Manual Chapter :
Refining Security Policies with Learning
Applies To:
Show VersionsBIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Refining Security Policies with Learning
About learning
You can use learning resources to help build a security policy, particularly
if you are building a security policy manually. When building a security policy manually, the
learning mode is set to Manual, and when building a policy automatically, the learning mode is
Automatic.
When you send client traffic through the Application Security Manager (ASM), the learning data provides information on requests or
responses that do not comply with the current security policy and have triggered a violation. The
reason for triggering a violation can be either an actual attack on the site, or a false positive
(typically seen during the process of building a policy).
ASM generates learning suggestions
for requests that cause violations and do not pass the security policy checks. The system also
suggests adding legitimate entities such as URLs, file types, or parameters that often appear in
requests. You can examine the requests that cause learning suggestions, and then use the
suggestions to refine the security policy. In some cases, learning suggestions may contain
recommendations to relax the security policy. When dealing with learning suggestions, make sure
to relax the policy only where false positives occurred, and not in cases where a real attack
caused a violation. You can use the violation ratings to help determine how likely a request was
caused by an attack.
If you are generating a security policy automatically, ASM handles much of
the learning for you, adjusting the security policy based on traffic characteristics. In that
case, the learning screens show only the elements that the security policy is in the process of
learning, or those which require manual intervention to be resolved.
About learning
suggestions
Application Security Manager (ASM)
generates learning suggestions for violations if the Learn flag is enabled for the violations on
the Learning and Blocking Settings screen. When the system receives a request that triggers a
violation, the system updates the Traffic Learning screen with learning suggestions using
information from the violating request. From this screen, you can review the learning suggestions
to determine whether the request triggered a legitimate security policy violation, or if the
violation represents a need to update the security policy.
The system can also generate suggestions based on legitimate activity, such
as adding a valid URL or host name to the security policy.
Next to each suggestion, ASM assigns a
learning
score
that measures the strength of the suggestion by showing a percentage that indicates
how close the system is to recommending that you accept the suggestion. The learning score is
also influenced by the violation rating: the lower the rating of the violations, the higher the
score.If the system is working in automatic learning mode, when the learning score
reaches 100%, the system can accept and enforce most of the suggestions. If and when the system
enforces the suggestions depends on which learning mode
auto-apply
setting you have chosen. It is possible to limit auto-apply to specific days and hours.
You can accept suggestions manually at any time. If you are using manual learning, when the
learning score reaches 100% (or before that if you know the suggestions are valid), you need to
accept the suggestions manually.Making decisions about which learning suggestions to accept requires a
general understanding of application security, and specific knowledge of the protected
application (for example, recognizing valid traffic). For example, you should consider accepting
a learning suggestion when you see that it is associated with many requests from many different
source IP addresses. As long as they are valid, repeated requests may indicate legitimate traffic
behavior that warrants relaxing the security policy.
You can also review the violation rating for requests by selecting the
suggestion. Learning suggestions associated with requests having a low average violation rating
are more likely to be false positives and can be accepted. But if a request has a high violation
rating, the learning suggestion should not be accepted. Instead, it should be cleared because it
is most likely indicative of an attack.
The Traffic Learning screen also displays violations for which the system
does not generate learning suggestions. Typically, these violations are related to RFC compliance
and system resources; the resolution for these violations may be to disable the violation rather
than to change the configuration. The system displays these violations along with the learning
suggestions to ease the security policy management tasks.
What suggestions look like
This figure shows the Traffic Learning screen with several suggestions on it. As an example, on
the left, the suggestion to enforce a cookie is highlighted; the information on the right shows
what caused the suggestion. The HTTP violations are listed, and one is selected showing details
about the request. The cookie
PHPAUCTION_SESSION
matched the * wildcard in the
Allowed Cookies list in several requests so the suggestion is to add and enforce the cookie. If
you accept the suggestion, the cookie is added to the Enforced Cookies list.What violations are unlearnable?
Some violations that occur indicate a real problem with a request that cannot be learned. These
are called
unlearnable violations
. For example, requests for access from disallowed
users, disallowed sessions, and disallowed IP addresses are unlearnable. In addition, the system
considers requests that trigger the following HTTP protocol compliance violations to be
unlearnable:- Bad HTTP version
- Unparsable request content
- Null in request
They are considered unlearnable because these violations indicate behavior that is never
acceptable, so the security policy will never be changed to allow them. Consequently, the
violating requests are not used for automatic or manual learning (even if they include
additional violations that could be learned). No learning suggestions are created for requests
containing these violations. Also, the violation rating for these transactions is always set
to 5 (the highest severity).
