TTechclick ⚡ XP 0% All lessons
F5 · BIG-IP ASM · Troubleshooting & TuningInteractive · L1 / L2 / L3

Tuning ASM: False Positives, Suggestions & Going to Blocking

A new auto-rickshaw driver runs a full week with the meter off — learning every route — before he charges a real passenger. Your F5 BIG-IP Advanced WAF (formerly ASM) policy works the same way. It rides along in Transparent mode, watches real traffic, and posts Traffic Learning suggestions. This capstone shows you how to read those suggestions, use violation rating and learning score to split false positives from real attacks, accept the safe ones, clear the dangerous ones — and flip the meter to Blocking only when you won't strand a real customer.

📅 2026-06-02 · ⏱ 11 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Tune F5 BIG-IP Advanced WAF (ASM) with confidence — read Traffic Learning suggestions, use violation rating + learning score to separate false positives from real attacks, accept vs clear suggestions, and flip Enforcement Mode from Transparent to Blocking only when Enforcement Readiness is clean. 11 min.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The Tuning Loop

Why Transparent first, what Traffic Learning suggestions are, and the read-tune-recheck cycle.

 2

Rating vs Score

Violation rating 1–5 (attack-ness) vs learning score % (confidence). The two-axis decision.

 3

Accept / Clear / Ignore

What each button does, per-entity vs per-signature enforcement, and Enforcement Readiness.

 4

The Final Flip

Transparent → Blocking only when Readiness is clean. The don't-block-legit-customers playbook.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A suggestion has a low violation rating (1) and a high learning score (95%). What is the policy probably telling you?

Answered in Path 2 — Rating vs Score. (Spoiler: low rating + high score = accept.)

2. You're ready to start protecting an app but terrified of blocking real users. Which Enforcement Mode do you pick first?

Answered in Path 1 — The Tuning Loop.

3. The Traffic Learning screen shows Enforcement Readiness = 0 entities/signatures not ready. What does that mean for going live?

Answered in Path 3 — Accept / Clear / Ignore. Readiness clean = the green light.

Most engineers think…

"The policy is built and the signatures are loaded — so I just flip it to Blocking and we're protected."

Wrong — and that one instinct is how Advanced WAF gets switched off in week one. Flip straight to Blocking and the WAF blocks the things it never learned were legitimate: a long base64 cookie, a JSON body with HTML in it, a parameter your devs added last sprint. Real customers hit a block page, the business escalates, and someone disables the policy "until it's fixed". Tuning is the job — not building. This capstone is the judgement layer on top of everything you already learned: read the Traffic Learning suggestions, separate false positives from attacks, accept the safe ones, and flip to Blocking only when it's safe.

① The tuning loop — and why you start in Transparent

Picture a new auto-rickshaw driver. Week one, he drives every route with the meter off — no charge, no risk. He learns which "wrong turns" were actually shortcuts. Only when he's driven every road does he switch the meter on. Your Advanced WAF policy does exactly this. It starts in Transparent mode: it watches real traffic, flags violations, but blocks nothing.

As traffic flows, the Policy Builder posts learning suggestions on Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning. Each one is the WAF saying "I saw this — do you want me to add it, relax it, or start enforcing it?" Your loop is simple and you repeat it daily: read suggestions → decide (accept / clear) → re-check Enforcement Readiness → repeat. When the screen goes quiet and Readiness is clean, you flip to Blocking. That is the whole capstone.

👉 So far: Transparent = meter off, learn the routes; Blocking = meter on. The Traffic Learning screen is where you read the routes. Next, see the full loop on the egress path.
Figure 1 — The Advanced WAF tuning loop (Transparent → tune → Blocking)
A cyclic diagram. Untrusted client traffic enters the BIG-IP, which runs the security policy in Transparent mode so it detects and logs but blocks nothing. The Policy Builder posts learning suggestions on the Traffic Learning screen. The engineer reads each suggestion, accepts false positives and clears attacks, then re-checks Enforcement Readiness. The loop repeats until Enforcement Readiness is zero not-ready, which is the green light to flip Enforcement Mode to Blocking, after which real attacks are blocked while legitimate traffic still passes. You don't build once and flip — you ride the loop until it's safe Untrusted / attack Trusted / inspected Decision / tuning The "aha" Real traffic users + attackers 203.0.113.7 … BIG-IP Advanced WAF Enforcement Mode: TRANSPARENT detect + log · block nothing Policy Builder posts Traffic Learning suggestions You read each suggestion → violation rating + learning score Accept false positives · Clear real attacks · re-check Enforcement Readiness repeat the loop daily until the screen goes quiet tuning loop Enforcement Readiness = 0 not ready staging passed · no new suggestions ← THE green light Flip → BLOCKING attacks blocked, legit passes Cert anchor 303 — BIG-IP ASM Specialist 90 min · 80 Q · pass 245/350 Golden rule: never flip to Blocking from the build screen. Flip only when Enforcement Readiness is clean.
Build once, tune many times. The loop — read, decide, re-check — is the job. Blocking is the reward at the end, not the start.

