ASM learning in transparent questions
Hello Experts
I have configured ASM to learn manually, that is, enabled tightening on wildcards (URLs, parameters and file types).
1- If tightening is enabled on wildcard parameters, URLs and file types, then in order to get learning suggestions for URLs, parameters and file types, must we enable learning in the violations (illegal file type, illegal URL, illegal parameter) as well?
2- If staging is not enabled on learned parameters, URLs and file types (learned through the wildcard), then will we not get learning suggestions in violations (like illegal meta character in value or URL, etc.)?
3- In transparent mode, I am getting violations on valid traffic. Should I accept all?
4- In transparent mode, I am getting 500+ illegal parameters in violations. Should I accept all of them? How to deal with a large number of learning suggestions for parameters?
Regards,
GR
- What controls learning is the learn flag on the blocking settings page.
- What controls violations is the alarm settings on the blocking settings page.
- What controls blocking is the blocking setting on the blocking settings page.
Given the above, when there is no policy object that permits the access:
- Learning suggestions are reported on the manual traffic learning page when the learn setting is set for that violation.
- Violations are reported in logs when the alarm setting is set for that violation.
- Violations are reported when the blocking setting is set for that violation and the policy is in transparent mode.
- Blocking is reported when the blocking setting is set for that violation and the policy is in blocking mode.
Staged entities are policy objects that are not enforceable until they are taken out of staging. Policy objects not in staging are enforceable. For signatures this means they will block malicious behaviour. For policy objects that means they will permit the access specified by the object.