Configuring how
entities are learned
You can adjust the learning settings for file types, URLs,
parameters, cookies, and redirection domains. Learning settings specify when Real
Traffic Policy Builder adds, or suggests you add, explicit entities to the security
policy.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- On the right side of the Learning and Blocking Settings screen, selectAdvanced.The screen displays the advanced configuration details for policy building.
- In the Policy Building Settings area, click the entity (File Types,URLs,Parameters,Cookies, andRedirection Protection) to show the settings. Then from theLearn Newsetting, select the option that determines which Learning suggestions the system provides (based on real traffic).entityOptionDescriptionNever (wildcard only)Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If it is running in automatic learning mode, the Policy Builder does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If it is running in manual learning mode, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest that you add explicit entities that match the wildcard entity.SelectiveApplies only to * wildcard entity. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If using automatic learning, the policy includes explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If usingmanuial learning, the system suggests adding explicit entities that match the * wildcard. (This option is not available for redirection protection.)CompactApplies only to the * wildcard. Specifies that the policy includes the most commonly used entities (while enforcing all others types with a wildcard rule), also provides a pre-populated list of known disallowed file types, and includes top-level URLs such as /abc/*. This option serves as a good balance betweenSelectiveandAlwaysmaking a smaller, more compact policy, with fewer suggestions.When using Automatic learning, the system adds explicit entities that do not exist in the policy but which match the attributes of the * wildcard. The Policy Builder does not remove the * wildcard file type from the security policy. For Manual learning, the system suggests adding explicit entities that match the * wildcard file type. (This option is not available for cookies or redirection protection.)AlwaysCreates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard. (This option is not available for cookies.)
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy now learns new file types, parameters, URLs,
cookies, and redirection domains according to the learning settings you
specified.
Learning from responses
When learning to build a policy, you can have the system examine responses as well as
requests for entities to include in the security policy. This is called
learning from responses
, and the system does this by default in
automatic mode. Learning from responses is supported in manual mode but is not
enabled by default. You may want to learn from responses because a response might
include more information about the web application than is found in the request, or
if you want to have the system learn login pages automatically.You can disable this setting in automatic mode if your application does not need to examine
responses for entities to add to the security policy, or if the application does not
use dynamic parameters.
This setting applies only to what entities can be learned from the response
content, such as URLs and parameters. The system does not learn from violations
that occur in responses, such as Data Guard leakage. Learning from violations is
enabled by selecting the Learn flag of the respective violation.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- On the right side of the Learning and Blocking Settings screen, selectAdvanced.The screen displays the advanced configuration details for policy building.
- If you do not want the security policy to include elements found in responses when building the security policy, in the Policy Building Process area, expandOptionsand clear theLearn from responsescheck box.You can also have the system learn only from requests that return specific response codes.If the setting is not enabled, the Policy Builder never learns from responses.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If you disabled the
Learn from responses
check box, the Policy
Builder never adds to the security policy elements found in responses. If the check
box is enabled, the Policy Builder adds elements found in valid responses to the
security policy (meaning those that do not generate violations).Learning based on response codes
When using automatic or manual learning, the system learns from legitimate traffic
including transactions that return response codes of 1xx, 2xx, and 3xx. These
classes of codes are added by default to the policy building settings. You can
change which response codes are listed, or add specific response codes, such as
those used by the web application you are protecting.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- On the right side of the Learning and Blocking Settings screen, selectAdvanced.The screen displays the advanced configuration details for policy building.
- In the Policy Building Process area, expandOptions.
- In theAddfield followingHTTP Response Status Codes used to learn traffic, type the response code you want to add (for example, add specific codes like304or a class of codes like4xx), then clickAdd. Use these formats.Response codeDescription1xxAll informational responses (the request was received; continuing to process it). Included by default.2xxAll successful responses (the request was received, understood, accepted, and processed successfully). Included by default.3xxAll redirection (the client needs to take additional action on the request). Included by default.4xxServer failed to fulfill the response as a result of client syntax or input errors.5xxAll server error responses (the server failed to fulfill a request).Specific codes such as100,306,400, or404Refer to your web application or the Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC-2616).
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The Policy Builder extracts information for the security policy from traffic
transactions that return the specified HTTP response status codes.
Reviewing learning
suggestions
Before you can see learning suggestions on the system, it needs to have had some
traffic sent to it.
