Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. Application Security Policy Templates in F5 ASM

Comparison: Enforcement Mode, Learning Mode, and Violation Flags

Understanding the interplay between Enforcement Mode, Learning Mode, and Violation Flags is crucial for configuring and maintaining effective application security policies in ASM/AWAF systems.

1. Enforcement Mode

Purpose: Dictates how the system handles violations against the security policy.

  • Transparent (Staging):

    • Logs requests and violations but does not block traffic.

    • Used during the initial policy-building phase.

  • Blocking:

    • Logs and actively blocks violations.

    • Applies when the policy is considered stable and mature.

2. Learning Mode

Purpose: Defines how the system processes learning suggestions based on observed traffic behavior.

  • Automatic Learning Mode:

    • When the Learning Score reaches 100%, the system accepts and enforces most suggestions automatically.

    • Administrators can still manually review and accept suggestions at any time.

  • Manual Learning Mode:

    • Learning suggestions are generated but require manual acceptance by the administrator, regardless of the Learning Score.

  • Disabled Learning Mode:

    • The system does not generate learning suggestions, and policy adjustments are fully manual.

3. Violation Flags

Purpose: Reflects how the system categorizes and reacts to violations.

  • LEARN:

    • Indicates a violation from which the system can generate learning suggestions to refine the policy.

    • No suggestions are created for violations involving unlearnable issues or errors (e.g., malformed requests or invalid URLs).

  • ALARM:

    • Records and logs violations for monitoring purposes but does not block traffic.

  • BLOCK:

    • Actively blocks violations, provided both the Enforcement Mode is set to Blocking and Entity Enforcement is enabled.

Special Case: Unlearnable Violations

  • Definition: Some violations indicate fundamental problems with the request that cannot be learned or refined.

  • Examples:

    • Malformed or illegal HTTP requests.

    • Unauthorized access attempts.

  • Handling:

    • No learning suggestions are created for such violations.

    • The Violation Rating for these is always 5 (highest severity), signaling an immediate threat.

Key Differences

Feature

Enforcement Mode

Learning Mode

Violation Flags

Scope

Determines if violations are logged or blocked.

Governs how learning suggestions are handled.

Represents the response to a violation.

Focus

Enforcement of policies.

Refining and improving policies.

Reacting to violations.

Interaction

Can be Transparent or Blocking.

Can be Automatic, Manual, or Disabled.

Can trigger LEARN, ALARM, or BLOCK actions.

Operational Summary

  1. Automatic Learning Mode: Smoothly transitions into blocking based on a 100% Learning Score, reducing manual intervention.

  2. Manual Learning Mode: Allows full control over policy adjustments but requires administrative oversight.

  3. Unlearnable Violations: Highlight critical issues requiring immediate attention without contributing to policy refinement.

This system provides flexibility in building, enforcing, and refining application security policies effectively.

PreviousHow to Increase Learning Score / Deployment SpeedNextSecurity Entities in Application Security Policy

Last updated 3 months ago