Sneha at Infosys faces this

Sneha built a brand-new policy for an internal HR app on Friday and flipped it to Blocking before the weekend "to be safe". Monday morning, managers can't approve leave — the app throws block pages.

Likely cause

She skipped the loop. With zero learning time in Transparent, the WAF never learned the app's legitimate URLs, parameters and long session cookies — so in Blocking it treats them as violations.

Diagnosis

Read what's being blocked, then read the suggestions for those same entities.

Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning
Fix

Set Enforcement Mode = Transparent, let the Policy Builder learn for the Enforcement Readiness Period (default 7 days), accept the legitimate-entity suggestions, then flip back to Blocking.

Verify

Re-test the leave-approval flow in Transparent: it triggers a learning suggestion (not a block). After accepting, Enforcement Readiness drops to clean for those entities.

▶ Watch the tuning loop — then watch the day-one Blocking mistake

Rahul at TCS brings a new policy live. Press Play for the safe loop, then Break it to see what flipping to Blocking on day one does to real users.

① TRANSPARENTPolicy goes live in Transparent — it detects and logs, blocks nothing
② LEARNPolicy Builder posts Traffic Learning suggestions for entities + violations it sees
③ TUNERahul accepts false positives, clears attacks, re-checks Enforcement Readiness
④ FLIPReadiness clean → flip Transparent → Blocking, attacks blocked, legit passes
Press Play to step through the safe tuning loop. Then press Break it.
Quick check · Q1 of 10

You bring a brand-new Advanced WAF policy live for a production app. What Enforcement Mode should it run in first?

Correct: b. Transparent is the "meter off" phase — the WAF learns the app's legitimate entities and posts suggestions without blocking anyone. Flip to Blocking only after tuning and a clean Enforcement Readiness. Going straight to Blocking (a) is exactly how a WAF gets disabled by an angry business unit on day one.

Pause & Predict

Two suggestions appear. One says "a parameter order_notes contains HTML" with rating 1; another says "SQL injection in the id parameter" with rating 5. Which one do you accept and which do you clear — and why? Type your guess.

Answer: Accept the rating-1 one — a low violation rating means "most likely a false positive", so you teach the policy that order_notes legitimately carries markup. Clear the rating-5 one — a high rating means "most likely a real attack", and accepting it would whitelist the attacker's payload. Rating tells you attack-ness; that's exactly Path 2.

② Violation rating vs learning score — the two-axis decision

This is the single skill that separates a junior who panics at every suggestion from an engineer who clears a Traffic Learning screen in ten minutes. Every suggestion gives you two numbers. Read them together and the decision makes itself.

The violation rating answers "how attack-like is this?" It is a 1-to-5 score the WAF assigns to the whole transaction — not one violation — by weighing the combination of violations and their business impact. The learning score answers a different question: "how confident am I?" It is a percentage that rises as the WAF sees the same thing from more sources, more sessions, over more time. At 100% the Policy Builder is ready to recommend you accept.

Read the official guidance straight from F5: a violation rating of 1 means "most likely a false positive — consider accepting", 3 means "needs examination", and 5 means "most likely a threat — consider clearing any learning suggestions associated with it". So the two axes give you a grid: low rating + high score = accept (a real false positive, seen often); high rating = clear (don't whitelist an attacker, no matter how often you saw them).