After you create a security policy and begin sending traffic to
the application, the system provides learning suggestions concerning additions to
the security policy based on the traffic it sees. For example, you can have users or
testers browse the web application. By analyzing the traffic to and from the
application, Application Security Manager generates learning suggestions or ways to
fine-tune the security policy to better suit the traffic and secure the
application.
This task is primarily for building a security policy manually. If you are using
the automatic learning mode, this task applies to resolving suggestions that require
manual intervention, or for speeding up the enforcement of policy elements.
- On the Main tab, click.The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
- Take a look at the Traffic Learning screen to get familiar with it.With no suggestions selected, the right pane displays sections that facilitate the reviewer decision-making process. These include graphical charts that summarize policy activity, a summary of top violations inReduce Potential False-positive Alerts, an enforcement readiness summary and a summary of suggestions to add new entity or delete an obsolete entity.
- To change the order in which the suggestions are listed, or refine what is included in the list, use the filters at the top of the column. Click the search icon to see basic and advanced filters.
- Review the learning suggestions as follows.
- Select a learning suggestion.Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
- Select a suggestion to learn more about what caused it by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and if available, by examining samples of the requests that caused the suggestion.
- Select a request to view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any).By examining the requests that caused a suggestion, you can determine whether it should be accepted.
- To add comments about the suggestion and the cause, click the Add Comment icon to the right of the suggestion commands, and type the comments.
- Decide how to respond to the suggestion. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options.OptionWhat happensAccept SuggestionThe system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. If the entity that triggered the suggestion can be placed in staging (file types, URLs, parameters, cookies, or redirection domains), clickingAccept Suggestiondisplays a second option,Accept suggestionand enable staging on Matched <<entity>>. Click this option to accept the suggestion and place the matched entity in staging.Delete SuggestionThe system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case.Ignore SuggestionThe system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by status ignored.If you are working in automatic learning mode, when the learning score reaches 100%, the system can accept most of the suggestions if you selected theLearning Mode Auto-apply Policy, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually.If you know that a suggestion is valid, you can accept it at any time even before the learning score reaches 100%. The ones that reach 100% have met all the conditions so that they are probably legitimate entities.
- To put the security policy changes into effect immediately, clickApply Policy.
By default, a security policy is put into an enforcement readiness period for seven
days. During that time, you can examine learning suggestions and adjust the security
policy making sure that users can access the application. The security policy then
includes elements unique to your web application.
It is a good idea to periodically review the
learning suggestions on the Traffic Learning screen to determine whether the violations
are legitimate and caused by an attack, or if they are false positives that indicate a
need to update the security policy. Typically, a wide recurrence of violations at some
place in the policy (with a low violation rating and a high learning score) indicates
that they might be false positives, and hence the policy should be changed so that they
will not be triggered anymore. If the violations seem to indicate true attacks (for
example, they have a high violation rating), the policy should stay as is, and you can
review the violations that it triggered.
Viewing requests that caused learning suggestions
To review requests that are related to learning suggestions, you need to have a
security policy that is already handling traffic. If the
Learn
flag is disabled for a violation, you will not see learning suggestions for that
violation. If no violations have occurred, you will only see learning suggestions for
adding legitimate entities to the security policy.Before you process a learning suggestion, it is very helpful to examine the details
of sample requests that caused the learning suggestion. By viewing the requests, you can
determine whether to accept each one, or not. If the suggestion is based on a violation,
you can see whether the violation was caused by an attack, or if it is a false
positive.
- On the Main tab, click.The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- In the left column, select the learning suggestion that you want to learn more about.Sample requests associated with the suggestions show on the right, with the average violation rating. (Legal requests have no violation rating.)
- Select the request that you want to review more closely.The request details are displayed on the right, including any violations the request generated, the contents of the request itself, and the response (if any).
- Review the information about the request on the General Data tab.If the request caused violations, they are listed at the top. Click the down arrow to examine the violation occurrences and description.The Request Status and a flag highlight requests considered to be illegal. These are the ones you need to examine most closely.
- To examine the request or response itself, clickRequestorResponse.The actual content of the request or response is displayed in the tab.
- On the Traffic Learning screen, continue to review the learning suggestions and associated requests.
When you finish reviewing the requests associated with learning suggestions, you can
accept, delete, or ignore the suggestions.
