Most engineers think…
"A WAF works by having a giant list of attack signatures. The more signatures I switch on, the safer my app is."
Wrong — and that instinct is exactly why so many WAFs miss zero-days and drown the SOC in noise. Signatures (negative security) try to enumerate every possible attack — an endless, losing race. F5 BIG-IP Advanced WAF (formerly ASM) adds a second, smarter model: positive security — it learns the much smaller set of things your app legitimately uses (its URLs, parameters, file types, cookies) and treats anything outside that allow-list as suspect. Policy Builder builds that allow-list for you by watching real traffic. This lesson builds the instinct: enumerate the good, stage it safely, then tighten until only known-good gets in.
① Positive security — allow-list the good, don't chase every bad
Picture a Big Fat Indian Wedding. A bouncer who tries to recognise every possible gatecrasher will fail — there are infinitely many. The smart bouncer instead learns the guest list: these relatives, this caterer, that decorator, entering through that gate. Anyone not on the learned list gets a second look. That is positive security.
In Advanced WAF, the two models work together. Negative security (attack signatures) blocks known-bad. Positive security allow-lists known-good — the legitimate entities your app actually serves. A request that asks for a URL your app never exposes, or sends a parameter the app never uses, sits outside the allow-list — a violation, even if no signature matches it. That is how positive security catches zero-days that signatures miss.
Quick history (state this the same way every time): ASM went End-of-Sale on 01-Apr-2021. Advanced WAF (launched 2018) = ASM + L7 Behavioral DoS + Bot Defense (Proactive Bot Defense) + credential-stuffing/brute-force + DataSafe. Existing ASM customers on BIG-IP ≥ 14.1 under support can reactivate to Advanced WAF free. The GUI module is still literally Security ▸ Application Security and many screens still say "ASM" — so we use "ASM" for the menu/legacy name and "Advanced WAF" in prose. The cert anchor for this whole series is the 303 — BIG-IP ASM Specialist exam (90 min, 80 questions, pass 245/350).
Sneha at Infosys faces this
Sneha deployed a brand-new app behind Advanced WAF and turned on every attack signature she could find. A zero-day still got through to a URL the app never exposes — and the SOC is asking why the WAF "did nothing".
She relied only on negative security (signatures). The attack used a payload no signature recognised, against a URL outside the app's legitimate set — exactly the gap positive security closes.
Check whether Policy Builder is learning entities, or whether the policy is signatures-only.
Security ▸ Application Security ▸ Policy Building ▸ Learning and Blocking SettingsEnable automatic Policy Builder so it learns the legitimate URLs, parameters and file types. Now a request to a never-seen URL raises a violation even with zero signature matches.
Watch Traffic Learning populate with suggestions; the never-exposed URL now appears as an Illegal URL violation in the event log.
▶ Watch Policy Builder learn an entity — then watch it block too early
Rahul at TCS turns on automatic Policy Builder for a new app. Press Play for the healthy learn → stage → enforce path, then Break it to see what skipping staging does.
Negative security blocks known-bad with signatures. What does the positive security model do instead?
Pause & Predict
Policy Builder has watched traffic for a day and proposes adding /cart/checkout as a legitimate URL. How do you think ASM decides whether it's confident enough to recommend you accept it? Type your guess.
② Traffic Learning — how Policy Builder discovers your entities
You don't hand-write the allow-list. Policy Builder watches live traffic and builds it for you. The screen where you review what it found is Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning — the heart of this lesson.
As traffic flows, ASM generates learning suggestions for requests that don't yet match the policy. Each suggestion is "I keep seeing this file type / URL / parameter / cookie / redirection domain — should I add it as legitimate?" You Accept, Delete or Ignore each one. (Accepting how to go live / flip to blocking is a judgement call covered in the False-Positive Tuning lesson — here we learn what the entities and the workflow are.)
The two numbers that matter. Every suggestion carries a learning score and is shaped by the request's violation rating. Keep them straight:
- Learning score (0–100%) — how confident Policy Builder is that the suggestion is safe to accept. It climbs as the entity is seen more often, from more sources, over more time. At 100%, automatic Policy Builder accepts it for you; you can accept a valid one earlier.
- Violation rating (1–5) — how attack-like the triggering request looks. This drives the score: lower violation rating → higher learning score (looks benign, trust it), higher rating → the score stalls (looks like an attack, don't trust it).
