just a negative security policy with Dataguard and http/cookie RFC protections really.

     

    URL, parameter and file types are not learned/tightened and they just use the wildcard. Of course you can change this but, by default, this is the setting.

     

    For learning speed, unlike Automatic Policy Builder it will Learn everything it sees, if in Policy Blocking Settings the violation is set to Learn e.g. Attack Signatures (but not illegal file type, for example, as the wildcard is in use). You'll see learned suggestions in the Manual Traffic Learning section.

     

    Might I recommend Manual policy building without using a template. This way you can set how you want file types/urls and parameters to be tightened etc... and get a fuller picture of your web app/app security by testing the application.

     

    Hope this helps,

     

    N

     

  • I am sorry for my ignorance. I think I missed the basic point here. What I want to know is: to populate the allowed URLs, parameters and file types, will wildcard tightening do the magic, OR will enabling learn on the violation (illegal URL, file type etc.) give the learning suggestion, which by accepting and enforcing will populate the allowed URLs, parameters and file types?

     

    • nathe
      Yes, wildcard tightening will populate individual parameters etc... but you'll need learning on the violation to get the violation in the manual learning. Without learn on the violation it will still suggest the parameter, but you'll only see this in the event log.
    • ghost-rider_124
      Thanks a lot! Just one last thing: normally the application guys ask how many times, or how many users for how many days, need to browse the application so F5 can learn the proper URLs, parameters, file types etc. What is your recommendation, as per your experience, for both manual policy and automatic policy? Appreciate your input.
    • nathe
      There's a question. Ask the application guys how big their application is. Seriously though, for both, if you've got good regression testing and you're a trusted IP (for auto) then that'll help. Difficult for me to say really. With manual I judge it on the false positives disappearing.