Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. Tuning Security Policies: Analyzing and Categorizing Violations

Learning Suggestions in Security Policy Tuning

Learning suggestions are valuable tools for refining and enhancing security policies in BIG-IP ASM/AWAF systems. They are generated based on real traffic and violations detected during the learning phase. The system's goal is to help automate and streamline policy development while ensuring the security posture of web applications is both effective and not overly restrictive.

Here’s a breakdown of the various actions you can take when reviewing learning suggestions:

1. Accept

  • Action: Accepting a learning suggestion means updating the current security policy to incorporate the proposed change.

  • Effect: This stops ASM/AWAF from comparing application traffic to the attack signature for that specific entity or item, effectively accepting it as a legitimate part of your application’s behavior.

  • Use Case: Use this option when you are confident that the learning suggestion is valid and beneficial for the application, such as new URL patterns, parameters, or headers that are legitimate for the application.

2. Delete

  • Action: This option deletes the logged violation but does not update the security policy. The system will continue to generate learning suggestions for this entity.

  • Effect: The suggestion is discarded, and no policy changes are made. The learning process continues to gather suggestions for the same violation.

  • Use Case: Use this when you believe the violation is temporary or irrelevant but do not want to permanently adjust the policy at this stage.

3. Ignore

  • Action: Ignoring a learning suggestion will delete or relax the suggestion, and the item is added to the ignored list. This means learning suggestions will not continue for this entity.

  • Effect: No further learning suggestions are generated for this item, effectively treating the violation as a false positive.

  • Use Case: Use this when you identify a violation as a false positive that should not trigger policy updates, such as a harmless variation in traffic that does not pose any real threat.

4. Export

  • Action: Exporting the learning suggestions creates a report in HTML format that includes all the details of the suggestions.

  • Effect: The report includes full information about the suggestions, including violation types, affected entities, and actions taken. This can be useful for auditing, record-keeping, or sharing with other team members.

  • Use Case: Use this when you want to review, analyze, or document the learning suggestions in detail, or when you need to consult with other team members before making any changes.

Summary of Learning Suggestion Actions

Action
Description
Effect
Use Case

Accept

Accept the suggestion and update the security policy.

Stops comparing traffic to attack signatures for that entity, policy updated.

When you're confident the suggestion is valid.

Delete

Deletes the logged violation but keeps generating suggestions.

No policy change, the learning process continues for this violation.

When you don't want to adjust the policy yet.

Ignore

Deletes/relaxes the suggestion, adding it to the ignored list.

No further learning suggestions generated for this entity, treats it as a false positive.

When the suggestion is a false positive.

Export

Exports the suggestion details in HTML format for review or auditing.

Creates an HTML report with detailed suggestion information.

When you need to document or share suggestions.

Key Considerations:

  • False Positives: If a suggestion is determined to be a false positive, ignoring or deleting it helps avoid unnecessary changes to the policy while maintaining the learning process.

  • Policy Accuracy: Accepting the right learning suggestions ensures that the security policy evolves to accurately reflect the application's legitimate behavior without being overly restrictive.

  • Audit and Compliance: Exporting suggestions can be essential for compliance purposes, keeping records of what has been reviewed and accepted during the policy tuning process.

PreviousTuning Security Policies: Analyzing and Categorizing ViolationsNextPolicy Diff: Comparing and Auditing Security Policies

Last updated 3 months ago