Viewing and allowing ignored suggestions
If the system is not generating learning suggestions that you would expect to see,
or when suggestions do not appear consistently, you can view learning suggestions that
were previously ignored. You can also change the status of those suggestions so that if
the situation reoccurs, the suggestion will be included on the Traffic Learning
screen.
- On the Main tab, click.The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Above the list of suggestions, click the Open Filter icon.The filter popup screen opens.
- In the filter popup screen, clickAdvanced Filter.
- From theStatuslist, selectIgnored.
- ClickApply Filter.Suggestions that were previously ignored are displayed in the list.
- Review the ignored suggestions and decide how to handle them:
- If the suggestion should continue to be ignored, do nothing. Click the Reset Filter (X) above the list to return to the current suggestions.
- If you do not want this suggestion to be ignored in the future, clickDelete Suggestion.
- If you want to implement this previously ignored suggestion, clickAccept Suggestion.
If you delete the suggestion, it is removed from the ignored suggestions list, and it will not be ignored if the conditions that caused it occur again. If you accept the suggestion, the suggested change is made to the security policy, and it is removed from the list of ignored suggestions.
About enforcement readiness
When you are creating a security policy, you specify an enforcement readiness period that
indicates a staging period for entities and attack signatures (typically 7 days). When entities
or attack signatures are in staging, the system does not enforce them. Instead, the system posts
learning suggestions for staged entities.
When the enforcement readiness period is over and no learning suggestions are added for the
staging period duration (the default is 7 days), the file type, URL, parameter, cookie,
signature, or redirection domain is considered ready to be enforced. Particularly if you are
using manual learning, you can delve into the details to see if you want to enforce these
entities in the security policy. From the Enforcement Readiness summary on the Traffic Learning
screen, you can enforce selected entities to the security policy, or you can enforce all of the
entities and signatures that are ready to be enforced. If you are using automatic learning, you
can still enforce entities manually, but the Policy Builder enforces entities according to the
learning and blocking settings. So you do not need to enforce entities in the security
policy.
Enforcing entities
When you create a security policy
and traffic is sent to the web application, the system makes learning suggestions about
files types, URLs, parameters, cookies, and redirection domains to add to the security
policy. You can review the entities and signatures that are ready to be enforced, and
enforce them in the security policy.
This task is primarily
for building a security policy using manual learning. If you are using the automatic
learning mode, the system cab automatically enforce entities in the security policy,
if you selected the
Learning Mode Auto-apply Policy
, when it has
processed sufficient traffic and sessions over enough time, from different IP
addresses, to determine the legitimacy of the file types, URLs, parameters, cookies,
methods, and so on. .- On the Main tab, click.The Enforcement Readiness summary is on the bottom right.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Below the charts on the right, review the Enforcement Readiness Summary to see if there are entities that are ready to be enforced. If there are, select the entities you want the security policy to enforce, and clickEnforce Ready Entities.If you select this option, you are done with this task. Continue only if you want to enforce selected entities or signatures instead of enforcing all entities ready to be enforced.
- In the Enforcement Readiness Summary, check to see if a number appears in the Not Enforced column.A number greater than zero indicates that entities of that type are in staging, or have wildcard entities configured so that the security policy learns all explicit entities that match them.
- Click the number in the Not Enforced column.The allowed file types, URLs, parameters, cookies, signatures, or redirection protection list opens showing the entities that you can enforce.
- Select the entities you want the security policy to enforce, and clickEnforce.
The system removes the selected entities or signatures from staging, and enforces
them in the security policy. If any of the entities are wildcards that are learning
explicit entities, the system deletes the wildcards.
Exploring security policy action items
Even though you are done creating a security policy, Application
Security Manager (ASM) might have additional action items it recommends for
you to do based on your current system configuration and current security policies.
- On the Main tab, click.The Action Items screen opens.
- Examine the Action Items screen for information about recommended actions that you need to complete.
- Review the Suggested Action Items area, which lists system tasks and security policy tasks that the system recommends.Examples of system-wide action items include updating attack signatures, restarting the system, and setting up synchronization so that all configuration data from this system is duplicated on another system in a device group. Action items related to the security policy include enforcing entities that are ready to be enforced and applying changes previously made to the security policy.
- Click the links in the Suggested Action Items area to go to the screen where you can perform the recommended actions.
- In the Quick Links area, click any of the links to gain access to common configuration and reporting screens.
- If you are using the Automatic Learning Mode, you can see a summary of the policy elements learned in automatic mode for each security policy on the system.
By looking at the recommended Action Items and system reports, you can find out what
additional steps you can take to tighten your security policy.