Pro tip — rating is about the request, score is about you

Don't confuse the two. Violation rating grades the traffic (is this an attack?). Learning score grades the policy's confidence (have I seen enough to be sure?). A rating-5 request can hit 100% learning score and you should still clear it — high confidence that something is a real attack is the opposite of a reason to accept it. This is the row examiners love on the 303 — BIG-IP ASM Specialist exam.

👉 So far: rating = attack-ness (1–5), score = confidence (%). Low rating + high score = accept; high rating = clear. Next, see the grid that turns those two numbers into one decision.
Figure 2 — The decision grid: violation rating × learning score
A two-by-two decision grid. The vertical axis is violation rating from low at the bottom to high at the top. The horizontal axis is learning score from low confidence on the left to high confidence on the right. Bottom-right, low rating and high score, is the green Accept zone for genuine false positives seen often. The whole top row, high rating, is the red Clear zone for real attacks regardless of confidence. The middle, rating around three, is the amber Examine zone where you open the request and judge. A lime aha note states that rating decides accept or clear, while score only tells you how soon to act. Two numbers, one decision — read the grid, not your gut Violation rating (attack-ness) Learning score (confidence) → 5 high 1 low RATING 4–5 → CLEAR (don't whitelist an attack) A high rating means "most likely a real attack." Accepting it would teach the WAF to allow the exploit. High learning score here just means you've seen the attacker a lot — still clear. RATING 3 → EXAMINE Open the request. Read the parameter, the value, the source. Then decide accept or clear by hand. LOW rating · LOW score Probably a false positive, but not seen enough → let it ripen LOW rating · HIGH score Genuine false positive, seen often → ACCEPT the suggestion The aha: RATING decides accept-or-clear. SCORE only tells you how soon to act. F5 guidance: rating 1 = likely false positive · 3 = examine · 5 = likely threat (clear)
Rating runs up the side, score runs along the bottom. Stay green for false positives, never accept anything in the red top row — that's the whole judgement.

Priya at Flipkart faces this

Priya sees 400 "Illegal meta character in parameter" suggestions on the checkout app, all rating 1, learning score climbing past 90%. The SOC wants her to clear them all "to be safe".

Likely cause

Legitimate behaviour. The delivery_note field accepts commas, apostrophes and ampersands — characters the WAF flags by default. Rating 1 + high score = a real false positive, seen widely.

DiagnosisSecurity ▸ Application Security ▸ Policy Building ▸ Traffic Learning → sort by Violation Rating ascending
Fix

Accept the suggestion — it relaxes the meta-character check for that parameter. Clearing them (the SOC's instinct) would just make the same false positives reappear tomorrow, never fixing the noise.

Verify

Re-run a real checkout: no new suggestion for delivery_note. Enforcement Readiness for that parameter goes clean. A genuine SQLi attempt still rates 5 and stays in the clear pile.

How the Security Policy Was Built (#2) Positive Security & Learning (#3)
Quick check · Q2 of 10

A suggestion shows violation rating 5 and learning score 100%. What should you do?

Correct: c. Rating drives the accept/clear decision; score only tells you how confident the WAF is that it has seen this enough. A rating of 5 = "most likely a threat — clear any learning suggestions associated with it" (F5's exact wording). A 100% learning score here just means the attacker has hit you a lot — never a reason to accept.

Pause & Predict

There are three buttons on a suggestion: Accept, Delete and Ignore. You clear (Delete) a false-positive suggestion to tidy the screen. Tomorrow the same suggestion is back. Why — and which button would have stopped it returning? Type your guess.

Answer: Delete only removes the suggestion now — if the same traffic recurs, the WAF generates it again. Accept changes the policy so the entity is learned and the suggestion stops. Ignore tells the Policy Builder to stop showing this specific suggestion permanently without changing the policy. For a genuine false positive you want Accept, not Delete. That's exactly Path 3.

③ Accept, Delete, Ignore — and per-entity vs per-signature

You've judged the suggestion. Now you act. The Traffic Learning screen gives you three buttons, and each does something different to the policy.

The three buttons (exact labels)

Analogy: Accept is "fix the pothole". Delete is "drive around it today" (it's there tomorrow). Ignore is "stop reminding me about that pothole" — you've decided you'll live with it.

Per-entity vs per-signature staging

Suggestions and enforcement happen at two granularities, and the 303 exam loves the difference:

The Enforcement Readiness summary at the top of the screen counts exactly this: how many entities and signatures are still not ready. When everything has sat through its Enforcement Readiness Period (default 7 days) with no new suggestions, that count hits zero — your green light.

