Forum Discussion

Wasfi_182818
Dec 16, 2015

With the real traffic policy builder, is staging on by default?

Hi;


With the Real Traffic policy builder, are all learnt entities placed in staging? If so, what's the deal with loosening and tightening the security policy? My understanding is that there is no staging with the ASM real traffic policy builder.


Kindly Wasfi


2 Replies

  • With automatic policy building, learned entities are indeed placed into staging until the enforcement readiness period expires. By keeping them in staging, we can reduce the likelihood of false positive violations after the entities have been enforced, because ASM has an accurate profile of each entity and its attributes (think of a file type, its extension, and its byte length). Loosening and tightening both describe how permissive ASM will be when it handles differences in requests for different entities during the enforcement readiness period. Because you're using the automatic method, loosening and tightening are done for you.

    Loosening is a policy modification which results in the declaration of traffic as legitimate once the threshold(s) from either a trusted or untrusted IP address have been reached. Let's use a file type such as .jpeg as an example. By accepting a .jpeg file into the security policy, ASM has slightly loosened the overall security stance in terms of controlling which file types will be allowed. Loosening also applies to attack signatures: if trusted traffic triggers any attack signatures, ASM will automatically disable those signatures within the security policy, because any violations are probably false positives. By disabling the signatures, ASM "loosens" some of the security processing that is applied to requests.

    Policy tightening is the process of deleting wildcards, enforcing entities such as file types, parameters, and URLs, and enforcing those attack signatures which were not triggered during the enforcement readiness period. Let's say that ASM has seen enough requests for six different file types to satisfy the thresholds for a trusted IP address. ASM will automatically accept those file types into the policy and remove them from staging. It will also remove the wildcard for file types. The policy has now been tightened: a future request for a file type not explicitly allowed in the policy will trigger a violation.
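The staging, loosening and tightening sequence the reply describes, as an added example that is not part of the original thread and is not F5 code: a small Python model of an automatic policy builder that learns file types into staging, accepts them once a trusted or untrusted threshold is reached and the readiness period has elapsed, disables signatures triggered by trusted traffic, and retires the file-type wildcard once enough explicit file types are enforced. The thresholds (one trusted sighting, twenty untrusted), the seven-day readiness period, the six-file-type wildcard rule, the class names and the signature label "sig-A" are all assumptions chosen to illustrate the behaviour, not ASM's real algorithm or values.

```python
"""Toy model of ASM automatic policy building: staging, loosening, tightening.

Added example, not F5 code and not the real ASM algorithm. Thresholds, the
readiness period and the wildcard-retirement rule are assumptions that only
illustrate the behaviour described in the reply above.
"""
from dataclasses import dataclass, field

TRUSTED_THRESHOLD = 1            # assumed: one sighting from a trusted IP is enough
UNTRUSTED_THRESHOLD = 20         # assumed: untrusted traffic needs many more sightings
ENFORCEMENT_READINESS_DAYS = 7   # assumed readiness period before an entity is enforced
WILDCARD_RETIRE_AFTER = 6        # assumed: drop the '*' file type after six explicit ones


@dataclass
class LearnedEntity:
    name: str
    first_seen_day: int
    trusted_hits: int = 0
    untrusted_hits: int = 0
    in_staging: bool = True      # learned entities start in staging

    def threshold_met(self) -> bool:
        return (self.trusted_hits >= TRUSTED_THRESHOLD
                or self.untrusted_hits >= UNTRUSTED_THRESHOLD)


@dataclass
class Policy:
    day: int = 0
    file_types: dict = field(default_factory=dict)
    file_type_wildcard: bool = True          # '*' accepts unknown types while learning
    disabled_signatures: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def observe(self, file_type: str, trusted: bool, signatures=()) -> str:
        """Process one request; returns 'learned', 'accepted' or 'violation'."""
        ent = self.file_types.get(file_type)
        if ent is None:
            if not self.file_type_wildcard:
                # Tightened policy: an unknown file type is an illegal-file-type violation.
                self.violations.append(("illegal_file_type", file_type))
                return "violation"
            ent = self.file_types[file_type] = LearnedEntity(file_type, self.day)
        if trusted:
            ent.trusted_hits += 1
            # Loosening: signatures triggered by trusted traffic are treated as false positives.
            self.disabled_signatures.update(signatures)
        else:
            ent.untrusted_hits += 1
            for sig in signatures:
                if sig not in self.disabled_signatures:
                    self.violations.append(("attack_signature", sig))
        self._enforce_ready()
        return "learned" if ent.in_staging else "accepted"

    def advance_days(self, days: int) -> None:
        self.day += days
        self._enforce_ready()

    def _enforce_ready(self) -> None:
        """Loosening: take entities out of staging once a threshold is met and the
        readiness period has elapsed; then tighten by retiring the wildcard."""
        for ent in self.file_types.values():
            if (ent.in_staging and ent.threshold_met()
                    and self.day - ent.first_seen_day >= ENFORCEMENT_READINESS_DAYS):
                ent.in_staging = False
        enforced = [e for e in self.file_types.values() if not e.in_staging]
        if self.file_type_wildcard and len(enforced) >= WILDCARD_RETIRE_AFTER:
            self.file_type_wildcard = False   # tightening: no more implicit file types


def demo() -> Policy:
    """Walk through the reply's scenario: six file types seen from a trusted IP."""
    p = Policy()
    for ft in ["jpeg", "png", "css", "js", "html", "no_ext"]:   # constructed sample traffic
        p.observe(ft, trusted=True)                  # learned and placed in staging
    p.observe("html", trusted=True, signatures={"sig-A"})  # trusted hit: "sig-A" gets disabled
    p.advance_days(ENFORCEMENT_READINESS_DAYS)       # readiness expires: enforced, wildcard gone
    p.observe("exe", trusted=False)                  # now an illegal-file-type violation
    return p


if __name__ == "__main__":
    p = demo()
    print("wildcard present:", p.file_type_wildcard)
    print("enforced:", sorted(e.name for e in p.file_types.values() if not e.in_staging))
    print("disabled signatures:", sorted(p.disabled_signatures))
    print("violations:", p.violations)
```

Run it and the final request for an unlearned "exe" file type is refused even though identical requests were silently learned a moment earlier; that flip is the tightening the reply describes, and the readiness period is what keeps the six learned types in staging until the policy has an accurate profile of them.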