Forum Discussion
- natheCirrocumulus
Event Logs will show you the Violations and you can tune based on these individual requests (as it will show what was violated and on what i.e. parameter x). In my view the traffic learning is a better and more straight-forward way of tuning the ASM policy.
See the following for help: ASM Learning
- MSZNimbostratus
Thanks.
Also, I am a little bit confused about Staging.
- natheCirrocumulus
Staging is another form of learning where an entity's properties are learned too. Whilst staging, no violations that would have occurred if the policy is in Blocking mode will happen. It's extra safety so that false positives won't happen. After the staging period, say 7 days by default, you can accept the entity as-is, needing no further tuning.
- MSZNimbostratus
In the event logs, please elaborate on the function of each, like Block, Illegal request, etc.
- natheCirrocumulus
Hopefully this will help: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/12.html
- MSZNimbostratus
What are the meanings of the Statuses in the Event logs, and how do they behave? Like: Blocked, Illegal, Truncated, Unblock.
- Blocked - request is blocked
- Illegal - request is illegal
- Truncated - request is larger than x bytes, only the first y bytes are shown (check the SOL for exact values)
- Unblocked - request is unblocked
- MSZNimbostratus
Thanks. We don't have to worry in the case of Blocked, Illegal and Truncated. Am I right?
How can it be further tuned from the above logs?
I'm not sure I understand you correctly. What do you mean by tuning? Blocked requests can be good ones because an attack takes place, but they can also be bad ones because a valid request is blocked.
Tuning a policy, in my opinion, means trying to get rid of the false positives. But you say somewhere else: "If event logs show: Blocked, Illegal and truncated requests, then it means our applications are secure and we need to see the violations only."
That isn't really the case; violations result in a block event if the policy is configured like that.
- gsharriAltostratus
Be aware, also, that "Illegal" requests are not blocked by ASM. Illegal simply means that something about the request violates the current policy settings but ASM is not blocking it likely because of staging settings. You need to investigate the illegal requests to see if they are false positives or actual malicious traffic.
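The point gsharri makes above, that an "Illegal" entry is a violation ASM saw but did not enforce (typically because the entity or signature is still in staging), is exactly what a triage script should separate out. The following is an added example, not code from this thread or from F5: it parses a few constructed, key="value" style request-log lines (the field names `status`, `violation`, `param`, `src`, `staging` and the layout are assumptions, not ASM's actual remote-logging format), splits blocked from merely flagged requests, and lists violation/parameter pairs seen from several distinct client addresses as candidates for false-positive review.

```python
"""Triage of ASM-style request log lines (constructed sample, assumed format).

Blocked  -> violation enforced.
Illegal  -> violation seen but request allowed through (e.g. staging); must be reviewed.
Other statuses (Truncated, Unblocked) are counted but not treated as enforcement decisions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines. The key="value" layout and field names are assumptions
# for this example, not the real F5 ASM log format.
SAMPLE_LOG = """\
policy="/Common/webapp" status="Blocked" violation="Illegal meta character in value" param="comment" src="203.0.113.10" uri="/post"
policy="/Common/webapp" status="Illegal" violation="Attack signature detected" param="q" src="198.51.100.7" uri="/search" staging="true"
policy="/Common/webapp" status="Illegal" violation="Illegal meta character in value" param="comment" src="203.0.113.22" uri="/post" staging="true"
policy="/Common/webapp" status="Blocked" violation="Illegal meta character in value" param="comment" src="203.0.113.31" uri="/post"
policy="/Common/webapp" status="Illegal" violation="Illegal parameter" param="utm_source" src="198.51.100.40" uri="/" staging="true"
policy="/Common/webapp" status="Illegal" violation="Illegal parameter" param="utm_source" src="198.51.100.41" uri="/" staging="true"
policy="/Common/webapp" status="Illegal" violation="Illegal parameter" param="utm_source" src="198.51.100.42" uri="/" staging="true"
policy="/Common/webapp" status="Truncated" violation="Attack signature detected" param="body" src="203.0.113.50" uri="/upload"
policy="/Common/webapp" status="Unblocked" violation="Illegal meta character in value" param="comment" src="203.0.113.10" uri="/post"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" line into a dict; unknown keys are kept as-is."""
    return dict(KV.findall(line))


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def status_counts(events):
    """How many requests carry each status mark (Blocked, Illegal, ...)."""
    return Counter(e.get("status", "unknown") for e in events)


def not_enforced(events):
    """Illegal = a violation was detected but the request was allowed through.
    These are the entries that need a human decision: false positive or real attack."""
    return [e for e in events if e.get("status") == "Illegal"]


def tuning_candidates(events, min_sources=3):
    """Violation/parameter pairs triggered from at least `min_sources` distinct client
    addresses. Heuristic: a rule that many unrelated clients trip is more often
    legitimate traffic hitting a too-strict setting than a single attacker, so these
    pairs are reviewed first when tuning. Only Blocked and Illegal entries count."""
    sources = defaultdict(set)
    for e in events:
        if e.get("status") in ("Blocked", "Illegal"):
            sources[(e["violation"], e.get("param", "-"))].add(e["src"])
    return sorted((pair, len(srcs)) for pair, srcs in sources.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("status counts:", dict(status_counts(events)))
    print("seen but not blocked:", len(not_enforced(events)))
    for (violation, param), n in tuning_candidates(events):
        print(f"review: {violation!r} on parameter {param!r} from {n} distinct clients")
```

Run as a script it prints the per-status counts, how many violations were flagged without being blocked, and the violation/parameter pairs worth reviewing. The distinct-source threshold is only a starting heuristic; the decision whether an entry is a false positive or a real attack still comes from looking at the request itself, as the reply above says.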
- MSZNimbostratus
Thank you so much both of you Scott and Boneyard.
Let me explain further my query.
- If the policy is in blocking mode and signatures are also in the Blocking stage, then what will be the meaning of all these events in the event logs? Blocked, Illegal Request, Truncated, Unblock
- If the policy is in blocking mode and signatures are also in the Staging stage, then what will be the meaning of all these events in the event logs? Blocked, Illegal Request, Truncated, Unblock
- MSZNimbostratus
On the navigation pane:
Security --> Event Logs --> Application --> Requests
Select: Illegal Requests + All Security policies --> Go
A bulk of events comes with different marks, say:
- Blocked Request (Red Circle)
- Illegal Request (Red Flag)
- Truncated (White Square)
- Unblock Legal (Green Tick)
The one highlighted with ** means all these events are blocked, or this is a suggestion to block these events or requests.
Please help in understanding these all notations.