Pro tip — "Enforce Ready" entities are your safe wins

You don't have to wait for the whole policy. The screen lets you enforce just the entities and signatures that are ready while the rest keep learning. Enforcing the ready ones early shrinks your attack surface without risking the parts you haven't tuned. 17.5 even adds a one-click "Enforce and Enable all Attack Signatures with High Risk & High Accuracy in the Signature Set" option.

👉 So far: Accept fixes, Delete is temporary, Ignore silences. Entities and signatures stage separately; Enforcement Readiness counts what's not ready. Next, see exactly where these buttons live.
Figure 3 — Accept vs Delete vs Ignore — what each button does to the policy
Three columns compare the Accept Suggestion, Delete Suggestion and Ignore Suggestion buttons across whether the policy changes, whether the suggestion returns, and the right time to use each. Accept changes the policy and stops the suggestion recurring, used for genuine false positives. Delete does not change the policy and the suggestion returns if the traffic recurs, used to clear a real attack from the list. Ignore does not change the policy but hides this specific suggestion permanently, used for judged noise. A lime aha note states that only Accept fixes the cause; Delete is temporary. Three buttons, three very different outcomes Changes policy? Suggestion returns? Use it when… Accept Delete Ignore YES — adds/relaxes NO NO No — cause fixed Yes, if traffic recurs Never (hidden) Genuine false positive (low rating) Clearing a real attack (high rating) Judged noise you don't want to see Enforcement Readiness summary — entities + signatures stage separately Per-entity (URL/param/file type) and per-signature each ride the 7-day Readiness Period. Count = 0 not-ready → safe to enforce. The aha: only Accept fixes the cause. Delete is "for now" — the same false positive comes back tomorrow. Buttons (exact GUI text): Accept Suggestion · Delete Suggestion · Ignore Suggestion
Accept fixes the cause. Delete is a broom, not a fix. Ignore is "I've judged this, hide it." Pick by intent, not by which clears the list fastest.
🖥️ Recreated for clarity — your BIG-IP console matches this
https://10.10.10.5/tmui/ — Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning
Local Traffic
Security
Application Security
› Security Policies
› Policy Building
· Traffic Learning
› Attack Signatures
Network
System
Current edited policy: prod_shop_app  ·  Enforcement Mode: Transparent  ·  Enforcement Readiness: 3 entities, 1 signature not ready
SuggestionAdd valid parameter delivery_note (illegal meta char) Rating 1 Accept Suggestion 1
Learning score96%   seen across 41 sources / 7 days 2
SuggestionSQL-Injection signature on parameter id Rating 5 Delete Suggestion 3
Enforce ready2 entities have passed staging — Enforce Ready available 4
A low violation rating (1)Accept teaches the policy this parameter is legit.   The learning score (%) shows how often/widely it was seen.   A high rating (5) is a real attack → never Accept; Delete/Clear it.   Enforcement Readiness drives the green light to enforce.
Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning — the screen you live on while tuning. Pins mark the four fields this lesson changes.

▶ Watch one entity ride staging into enforcement — then watch a forced flip

Karthik at Wipro tunes a parameter on a TCS-built app. Play the safe staging path, then Break it to see what enforcing before Readiness is clean does.

① STAGINGNew parameter delivery_note enters staging — monitored, never blocks
② SUGGESTIONMeta-char false positive posted, rating 1, learning score climbing
③ ACCEPTKarthik accepts → check relaxed for that param → no new suggestion
④ READY7-day Readiness Period passes clean → entity is Enforce Ready
Press Play for the safe staging-to-enforcement path. Then press Break it.

The four tuning verbs — tap each card

Each card front names the move; the back gives you the "so what" — when to reach for it during tuning.

Accept
tap to flip

Changes the policy — adds the entity or relaxes the check. So what: the only button that fixes the cause. Use on a genuine false positive (low rating).

🧹
Delete / Clear
tap to flip

Removes the suggestion now, no policy change — it returns if the traffic recurs. So what: clear a real attack (high rating); don't use it on a recurring false positive.

🙈
Ignore
tap to flip

Hides this specific suggestion permanently, no policy change. So what: judged noise you don't want cluttering the screen again.

