Forum Discussion

2funky_105078
Sep 26, 2016

ASM - confusion about Wildcard, Selective, All Entities

Regarding the "Explicit Entities Learning" in ASM 11.6, I am failing to understand the "Selective" case.


I understood that:


  • Wildcard, the policy will include only a *
  • Selective, ???
  • Full Entities, the policy will enforce all entities after the loosening/tightening period.

What about Selective? I am confused about what it means and when it is used. Can you please provide an example?


The manual encrypted definition is:


Never (wildcard only): Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If not running, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest you add explicit entities that match the wildcard entity.


Selective: Applies only to the * wildcard entity. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard. (Option not applicable to Redirection Domains.)


Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.


2 Replies

  • Selective mode is one of the three learning schemes you can configure to build a security policy. The other two are Never (Wildcard Only) and Add All Entities. The idea is to balance the amount of work you will need to do as an admin, especially if you are building a policy manually, with the level of security you want for a specific entity (think file type, parameter, URL). Selective mode offers intermediate protection between Never (Wildcard Only) and Add All Entities. If you use Never (Wildcard Only) you will never see a learning suggestion to add an entity to the policy by name--in other words, explicitly. If you use Add All Entities, you will see a suggestion to add an entity by name. So let's use a parameter named "2funky" as an example. By design, let's say it has a maximum byte length of 130 bytes (maybe it is part of a search field or some other user input element). 130 bytes is an attribute of that explicit parameter. The security policy will automatically assign attributes to the wildcard parameter as well, let's say it's 124 bytes. Let's say that all the other parameters in the app have a maximum byte length of 50 bytes or less. When a request is made for 2funky, Selective mode will suggest the addition of 2funky explicitly by name to the policy because its attributes are higher than the attribute values specified in the wildcard. This provides you with flexibility to expand a policy if there are irregular entities that need precise protection. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes--remember we said that all the other parameters are 50 bytes or less. But if some of the entities need special handling, the policy can be expanded to include explicit entities just for those special cases. You can always bump up the values specified in the wildcard as well...
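A toy model of how the three learning schemes react to the "2funky" traffic described in the reply above, added here as an illustration and not F5's code; the `LearningMode`, `Wildcard` and `suggest()` names and the traffic sample are assumptions, with the 124/130/50-byte lengths taken from the reply.

```python
"""Toy model of F5 ASM "Explicit Entities Learning" decisions (added example,
not F5 code). LearningMode, Wildcard and suggest() are assumed names; the
byte lengths (wildcard 124, '2funky' 130, others under 50) follow the reply
above, the traffic sample and suggestion wording are constructed."""
from dataclasses import dataclass
from enum import Enum

class LearningMode(Enum):
    NEVER = "Never (wildcard only)"
    SELECTIVE = "Selective"
    ADD_ALL = "Add All Entities"

@dataclass
class Wildcard:
    max_len: int  # maximum value length (bytes) on the "*" parameter entity

def suggest(mode, wildcard, name, observed_len):
    """Learning suggestion for one observed parameter value, or None.

    A value "matches" the wildcard when it fits the wildcard's attributes;
    only non-matching traffic raises a violation that can be a false positive."""
    matches = observed_len <= wildcard.max_len
    if mode is LearningMode.ADD_ALL:
        # every entity is added by name, whether or not it matches "*"
        return f"add explicit parameter '{name}' (max length {observed_len})"
    if matches:
        return None  # no violation, so Never and Selective learn nothing
    if mode is LearningMode.NEVER:
        # wildcard-only: relax the "*" attributes instead of naming the entity
        return f"relax '*' max length from {wildcard.max_len} to {observed_len}"
    # SELECTIVE: keep "*" as is and carve out only the irregular entity
    return f"add explicit parameter '{name}' (max length {observed_len}); keep '*'"

# constructed traffic sample: longest value length (bytes) seen per parameter
TRAFFIC = {"q": 48, "page": 3, "2funky": 130}
WILDCARD = Wildcard(max_len=124)

def suggestions(mode):
    """Map parameter name -> suggestion for the sample traffic under `mode`."""
    out = {}
    for name, length in TRAFFIC.items():
        text = suggest(mode, WILDCARD, name, length)
        if text:
            out[name] = text
    return out

if __name__ == "__main__":
    for mode in LearningMode:
        print(f"{mode.value}: {suggestions(mode)}")
```

Running it shows that only Add All Entities names the two regular parameters, while Never and Selective differ solely in whether the 130-byte outlier widens the wildcard or becomes its own explicit entity.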


  • Hi Sachin, you are correct about the wildcard. However, the recommendation is to not delete the wildcard until you are sure the policy has seen enough traffic. If you are using the automatic method for policy building, you can specify how long the policy builder process must run, and how many requests from X number of IP addresses must be seen. In v13, a new learning method called "Compact" deals with this problem effectively by never removing the wildcard.