Don't force-accept a suggestion just to clear the screen. A score that won't climb usually means the entity keeps arriving with medium/high violation ratings — ASM is quietly telling you "this looks more like an attack than a feature". Investigate that traffic before you add it as legitimate. A score racing to 100% on low ratings is the genuinely safe one.
Priya at Flipkart faces this
Priya opens Traffic Learning to a flood of low-value suggestions for one-off URLs (campaign links with random query strings) that will never repeat. The signal is buried in noise.
Policy Builder is dutifully suggesting every new URL it sees. The genuinely useful suggestions are drowned by transient ones.
Ignore the suggestions she never wants to see again (they're filtered out of the list), Delete pure noise (a recurrence resets that entity's learning score to zero), and accept the high-score, low-rating ones. Sorting by score surfaces the real signal.
The Traffic Learning list shrinks to meaningful entities; the Enforcement Readiness Summary counts start to make sense.
A new file type appears in Traffic Learning with a learning score climbing toward 100%. What does that score mean?
Pause & Predict
Policy Builder just learned a brand-new parameter on a live banking app used by 5,000 people. If ASM enforced it the instant it was learned, what could go wrong — and what mechanism prevents that? Type your guess.
③ Staging and the three learning modes
Learning an entity is only half the job. The other half is doing it safely, so a new entity never causes an outage. That's what staging and the per-entity learning modes are for.
| Suggestion | Entity | Learning Score | Action |
|---|---|---|---|
| 1 Add valid URL | /cart/checkout | 100% | Accept · Ignore |
| Add valid parameter | coupon | 88% | Accept · Ignore |
| 2 Add valid file type | 74% | Accept · Ignore | |
| Add valid parameter | id (rating 5) | 11% | Delete · Ignore |
Read the screen like a triage queue. Pins ① and ② are high-score, benign suggestions (low violation rating) — accept them. The id parameter at pin-area sits at 11% with violation rating 5 — ASM is warning you this looks like an attack, so you Delete it, not accept. Pin ③ is the Enforcement Readiness Summary, which we read in Path 4.
Entity staging — the safety window
Staging means an entity (or an attack signature) is in the policy but not enforced — ASM logs it and posts learning suggestions, but never blocks on it. New entities and new signatures go into staging automatically. The window is the enforcement readiness period (default 7 days). If no new learning suggestions appear for an entity across that period, it's considered ready to be enforced.
Analogy: staging is a new bouncer shadowing a senior for a week. He watches who comes in and notes faces, but he doesn't turn anyone away yet. Only after the week — once nothing new surprises him — does he start enforcing the guest list.
The three learning modes — per entity type
For file types, URLs and parameters you choose how aggressively Policy Builder learns, in Learning and Blocking Settings:
- Add All Entities — learn every explicit entity seen in traffic. Builds a comprehensive, granular allow-list (the strictest, but the policy gets large). Not available for cookies.
- Selective — start with a wildcard; when a wildcard match draws a false positive, add an explicit entity with relaxed settings. The balance of security, small policy size and low maintenance.
- Never (wildcard only) — keep a wildcard and only ever relax the wildcard on a false positive; never add explicit entities. Easiest to manage, least strict.
There's also a Compact flavour (top-level URLs like /abc/* enforced explicitly, the rest under a wildcard, with pre-populated disallowed file types) for very large apps.
▶ Watch a new entity move through staging — then watch it block too early
Karthik at Wipro adds a new parameter to a live app. Play the safe staging flow, then Break it to see what skipping staging does.
order_ref is finally blockedThe five entity types Policy Builder learns — tap each card
Positive security tracks five kinds of entity. The front names it; the back gives the "so what" — what the allow-list protects.
Extensions the app legitimately serves (html, jsp, pdf). So what: a request for a file type the app never uses (e.g. .bak, .cgi) is a violation — blocks recon & backup-file probing.
The paths the app actually exposes. So what: a request to a never-published URL (forced browsing, admin probing) raises an Illegal URL violation even with no signature match.
The inputs each URL takes, with learned type/length/meta-char rules. So what: the richest control — a parameter with an unexpected value or extra param is flagged, catching injection/tampering.
The cookies the app sets, learned as allowed/enforced. So what: a modified or injected cookie is a violation — stops cookie tampering. (No "Add All" mode for cookies.)
The domains the app is allowed to redirect users to. So what: the allow-list blocks open-redirect abuse to an attacker's site. (Selective mode doesn't apply here.)
