Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: 8 - Refining the Security Policy Using Learning


8

Refining the Security Policy Using Learning


Overview of the Learning process

Once you have created a security policy with the Policy Builder, you can use the learning suggestions generated by the Learning Manager to fine-tune the security policy. When you start sending actual client traffic through the Application Security Manager, the learning data shows you the expected behavior of the traffic sent to the protected web application. You examine the requests that cause learning suggestions, and then use those learning suggestions to refine the security policy. The goal of this refinement process is a security policy that does not block legitimate requests from legitimate users, while still enforcing the policy against everything else.

The Learning process uses the following resources:

  • Learning Manager
    The Learning Manager parses the security policy violations that the Policy Enforcer generates, and generates learning suggestions based on those policy violations. As visitors move through the web application, the Learning Manager captures requests that contradict the current security policy settings, and records the learning suggestions on the Traffic Learning screen.
  • Traffic Learning screen
    The data on the Traffic Learning screen are the learning suggestions that the Learning Manager generates. The learning suggestions are categorized by violation type, and can represent actual threats or false positives. It is important to note that the learning suggestions are based on the currently-active security policy.
  • Ignored Items screen
    The Ignored Items screen lists the object types, objects, and flows that you have instructed the Learning Manager to ignore, that is, to stop generating learning suggestions for. Typically, the ignored items are items that you do not want to be a part of the security policy.

Working with the learning suggestions generated by the Learning Manager

The Learning Manager generates learning suggestions only for violations that have the Learn flag enabled on the Blocking Policy screen. (See Configuring the Learn, Alarm, and Block flags for more information.) When the system receives a request that triggers such a violation, the Learning Manager updates the Traffic Learning screen with learning suggestions based on the violating request. From this screen, you review each learning suggestion to determine whether the request is a genuine security policy violation (a potential attack) or a false positive that indicates the security policy needs updating.

To view the learning suggestions

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens, where you can review the current learning suggestions, and the number of occurrences for each violation category.

Viewing a specific learning suggestion

On the Traffic Learning screen, the violation types become hyperlinks when the Learning Manager generates a learning suggestion.

To view the details of a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the specific violations that caused the learning suggestions.

Viewing the requests that trigger learning suggestions

You can review the requests that trigger the learning suggestions by examining the occurrences of each learning suggestion.

To view all of the requests that triggered a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application Properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the request elements that caused the learning suggestions.
  5. In the Occurrences column, click the number.
    The requests list screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.

Viewing the details of a specific request

Before you process a learning suggestion, it is very helpful to examine the details of the request that caused the learning suggestion.

To view a specific request that triggered a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application Properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the request elements that caused the learning suggestions.
  5. In the Occurrences column, click the number.
    The List of Requests screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.
  6. On the List of Requests screen, in the Object column, click a requested object.
    The View Full Request Information screen opens, where you can review the details of the request that triggered one or more learning suggestions.

Processing the learning suggestions generated by the Learning Manager

The Learning Manager generates learning suggestions throughout the life of the security policy. When you are refining a new security policy, a majority of the learning suggestions are actually parameters and parameter values, or some other component of the application, that are missing from the security policy. When the Policy Enforcer detects violations for an existing policy, however, the violations may be related to a real attack, and therefore warrant more careful inspection before you accept the corresponding learning suggestions, and update the security policy. In both cases, you should carefully review the request for which the learning suggestion was generated.

Once you have reviewed the learning suggestions (violations) that the Learning Manager records on the Traffic Learning screen, you must decide what to do with them in regard to the security policy. You can do one of three things with each learning suggestion: accept it, clear it, or reject it.

Accepting a learning suggestion

When you accept a learning suggestion, the system updates one or more of the web application's security policies to accept the request entity that triggered the violation. The system determines which security policies to update based on the Apply Learning To setting for the web application. For more information, see Configuring the target security policy for learning suggestions .

To accept a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The learning suggestions properties screen opens. Note that the screens vary depending on the violation.
  5. Select a learning suggestion, and then click Accept.
    The system updates the security policy with the element in the request that caused the learning suggestion.

Clearing a learning suggestion

When you clear a learning suggestion, the system deletes the learning suggestion, and does not update the security policy. The Learning Manager continues to generate learning suggestions for future instances of the violation.

To clear a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The violation properties screen opens.
  5. Select a learning suggestion, and then click Clear.
    A Confirm Delete popup screen opens.
  6. Click OK.
    The system deletes the learning suggestion.

Tip: For a description of the violation types, refer to Understanding security policy violations.

Rejecting a learning suggestion

When you reject a learning suggestion, the system deletes the learning suggestion, and updates the Ignored Items list for the security policy. The Learning Manager does not report future instances of the violation. You can reject learning suggestions for the following violation types: illegal object type, non-existent object, illegal object, and illegal flow to object. These violations typically represent object types or web objects that are not part of the security policy, but for which the Learning Manager repeatedly generates learning suggestions.

To reject a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The violation properties screen opens. The information on these screens varies depending on the violation type.
  5. Select a learning suggestion, and then click Clear.
    A Confirm Delete popup screen opens.
  6. Check the Reject items from learning? box, and then click OK.
    The system deletes the learning suggestion, and updates the Ignored Items list for the web application. The Learning Manager no longer generates learning suggestions for this security policy violation.

Tip: For more information on the Ignored Items list, see Overview of the Ignored Items screen.

Additional considerations when processing learning suggestions

When you are processing the learning suggestions, we recommend that you process them in the following order. By doing so, you build the security policy in a logical fashion, first adding the object types, and then expanding the information about those object types. As you refine the security policy, the learning suggestions for each violation category should diminish.

  • Illegal object types
  • Length errors
  • Illegal objects
  • Illegal flows
  • Illegal query string or POST data
  • Illegal parameters
  • Illegal parameter values

As the learning suggestions diminish, you can turn on blocking for those violations for which you receive no learning suggestions for several days. The Learning Manager does not generate learning suggestions for all possible violations. As such, we recommend that you review the violations report, in the Forensics information, before you start enabling the blocking mode, to ensure that those violations are not occurring. For more information on enabling the blocking mode, see Configuring the blocking mode .

Important: Use these guidelines only when you are processing learning suggestions generated from known, trustworthy traffic, such as traffic you generate yourself while building out the policy. When the learning suggestions come from real client traffic, treat every learning suggestion or violation as a potential threat, and review the request that caused it before you accept it.

Important: The Learning Manager does not generate learning suggestions for non-existent object violations when the web server responds to the request with an HTTP status code in the 4XX or 5XX range.
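The following is an added model of the workflow this chapter describes, written for this page; it is not F5 code and does not talk to a BIG-IP. It simulates how violating requests become learning suggestions (gated by the Learn flag and the 4XX/5XX caveat above), how accept, clear and reject differ, how rejected items on the Ignored Items list suppress future suggestions while the requests are still recorded in forensics, and how to order the open suggestions by the recommended processing order. The violation names follow the chapter; the sample traffic, request IDs and data structures are constructed for the example.

```python
"""Simulation of the ASM learning workflow described in this chapter (added example)."""
from dataclasses import dataclass, field

# Recommended processing order from this chapter (process the first entries first).
PROCESSING_ORDER = [
    "Illegal object type",
    "Length error",
    "Illegal object",
    "Illegal flow to object",
    "Illegal query string or POST data",
    "Illegal parameter",
    "Illegal parameter value",
]

# Only these violation types can be rejected into the Ignored Items list.
REJECTABLE = {
    "Illegal object type",
    "Non-existent object",
    "Illegal object",
    "Illegal flow to object",
}


@dataclass(frozen=True)
class Violation:
    vtype: str       # violation type as shown on the Traffic Learning screen
    entity: str      # request element that triggered it (object type, object, flow, parameter)
    status: int      # HTTP status code the web server returned
    request_id: int  # constructed identifier for the request in the List of Requests


@dataclass
class LearningManager:
    learn_flags: dict                                  # vtype -> Learn flag on Blocking Policy screen
    policy: dict = field(default_factory=dict)         # vtype -> set of entities accepted into the policy
    ignored: set = field(default_factory=set)          # (vtype, entity) pairs on the Ignored Items list
    suggestions: dict = field(default_factory=dict)    # (vtype, entity) -> list of request ids
    forensics: list = field(default_factory=list)      # every violating request, suggestion or not

    def observe(self, v: Violation) -> bool:
        """Process one violating request; return True if it produced a learning suggestion."""
        self.forensics.append(v)                           # logged even when no suggestion results
        if not self.learn_flags.get(v.vtype, False):       # Learn flag disabled: nothing is learned
            return False
        if (v.vtype, v.entity) in self.ignored:            # previously rejected: suppressed
            return False
        if v.vtype == "Non-existent object" and v.status >= 400:
            return False                                   # the chapter's 4XX/5XX caveat
        self.suggestions.setdefault((v.vtype, v.entity), []).append(v.request_id)
        return True

    def occurrences(self, vtype: str, entity: str) -> int:
        """Number shown in the Occurrences column for one suggestion."""
        return len(self.suggestions.get((vtype, entity), []))

    def accept(self, vtype: str, entity: str) -> None:
        """Accept: the entity becomes part of the policy and the suggestion is removed."""
        self.policy.setdefault(vtype, set()).add(entity)
        del self.suggestions[(vtype, entity)]

    def clear(self, vtype: str, entity: str) -> None:
        """Clear: the suggestion is deleted, the policy is unchanged, future instances recur."""
        del self.suggestions[(vtype, entity)]

    def reject(self, vtype: str, entity: str) -> None:
        """Reject: delete the suggestion and add the item to Ignored Items (object-related types only)."""
        if vtype not in REJECTABLE:
            raise ValueError(f"{vtype!r} suggestions cannot be rejected, only accepted or cleared")
        del self.suggestions[(vtype, entity)]
        self.ignored.add((vtype, entity))

    def worklist(self) -> list:
        """Open suggestions sorted by the chapter's recommended processing order."""
        rank = {t: i for i, t in enumerate(PROCESSING_ORDER)}
        return sorted(self.suggestions, key=lambda k: (rank.get(k[0], len(rank)), k))


def demo() -> LearningManager:
    """Feed constructed sample traffic through the model and return its state."""
    flags = {t: True for t in PROCESSING_ORDER + ["Non-existent object"]}
    flags["Length error"] = False                           # Learn flag off for this violation
    lm = LearningManager(learn_flags=flags)
    traffic = [                                             # constructed, not captured traffic
        Violation("Illegal parameter", "sort", 200, 1),
        Violation("Illegal object type", "pdf", 200, 2),
        Violation("Illegal object", "/reports/q1.pdf", 200, 2),   # same request, second suggestion
        Violation("Non-existent object", "/nonexistent.bak", 404, 3),  # server said 404: no suggestion
        Violation("Illegal parameter", "sort", 200, 4),
        Violation("Illegal object", "/favicon.ico", 200, 5),
        Violation("Length error", "/reports/q1.pdf", 200, 6),          # Learn flag off: no suggestion
    ]
    for v in traffic:
        lm.observe(v)
    return lm
```

Reading the worklist from `demo()` gives the object type first, then the two objects, then the parameter, which is the order the chapter recommends; the 404 probe and the length error appear only in `forensics`, which is why the chapter tells you to check the violations report before enabling blocking rather than relying on learning suggestions alone.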

Overview of the Ignored Items screen

When you reject a learning suggestion for an object, an object type, or a flow, the Application Security Manager adds the rejected item to the Ignored Items list. When the system receives subsequent requests for those rejected items, the system no longer generates learning suggestions related to the rejected items. The system does, however, continue to log the requests in the forensics data, and the security events data, if applicable.

To view the Ignored Items screen

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Ignored Items.
    The Ignored Items screen opens, where you can review the ignored items for the web application.

Removing items from the Ignored Items list

If you want the system to start generating learning suggestions for items that you have added to the Ignored Items list, you remove those items from the list.

To remove an item from the Ignored Items list

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Ignored Items.
    The Ignored Items screen opens.
  4. In the list that contains the item you want to remove, check the Select box (in the far left column) next to the item, and then click the Clear button below the list.


