Basil_Parsley_1
Feb 19, 2017

ASM Policy - how is the trusted IP list treated

Guys, how are trusted IPs on ASM policies treated RE automatic policy building?

 

Edited from the documentation :

 

"Trusted IPs - Specifies a list of IP addresses that the Policy Builder considers safe, ASM processes traffic from trusted clients differently than traffic from untrusted clients. Trusted clients; rules are configured so that ASM requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes.

 

It takes more traffic from untrusted clients to change the security policy (for example, if using the default values)".

 

Q: Are we saying that the policy builder will not recommend suggestions, i.e. violations, from any traffic patterns from trusted IPs; that it will consider all this traffic "good", meaning that the policy would be less likely to create false positives, thus acting as a useful risk mitigation?

 

2 Replies

  • nathe

    Basil, yes the policy builder is going to assume all traffic from trusted IPs is good traffic and should be reflected in the policy. On the other side of the coin, with untrusted traffic the builder will want to see a lot of the same traffic patterns from a wide amount of IPs before it considers this as safe.

     

    Hope this helps,

     

    N

     

  • Follow up question (and let me know if this should be a new stand-alone): If Policy Builder notes an IP as Trusted, but the policy is in manual learning mode, does that mean that trusted IP's actions will NOT be automatically learned and potentially change policy? Does the policy need to be in automatic learning in order for trusted IP actions to potentially change the policy? Thanks.