Forum Discussion

draco_184361
Oct 03, 2017

Testing and learning F5 ASM

I am very confused regarding staging and enforcement.


Suppose I built a policy, enforcement readiness is set to 1 day, and enable signature staging is set to yes. After one day, when I check and try a script tag, it gets blocked based on the policy set under parameter. But all the parameters are still under staging and all the attack signatures are under staging. So when the enforcement period is over, all parameters, URLs etc. are still under staging. So any blocking that we see is only because of the policy building -> learning and blocking settings, right? What do you suggest is the best practice? Learning all URL parameters w.r.t. the website and posing respective restrictions along with the global policy setting? In order to do that, we need to move all the learnt URLs and parameters to enforced mode, right?


Once we move to blocking mode, will it still learn new parameters? Or do we have to change under learning and blocking settings -> under parameters -> learn new parameters -> and set to always? While doing that option, newly learnt parameters are automatically given the type "ignore value" and not the proper type, i.e. the "user-data value". If I change it manually, it gives a warning that it will stop automatically giving a parameter type to learnt parameters. My question here is: will it still learn new parameters once I have updated the previously learnt parameter type?


Hopefully someone could help me out. Thank you.


1 Reply

  • nathe

    Draco,


    In regards to attack signatures, staging and enforcement readiness: if an attack signature is in staging, it will not block a request which matches the attack pattern. That goes for all entities in staging, irrespective of the policy mode, transparent or blocking.


    During the enforcement readiness period ASM will monitor what signatures are triggered, properties of entities (such as parameters), and other violations. If no violations occur for that period then ASM recommends that they can be enforced, i.e. taken out of staging. Any violations will now be blocked (if in blocking mode). If violations do occur then as an administrator you have to make a decision on what loosening to perform, if any. If you don't select Enforce then the objects remain in staging.


    In regards to learning, this is all to do with the violation settings (Learn, Alarm and Block). If a violation occurs and the violation has Learn enabled then the Manual Traffic Learning area of the GUI will identify the entity which triggered the violation. For example, if you received Illegal File Type then it will show the specific file type. However, with URLs, parameters and file types you have to specify the Explicit Entities learning configuration. This can be Never (wildcard), All Entities and Selective. If file type is set to Never then it will never trigger Illegal File Type. It will with All Entities. With Selective, it will only learn a new file type if it violates the wildcard properties, i.e. URL length. That way you can loosen the policy on a specific file type, rather than on the wildcard.


    Hope this helps


    N
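As an added illustration that is not part of this thread and not F5 code, the Python model below encodes the rules nathe describes so the combinations can be tabulated and checked: a staged entity never blocks, Block only acts when the policy is in blocking mode and the entity is enforced, Alarm and Learn act regardless, enforcement readiness is only a recommendation until an administrator clicks Enforce, and the Never / All Entities / Selective explicit-entity learning modes decide whether a new entity is suggested. All class and function names are my own, and the model simplifies ASM's real evaluation order to the points made in the reply.

```python
"""Toy model of ASM staging, policy mode, violation flags and explicit learning.

Illustrative only: it follows the rules summarised in the reply above and is
not F5's implementation. Names and structure are assumptions of this example.
"""
from dataclasses import dataclass
from enum import Enum


class PolicyMode(Enum):
    TRANSPARENT = "transparent"
    BLOCKING = "blocking"


class ExplicitLearning(Enum):
    NEVER = "never"          # wildcard only, no per-entity suggestions
    ALL = "all"              # every new entity is suggested
    SELECTIVE = "selective"  # suggested only when the wildcard is violated


@dataclass(frozen=True)
class ViolationSettings:
    """The Learn / Alarm / Block checkboxes for one violation type."""
    learn: bool
    alarm: bool
    block: bool


@dataclass(frozen=True)
class Entity:
    """A policy entity (parameter, URL, file type, signature) and its staging state."""
    name: str
    staged: bool


@dataclass(frozen=True)
class Outcome:
    blocked: bool
    alarmed: bool
    learning_suggestion: bool


def evaluate_violation(mode: PolicyMode, entity: Entity,
                       settings: ViolationSettings) -> Outcome:
    """Outcome of a request that violates `entity` under the given policy."""
    # Alarm and Learn act regardless of mode or staging; only Block is gated
    # by blocking mode AND the entity being out of staging.
    alarmed = settings.alarm
    learning = settings.learn
    blocked = settings.block and mode is PolicyMode.BLOCKING and not entity.staged
    return Outcome(blocked, alarmed, learning)


def ready_to_enforce(days_observed: int, readiness_period_days: int,
                     violations_seen: int) -> bool:
    """Whether ASM would recommend taking an entity out of staging.

    Staging does not end on its own: the entity stays staged until an
    administrator selects Enforce; this helper only models the recommendation.
    """
    return days_observed >= readiness_period_days and violations_seen == 0


def learns_new_entity(mode: ExplicitLearning, wildcard_violated: bool) -> bool:
    """Whether a previously unseen entity (e.g. a file type) gets a suggestion."""
    if mode is ExplicitLearning.NEVER:
        return False
    if mode is ExplicitLearning.ALL:
        return True
    return wildcard_violated  # SELECTIVE: only when the wildcard properties fail


def staging_matrix(settings: ViolationSettings) -> dict:
    """Tabulate blocked/not for every (policy mode, staged) pair."""
    table = {}
    for mode in PolicyMode:
        for staged in (True, False):
            out = evaluate_violation(mode, Entity("sig", staged), settings)
            table[(mode.value, staged)] = out.blocked
    return table


if __name__ == "__main__":
    # Constructed scenario matching the original question: signature staging
    # enabled, readiness period of 1 day, policy switched to blocking mode.
    sig = ViolationSettings(learn=True, alarm=True, block=True)
    for key, blocked in staging_matrix(sig).items():
        print(key, "blocked" if blocked else "passes (alarm/learn only)")
    print("ready after 1 day, no hits:", ready_to_enforce(1, 1, 0))
    print("ready after 1 day, 3 hits: ", ready_to_enforce(1, 1, 3))
    print("selective learning, wildcard ok:", learns_new_entity(ExplicitLearning.SELECTIVE, False))
```

Running the script prints the four mode/staging combinations; only ("blocking", False), i.e. blocking mode with an enforced entity, actually blocks, which is the point of the questioner's observation that everything still in staging is logged rather than stopped.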