How To: Policy Builder learning suggestion and entity management
You can view and manage Policy Builder’s ongoing evaluation of legitimate application usage and recommendations to tighten, loosen, or stabilize your WAF security policy. Ensure that you have customized your Policy Builder learning settings. See Policy Builder Settings.
When evaluating Policy Builder’s suggestions you can review the status of the policy refinement process, or manually manage security suggestions based on known security requirements. You can do this by either accepting/ignoring learning suggestions, or managing policy entities that are in staging:
Learning Suggestions - Displays learning suggestions that the system generates for changes to the security policy. By selecting a suggestion, you can find out more about it, including any violations that caused it and the associated requests (up to 100) that triggered it. By default, the list shows pending suggestions, but it can be refined based on the learning status. The suggestions may relate to actual threats, false positives, or legitimate additions to the security policy. When you accept a learning suggestion, you are updating the security policy. Alternatively, you can ignore or delete suggestions. See Manually manage learning suggestions.
Note: Changes to your policy are only active once they are deployed to the BIG-IP Next instance. You can deploy changes immediately after you manually accept suggestions, or save your changes and deploy later. For automatic policy building, you manually deploy Policy Builder changes.
Enforcement Readiness - Summarizes the security policy entities that are in staging or have learn explicit entities enabled, that may have learning suggestions, and that may be ready to be enforced. For file types, parameters, URLs, cookies, and signatures, you can review the entities and decide whether to enforce them in the security policy. You can approve entities that are ready to be enforced. These entities are then included in the policy and start to take effect on traffic. See Enforcing staged entities.
Manually manage learning suggestions
Use the following procedure to manually manage learning suggestions for a selected policy.
Note: If you are working in automatic learning mode, when the learning score reaches 100%, the system accepts most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually. If you know that a suggestion is valid, you can accept it at any time, even before the learning score reaches 100%. Suggestions that reach 100% have met all the conditions, so they are probably legitimate entities.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click WAF.
Click the policy name.
From the policy’s panel menu, select Policy Builder. The Policy Builder panel automatically displays the Learning Suggestions.
Select the suggested action:
Note: If you already know the suggestion action, you can click the suggestion’s check box and select an action.
From the suggestion panel you can review the details of the suggestion, including the policy refinement, description, and affected entity.
From the Samples list, you can select a traffic sample to view additional request details in a separate panel.
Select an action:
Accept - Accepts a suggestion and adds it to the policy entity.
Accept & Stage - Accepts this suggestion and adds it to the policy entity in staging mode. (Not always available)
Accept Globally - Accepts a suggestion and adds it globally to the policy. (Not always available)
Delete - Removes the learning suggestion from the list, but Policy Builder will suggest this action again if it is detected again in traffic.
Ignore - Removes the learning suggestion and Policy Builder will no longer suggest this action if detected again in traffic.
Click Save to save your changes without deploying to the policy’s BIG-IP Next instances.
Note: Any changes to your policy are now saved. You are not required to immediately deploy these changes.
Click Deploy to deploy your changes to the policy’s BIG-IP Next instances.
Enforcing staged entities
When you create a security policy and traffic is sent to the web application, the system makes learning suggestions about file types, URLs, parameters, cookies, and redirection domains to add to the security policy. You can review the entities and signatures that are ready to be enforced, and enforce them in the security policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click WAF.
Click the policy name.
From the policy’s panel menu, select Policy Builder. The Policy Builder panel automatically displays the Learning Suggestions.
Select the Enforcement Readiness tab.
Click Refresh to ensure you are viewing the most up-to-date statuses.
Click the check box next to one or more entity types. Ensure that you are selecting entity types that have one or more entities ready to be enforced. Entities under Ready to be Enforced have completed the configured staging period and are eligible to become enforced according to your policy configuration.
Click Enforce Ready Entities.
Click Save to save your changes without deploying to the policy’s BIG-IP Next instances.
Note: Any changes to your policy are now saved. You are not required to immediately deploy these changes.
Click Deploy to deploy your changes to the policy’s BIG-IP Next instances.