🚦
Enforce
tap to flip

Moves a staged entity/signature into active blocking. So what: do it only when Enforcement Readiness is clean — or you'll block what you never learned.

Quick check · Q3 of 10

You judge a suggestion as a genuine, recurring false positive on a legitimate parameter. Which button stops it coming back?

Correct: a. Accept changes the policy (adds the entity or relaxes the check), fixing the cause so the suggestion doesn't return. Delete (b) only clears it from the list — the same traffic re-creates it tomorrow. Blocking (c) would start enforcing the very false positive you're trying to silence.

Pause & Predict

You're about to flip a policy serving 5,000 users from Transparent to Blocking. Enforcement Readiness still shows "12 entities not ready". What's the one thing that could break, and what should you do first? Type your guess.

Answer: Those 12 not-ready entities are URLs/parameters the WAF is still learning — flip now and it can block legitimate requests to them, stranding real users. Do this first: let staging finish (or accept the legit-entity suggestions so Readiness drops to 0), then flip Enforcement Mode to Blocking. Readiness clean is the green light. That's exactly Path 4.

④ The final flip — Transparent → Blocking, the safe way

Everything so far has been preparation. This is the moment the meter goes on. The control lives at Security ▸ Application Security ▸ Security Policies ▸ <policy> ▸ Policy Properties, in the Enforcement Mode field — a toggle between Transparent and Blocking.

The don't-block-legit-customers playbook

  1. Confirm Enforcement Readiness is clean. On Traffic Learning, the count of not-ready entities and signatures should be 0. If it isn't, you have learning left to do — finish it.
  2. Enforce the ready entities/signatures. Move what's passed staging into enforcement (or use the 17.5 one-click high-risk/high-accuracy enforce) so the policy actually checks them.
  3. Set Enforcement Mode = Blocking. Now an enforced violation returns the blocking response page instead of just logging.
  4. Watch the first hours. Keep the Traffic Learning screen open. A surprise false positive will surface as a low-rating suggestion — accept it, and the block clears for that entity.

Why this order matters: Transparent learns, staging protects you from new entities and fresh signatures blocking too early, and Enforcement Readiness is the one number that says "I won't strand a real customer." Flip before it's clean and you're the rickshaw driver charging a passenger on a route you never drove.

The two GUI knobs you actually touch

🖥️ Recreated for clarity — your BIG-IP console matches this
https://10.10.10.5/tmui/ — Security ▸ Application Security ▸ Security Policies ▸ prod_shop_app ▸ Policy Properties
Local Traffic
Security
Application Security
· Security Policies
· Policy Properties
› Policy Building
Network
System
Policy: prod_shop_app  ·  Properties
Policy Nameprod_shop_app
Enforcement Mode ◉ Transparent ◯ Blocking 1
Enforcement Readiness Period7 days 2
Enforcement Readiness0 entities / 0 signatures not ready 3
Save → flip to Blocking
Enforcement Mode toggle — flip from Transparent to Blocking only here.   The Enforcement Readiness Period (default 7 days) — the staging window.   Enforcement Readiness = 0 not ready is your green light to flip safely.
Security ▸ Application Security ▸ Security Policies ▸ <policy> ▸ Policy Properties — the Enforcement Mode toggle. Flip only when pin ③ reads zero.
tmsh — read Enforcement Readiness, then flip the policy to Blocking
# BIG-IP >= 14.1 · Advanced WAF · self IP 10.10.10.5
tmsh list asm policy prod_shop_app enforcement-mode
# check what is still staged before you flip:
tmsh show asm policy prod_shop_app | grep -i ready
# only when clean, flip Transparent -> Blocking:
tmsh modify asm policy prod_shop_app enforcement-mode blocking
tmsh save sys config
Expected output
enforcement-mode transparent
Enforcement Readiness : 0 entities, 0 signatures not ready
Policy prod_shop_app : enforcement-mode now blocking
Saving running configuration...  /config/bigip.conf  [  OK  ]
# If "not ready" > 0, do NOT flip — finish staging/accept legit suggestions first.
iControl REST — same flip via the management API (10.10.10.5)
curl -sku admin:****** -X PATCH \
  https://10.10.10.5/mgmt/tm/asm/policies/<policyId> \
  -H 'Content-Type: application/json' \
  -d '{"enforcementMode":"blocking"}'
Expected output
{
  "name": "prod_shop_app",
  "enforcementMode": "blocking",
  "isModified": true
}
# 200 OK — the policy is now Blocking. Watch Traffic Learning for any day-one false positives.
The trap behind a "finished" policy

Don't flip to Blocking because a date arrived or a manager asked. Flip because Enforcement Readiness = 0 not ready. Flipping with entities still staged is how Advanced WAF blocks the leave-approval button on Monday morning — and how the business unit asks you to "just turn it off". The clean Readiness count is the only green light that matters.

