Forum Discussion

K-Dubb
May 30, 2019

ASM Traffic Learning page question

Version 13.1... Is there a way from the traffic learning page to see the requests that triggered the suggestion before you accept a suggestion? I currently don't see a way to drill in from there. All I see is that x no. of requests triggered the suggestion, but it does not show the requests. I can go to the event log and dig through those to correlate, but that takes some time.

10 Replies

  • If you click the expand button in the upper right and then all details, you should be able to see the request and all the information that you need in the learning screen.

     

  • K-Dubb

    Hey Dave, thanks for replying. I see a maximize button, but that does not give me any more details that I can see. See attached. What am I missing?

  • K-Dubb

    Actually, it looks to me like if the learning score is 100%, it does not show you the details. I have others that have not reached 100%, and I have all the details for those.

  • Are you using automatic or manual learning? I saw the same issue for suggestions that were not at 100% and had the same behavior, not sure what is going on there.

  • K-Dubb

    Manual. I guess it assumes you don't need to look at details when it is 100% sure :). I suppose in automatic mode they wouldn't even be listed here at all at 100%.

  • I have an ASM that is also v13.1 and is showing the same behavior but the learning score is on 11%. In fact all requests except for a 403 are not showing anything. See pic

     

  • K-Dubb

    I just checked another and sure enough I have some that are the same way. I wonder if it only shows this for certain suggestions? Either way I opened a ticket and will let you know what they say.

    • K-Dubb

      Heard back from support. These specific examples are just to enable more checking to be able to make an actual recommendation. It sounds like they don't take samples of these types of requests.

  • Hi guys,

    Traffic learning module has its limitations. I think it can store 100000 samples across all policies (it used to be like that in v 11.x). So if the samples are gone, they were simply removed because of that limit. So the system shows you there were violations, but they were already removed.

    It can be because of 2 reasons.

    1 - you are learning many violations - for example "illegal metachar in value" can generate heaps of violations, so that all other violation samples are gone.

    2 - there was an attack, maybe a vulnerability scan which again triggered many violations which caused the older samples to be wiped.

     

    Jiri