Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: Nov 24, 2016 Severity: 3-Major
In v12.x, ASM unified manual learning and automatic policy building, which also caused significant changes in the GUI. There were only suggestions in Traffic Learning screen (both for manual and automatic mode). There were no more tables of manual traffic learning showing violating requests, ordered by violations or attack signatures.
In earlier versions, the 'manual traffic learning' feature showed violating requests, ordered by violations, making it possible to learn false positives and improve the policy. It also showed all violations ordered by violations or signature names, instead of the time-based order in the event logs. In later versions, instead of marking those as 'Unknown / Learnable Filetype' or something like 'New Entity Discovered: Filetype XYZ', traffic learning marks those as 'Illegal Filetype/URL <url>', which causes undue concern.
When Policy Builder is enabled in ASM.
None.
Four triage sections were added to the Traffic Learning screen to speed up the traffic learning process: - Reduce Potential False-positive Alerts: Tables for the Top Violations, Top Matched Attack Signatures and Top Violating Meta-Characters. - Enforcement Readiness. - Add New Entities. - Delete Inactive Entities.