Any new entity is logged-not-blocked for the readiness period (default 7 days). So what: the safety window — a freshly-learned entity can never cause an outage before you've reviewed it.
An entity is in staging. A request arrives that would violate its setting. What does ASM do?
Pause & Predict
An auto-built policy has grown huge — wildcards everywhere and dozens of entities still sitting in staging. You want to shrink and harden it without re-learning from scratch. What single Policy Builder action does that? Type your guess.
④ Tighten the policy and read the Enforcement Readiness Summary
You've learned entities and staged them safely. The last two moves are tightening the policy so it stays lean, and reading the summary that tells you what's ready to enforce.
Loosen vs tighten — the two stabilize directions
Policy Builder stabilizes a policy in two directions, each with its own requests-and-time threshold in Learning and Blocking Settings → Policy Building Process:
- Loosen Policy (add) — when traffic shows a legitimate entity is missing, add it / relax a setting so the app keeps working.
- Tighten Policy (stabilize) — tightening shrinks and hardens: it deletes redundant wildcard entities, removes stabilized entities from staging, and enforces violations that haven't occurred for the configured number of requests/time. This is how an auto-built policy stops sprawling.
Analogy: the wedding bouncer's week is over. Loosening is adding a late-confirmed cousin to the list. Tightening is striking off the "maybe" entries nobody used and locking the final list — fewer names, firmer door.
The Enforcement Readiness Summary — your go/no-go board
Open Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning and read the Enforcement Readiness Summary. For each entity type (File Types, URLs, Parameters, Cookies, Redirection) it shows a Not Enforced count. A number greater than zero means entities of that type are still in staging (or a wildcard is still learning explicit matches) — being learned and logged, but not yet able to block. When the staging period passes with no new suggestions, they become Ready to be Enforced, and you can enforce them. The summary is the single screen that answers "is this policy safe to enforce yet?".
| Parameter Name | Value Type | 1 State | Last Updated |
|---|---|---|---|
| * (wildcard) | User-input | Enforced | 2026-05-19 |
| username | Alpha-numeric | Enforced | 2026-05-21 |
| coupon | Alpha-numeric | Enforced | 2026-05-24 |
| 2 order_ref | Decimal | Staged · 4d left | 2026-05-30 |
| filter | Alpha-numeric | Staged · 6d left | 2026-06-01 |
Pin ① is the State column — your at-a-glance "is this blocking yet?". Pin ② is order_ref, the parameter Karthik just learned, still Staged with 4 days left in its window; it logs but can't block until it stabilizes. The wildcard and the older parameters are already Enforced.
The same moves at the command line
ASM is GUI-heavy, but tmsh and the iControl REST API expose the same state. Useful for audits and automation.
root@(bigip01)(cfg-sync)(Active)(/Common)(tmos)# list asm policy shop_app_policy parameters
# realistic mgmt IP 10.1.1.245 — run from the BIG-IP CLI
asm policy shop_app_policy {
parameters {
order_ref { perform-staging enabled }
coupon { perform-staging disabled }
}
}order_ref : perform-staging = enabled (still in the 7-day readiness window) coupon : perform-staging = disabled (enforced — now blocks bad input) # perform-staging enabled = entity is staged (logs, no block) # perform-staging disabled = entity is enforced
curl -sk -u admin:****** \ https://10.1.1.245/mgmt/tm/asm/policies//policy-builder \ | python3 -m json.tool
{
"enforcementReadinessPeriod": 7,
"learningMode": "automatic",
"trustAllIps": false
}
# enforcementReadinessPeriod = 7 days (the default staging window)
# If a never-seen URL still shows Not Enforced > 0 → it is still learning, not ready."The 7-day window ended, so I'll flip the whole policy to Blocking." Wrong reflex. The readiness period ending only makes entities eligible to enforce — it does not mean you reviewed every outstanding suggestion. On a busy app a legitimate-but-rare entity can still be sitting unaccepted. Triage the Traffic Learning list and confirm the Enforcement Readiness Summary first. (The full judgement of flipping to blocking is the False-Positive Tuning lesson — here, just don't treat "7 days passed" as "review done".)
▶ Watch a zero-day hit a signature-only WAF — then a learned allow-list
A forced-browse request to /admin/backup.bak arrives. Play to see the learned allow-list catch it, then Break it to see what happens with positive security off (signatures only).