👉 So far: confirm Readiness = 0, enforce the ready items, flip Enforcement Mode to Blocking, then watch. Next, prove the flip was safe.

▶ Watch the flip get validated — then watch the day-one false positive

Priya at HDFC flips the policy to Blocking after a clean Readiness. Play the safe validated flip, then Break it to see a missed false positive surface.

① READINESSTraffic Learning shows 0 not ready — the green light
② FLIPPolicy Properties → Enforcement Mode = Blocking, saved
③ ATTACKA real SQLi (rating 5) hits → enforced signature blocks it, returns block page
④ LEGITA normal checkout passes untouched — the meter is on, the real passenger rides
Press Play for the safe validated flip. Then press Break it.

Aditya at TCS faces this

Aditya flipped to Blocking with a clean Readiness, but hours later one customer-facing form starts throwing block pages. Real users are affected. The team panics and wants to revert to Transparent for the whole app.

Likely cause

A low-volume legitimate flow the WAF saw too rarely to fully learn — so it surfaced only once real traffic hit it in Blocking. A rating-1 suggestion is already on the Traffic Learning screen for that exact entity.

DiagnosisSecurity ▸ Application Security ▸ Policy Building ▸ Traffic Learning → filter Violation Rating = 1
Fix

Accept the rating-1 suggestion for that entity — no need to revert the whole app. The check relaxes for that one parameter and the block clears, while every other enforced check keeps protecting.

Verify

Re-test the form: it submits cleanly. The Event Log shows the request now passes; a genuine attack on the same form still blocks. Don't revert — tune the one entity.

Verify it worked — the log that ends the argument

Never claim "we're safely in Blocking" from the Policy Properties screen alone. Do a safe synthetic attack (e.g. a harmless test payload that trips a signature), then open Security ▸ Event Logs ▸ Application ▸ Requests, filter on your test source + last hour, and read the Violation, Attack Type and Request Status columns. Request Status = blocked with the support ID proves the policy is enforcing. If a real request shows blocked instead, that's your day-one false positive — go accept its suggestion.

Event Logs filter — confirm the policy is enforcing after the flip
Security ▸ Event Logs ▸ Application ▸ Requests
  Filter:  Policy = prod_shop_app  AND  Request Status = Blocked  AND  last 1 hour
  Columns: Source IP · Violation · Attack Type · Violation Rating · Support ID
Expected output
2026-06-02 14:22  src 203.0.113.7    Status: BLOCKED
  Violation: Attack signature detected   Attack Type: SQL-Injection
  Violation Rating: 5   Support ID: 8847120053361902
2026-06-02 14:23  src 172.16.40.18   Status: PASSED   (legit checkout, internal LAN)
# If a real user (e.g. 192.168.10.x) shows BLOCKED → accept that entity's rating-1 suggestion.
Quick check · Q4 of 10

Hours after flipping to Blocking (Readiness was clean), one legitimate form starts throwing block pages and a rating-1 suggestion appears for that entity. Best response?

