aquispe17_31055
Sep 04, 2018

ASM on Mode Transparent (Learning) doesn't learn some parameters

Hi guys, I have applied ASM in transparent mode with traffic learning. I am protecting a website based on WordPress. When the administrator users click on different menus, the F5 triggers some event logs of type "Abuse of Functionality", specifically Illegal parameters: action=query-attachments&post_id=0&query[orderby]=date&query[order]=DESC&query[posts_per_page]=40&query[paged]=2.

 

F5 tells me, for example, that "query[posts_per_page]" is an illegal parameter, but this is a false positive because this query executed over POST data is legal. The event shows Applied Blocking Setting: "Learn and Alarm". When I go to the TRAFFIC LEARNING section, the characters mentioned above don't appear in the list of learned parameters. WHY?? I accepted all the requests generated, but this traffic isn't learned. Why? If I change the policy from Transparent to Block, the traffic immediately starts to get blocked, so I have to revert the change because this is a false positive. What can I do to allow this traffic without having to modify the parameters manually? Why doesn't the F5 learn these parameters automatically during the learning period??

 

4 Replies

  • How about if you manually add the parameter if you already know what it is? You may find that this is rejected due to the brackets so you might want to add that metacharacter as a first step.

     

  • Hi Pete, the brackets are allowed in the policy. I made this change two days ago but the traffic is still blocked.

     

    I tried adding the parameter manually and it works, but I had to add each parameter one by one, and the alerts are very dynamic depending on where you click on the menu. For example, in the POST Data field there is a parameter "interval=60". The illegal event shows "alarm and learn". I don't understand why the learning of this parameter does not appear in the Traffic Learning section.

     

  • I don't understand what you mean by "the alerts are very dynamic depending on where you click on the menu".

     

    Have you set 'Unknown parameter' to be Learn and Alarm? I suspect that you are getting confused between different violations. To build a policy automatically, you need to send lots of valid data through the policy. Otherwise, you can manually create the policy using Learning Suggestions. These work with the blocking mask and the entities to create the ASM policy.