ASM manual learning mode parameters and URLs

Question

Dear all, I am trying to optimize the ASM security policy by using manual learning mode and have selective all entities. In the parameter list, I can see that it is in learning mode. I am not able to use Automatic policy builder / realtime traffic builder, because the F5 is located on the external public network segment and I dont want to take the risk that it will learn something that it shouldn´t.&nbsp;
&nbsp;
&nbsp;
The strange thing is that there are 4 ASM policies, all for Microsoft IIS server platforms and I only see one parameter that is __viewstate.&nbsp;
Does somenone has an idea why I just dont see any other parameters being learned? If I have a close look at the HTTP POST requests there are several parameters visible, so why aren´t these learned by the F5 ASM? Eventually I want to protect the application at the paramteter level and not only use the wildcard.&nbsp;
Please share your experience I appreciate it!&nbsp;

erik_novak · Answer

Are you sure that the learning mode for parameters is really "Add All Entities" and not "Selective"? It's not clear from your first sentence. If you changed the learning mode for parameters at any point, make sure you clicked Save and Apply Policy. Also, if you view the Learning and Blocking settings page, are the Learn and Alarm checkboxes for "Illegal Parameter" selected? If you have four policies, make sure you are editing the correct one.

Forum Discussion

ASM manual learning mode parameters and URLs

1 Reply

Recent Discussions

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Help with URL Masking

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Related Content

Community Learning Path: Multi-Cloud Networking

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

ASM Manual Learning Clarification

Community Learning Path: Web Application and API Protection (WAAP)

Brute Force protection for single parameter like OTP