Correct: d. A rating-1 suggestion is a false positive on a legit entity — accept it to fix that one check without weakening the rest of the policy. Reverting the whole app to Transparent (a) throws away all your protection over a single parameter. Tuning is surgical, not all-or-nothing.
Figure 4 — Transparent vs Blocking: what the same attack does (control OFF vs ON)
A two-panel before-and-after diagram. On the left, control off, the policy is in Transparent mode: a SQL injection attack reaches the web server because Transparent only detects and logs, so the attack succeeds while learning. On the right, control on, the policy is in Blocking mode after tuning: the same SQL injection attack is blocked with a blocking page and a support ID, while a legitimate checkout request still passes through to the server. A cheat-sheet footer lists the tuning loop steps and the golden rule that you flip only when Enforcement Readiness is zero not ready. BEFORE · Transparent (control OFF) Attacker SQLi in id= WAF log only no block App Attack SUCCEEDS — Transparent detects but blocks nothing. This is fine ON PURPOSE during tuning — you're learning, not yet protecting. Never leave a prod app here for long. AFTER · Blocking (control ON) Attacker SQLi Real user checkout WAF Blocking ⛔ Blocked + ID ✓ App reached Attack BLOCKED, legit checkout PASSES. The aha: you only get here after a clean Enforcement Readiness. THE TUNING LOOP (screenshot this) Transparent → read suggestions (rating + score) → Accept FP / Clear attack → re-check Readiness → repeat → Flip to Blocking GOLDEN RULE: flip Transparent → Blocking only when Enforcement Readiness = 0 not ready. rating 1–2 = accept (false positive) · 3 = examine · 4–5 = clear (attack) · score % = how soon, not whether Validate in Security ▸ Event Logs ▸ Application ▸ Requests (Request Status + Support ID) — never from the Policy Properties screen alone.
Same SQL injection, two modes. Transparent (OFF) lets it through on purpose while learning; Blocking (ON) stops the attack and still serves the real customer. That gap is the whole point of the flip.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from F5 techdocs + DevCentral, scoped to Advanced WAF (ASM) tuning. For a live prod issue, paste your Event-Log export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Per F5's guidance, a learning suggestion with a violation rating of 1 means the request is…

Correct: b. F5's exact wording: rating 1 = "most likely a false positive — if it is, consider accepting learning suggestions". Rating 5 is the attack end of the scale; 3 means examine.
Q6 · Apply

Karthik wants to start protecting a production app but must guarantee no real user is blocked while he tunes. What's his first move?

Correct: a. Transparent detects, logs and learns while blocking nothing — the safe "meter off" phase. He tunes from the suggestions it posts, and flips to Blocking only when Readiness is clean. Blocking first (b) is the day-one mistake.
Q7 · Analyze

A suggestion shows violation rating 4 and learning score 88%. The junior engineer wants to accept it because the score is high. What do you tell them?

Correct: c. Rating drives accept/clear; score only tells you confidence/how-soon. A rating of 4 = "looks like a threat, examine it" — accepting would risk whitelisting an attack. Examine the request, and if it's an attack, clear it. High score is never a reason to accept a high-rating suggestion.
Q8 · Analyze

An engineer clears (Delete) a recurring rating-1 false-positive suggestion every morning to "keep the screen tidy", yet it's back the next day. What's actually happening?

Correct: b. Delete only removes the suggestion from the list; it doesn't add/relax the entity, so the recurring legit traffic re-creates it. For a genuine false positive you Accept (changes the policy) — or Ignore to hide it permanently. Delete is for clearing attacks, not fixing false positives.
Q9 · Evaluate

A manager orders "go to Blocking today" for a customer-facing app, but Enforcement Readiness still shows 18 entities not ready. As the engineer, what's the right call?

Correct: c. Flipping with 18 not-ready entities risks blocking real customers on entities the WAF hasn't learned. You can enforce the ready items immediately (partial protection) and finish staging the rest. Deleting suggestions to fake a clean count (d) is dishonest tuning — the entities are still un-learned and will block legit traffic.
Q10 · Evaluate

For an HDFC banking portal, an engineer proposes turning OFF staging for newly downloaded attack signatures "so every new signature blocks immediately". Sound design?

Correct: c. A new or updated signature can match legitimate banking traffic (a false positive). Per-signature staging lets it observe and post suggestions without blocking, so you enforce only the ones proven safe. Disabling staging on a customer-facing portal is exactly how a signature update strands real users. Option (d) contradicts itself — Transparent blocks nothing regardless.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is it safe to flip a policy from Transparent to Blocking only when Enforcement Readiness shows 0 not ready? Then compare to the expert version.

Expert version: In Transparent mode the WAF only detects and logs while it learns the app's legitimate entities (URLs, parameters, file types) and stages new/updated signatures. An entity or signature that's still "not ready" hasn't finished its Enforcement Readiness Period — the WAF hasn't confirmed it's legitimate. Flip to Blocking with not-ready items and the WAF can block those legitimate requests, stranding real customers. When the count is 0, everything enforced has been learned or tuned, so Blocking stops attacks without breaking legit traffic. If your answer mentioned "not-ready entities aren't learned yet, so they'd block real users", you've got it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Advanced WAF (formerly ASM)
F5 BIG-IP Advanced WAF — ASM + L7 Behavioral DoS + Bot Defense + credential-stuffing/brute-force protection + DataSafe. ASM went End-of-Sale 01-Apr-2021; existing ASM customers on BIG-IP ≥14.1 under support can reactivate to Advanced WAF free. The TMUI module is still labelled "Application Security".
Transparent mode
Enforcement Mode where the policy detects and logs violations and learns from traffic but blocks nothing — the safe tuning phase.
Blocking mode
Enforcement Mode where the WAF actively blocks enforced violations and returns the blocking response page.
Traffic Learning
The Policy Building screen (Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning) where the Policy Builder posts learning suggestions and the Enforcement Readiness summary.
Learning suggestion
A recommendation to add an entity, relax a check, or enforce a signature, based on observed traffic. Acted on with Accept, Delete, or Ignore.
Violation rating
A 1–5 score for the whole transaction. 1–2 = likely false positive (accept), 3 = examine, 4–5 = likely attack (clear). It grades the traffic.
Learning score
A percentage showing how confident the Policy Builder is, based on how often/widely the entity was seen. It grades the WAF's confidence, not whether the traffic is safe.
Staging
A state where a new entity or signature is monitored and generates suggestions but is not enforced — it cannot block yet. Entities and signatures stage independently.
Enforcement Readiness
The Traffic Learning summary counting how many entities/signatures are still not ready. 0 = everything has passed staging with no new suggestions — the green light to enforce.
Enforcement Readiness Period
The window (default 7 days) a staged entity/signature must collect no new suggestions before it's considered ready to enforce.
Enforcement Mode
The policy-level switch (Policy Properties) between Transparent and Blocking. The master "meter off / meter on" toggle.
Violation Rating Based Enforcement
A safety net where a transaction rated 4–5 can block even if individual violations have their Block flag off.

📚 Sources

  1. F5 BIG-IP Documentation — Refining Security Policies with Learning (Traffic Learning, learning suggestions, learning score, Accept/Delete/Ignore Suggestion, Enforcement Readiness Period, unlearnable violations). techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/refining-security-policies-with-learning.html
  2. F5 BIG-IP Documentation — Working with Violations (violation rating 1–5 scale, rating assigned to the whole transaction, separating false positives from attacks). techdocs.f5.com/en-us/bigip-17-5-0/big-ip-asm-implementations/working-with-violations.html
  3. F5 Knowledge — Violation Rating Based Enforcement (K000137152) — a 4–5 transaction blocks even when individual violations have Block off; per-entity vs per-signature enforcement. my.f5.com
  4. F5 DevCentral / community.f5.com — threads "ASM staging in Transparent and Blocking — what is difference", "ASM Learning and Enforcement readiness period, can we change?", "ASM transparent mode" (staging behaviour, readiness period, Transparent→Blocking false positives). community.f5.com
  5. F5 BIG-IP 17.5.0 Release Notes — New Features (Base64 semantic auto-detection to reduce false positives; new "Enforce and Enable all Attack Signatures with High Risk & High Accuracy in the Signature Set" GUI option; JWT validation). techdocs.f5.com/en-us/bigip-17-5-0/big-ip-release-notes/big-ip-new-features.html
  6. F5 Certification — 303 — BIG-IP ASM Specialist Exam Blueprint (90 minutes, 80 questions, pass 245 of 100–350; policy building, learning, enforcement objectives). education.f5.com/exams/big-ip-asm-specialist-303
  7. Reddit r/f5networks — practitioner discussion on tuning ASM in Transparent before going to Blocking and reading violation rating vs learning score. reddit.com/r/f5networks

What's next?

That's the series. You can now run the full Advanced WAF tuning loop — read suggestions, judge with rating + score, accept or clear, watch Enforcement Readiness, and flip to Blocking without stranding a customer. Loop back to the foundations any time, then prove it on the simulator and the 303 mock.

Try the F5 WAF Simulator → Practice the 303 on exam.techclick.in →