Aditya at HCL faces this
Aditya's auto-built policy never blocks anything, even obvious bad input, two weeks after go-live. Every entity in the Enforcement Readiness Summary still shows a non-zero Not Enforced count.
The entities are still staged — learned and logged, but never enforced. Policy Builder is in learning/transparent mode and nobody tightened or enforced the stabilized entities.
Review the Ready to be Enforced entities, run Tighten Policy to clear stabilized ones from staging, then Enforce them. The policy can only block on enforced entities.
Re-test the bad input; the entity's State now reads Enforced and the request is blocked with the matching violation in the event log.
Never claim an entity is enforcing from memory. Open Security ▸ Application Security ▸ Parameters (or URLs / File Types) and read the State column — Enforced vs Staged. Cross-check the Enforcement Readiness Summary: a Not Enforced count of 0 for that type means everything is live. If a request you expect to block sails through, the entity is almost always still staged — not a Policy Builder bug.
The Enforcement Readiness Summary shows a number greater than zero in the Not Enforced column for Parameters. What does that tell you?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from F5 techdocs + DevCentral, scoped to ASM positive security & learning. For a live prod issue, paste your Traffic Learning export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: why does ASM put a newly-learned entity into staging before it can block? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- Positive security model
- Allow-lists the known-good entities an app uses (URLs, parameters, file types, cookies, redirection domains); anything outside the list is a violation. The complement of signature-based negative security.
- Negative security model
- The signature-based approach — a list of known attack patterns to block. Covered in the Attack Signatures lesson.
- Policy Builder
- The ASM component that watches real traffic and proposes entities to add to the policy. Runs in automatic or manual mode.
- Traffic Learning
- The screen (Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning) where you review learning suggestions and the Enforcement Readiness Summary.
- Learning suggestion
- A Policy Builder recommendation to add, relax or enforce an entity, based on observed traffic. You Accept, Delete or Ignore it.
- Learning score
- A 0–100% confidence that a suggestion is safe to accept, built from how often/widely/long an entity is seen and pushed up by low violation ratings. At 100% automatic Policy Builder accepts it.
- Violation rating
- ASM's 1–5 estimate of how attack-like a request is (5 = almost certainly an attack). It drives the learning score: lower rating → higher score.
- Entity
- Any element the positive model tracks — a file type, URL, parameter, cookie or redirection domain.
- Staging
- A per-entity (or per-signature) mode where ASM logs and suggests but never blocks, for the enforcement readiness period — so a new entity can't cause an outage.
- Enforcement readiness period
- The time a new policy/entity is observed without blocking — default 7 days — before it's considered ready to enforce.
- Enforcement Readiness Summary
- The Traffic Learning table showing, per entity type, a Not Enforced count (still staged/learning) vs Ready to be Enforced.
- Tightening (stabilize)
- Policy Builder shrinking and hardening a policy: deleting wildcard entities, removing stabilized entities from staging, and enforcing violations that have not occurred.
- Advanced WAF (formerly ASM)
- F5 BIG-IP Advanced WAF — ASM (End-of-Sale 01-Apr-2021) plus L7 Behavioral DoS, Bot Defense, credential-stuffing/brute-force and DataSafe. The GUI module is still labelled "Application Security".
📚 Sources
- F5 techdocs — Refining Security Policies with Learning (learning suggestions, learning score, violation rating, staging, enforcement readiness period, Loosen/Tighten settings, Accept/Delete/Ignore). techdocs.f5.com — BIG-IP ASM Implementations 14.1.0.
- F5 techdocs — Changing How a Security Policy is Built & Adding Entities to a Security Policy (Add All Entities / Selective / Never wildcard-only / Compact learning modes; file types, URLs, parameters, cookies, redirection domains). techdocs.f5.com.
- F5 / MyF5 — K74535942: Building web application security policies with entities & Creating a Security Policy Automatically (automatic Policy Builder, Enforcement Readiness Summary "Not Enforced" column). my.f5.com.
- F5 DevCentral community — "ASM — confusion about Wildcard, Selective, All Entities", "ASM Policy Builder stuck at 52%", "The difference between Real Traffic Policy Builder & Staging & Learn" (real-world staging/stabilize behaviour). community.f5.com.
- F5 security advisories (≤12 mo) — K000158072 / CVE-2025-55669 (HTTP/2 TMM termination) and CVE-2025-54858 (JSON-schema uncontrolled recursion in bd) affecting BIG-IP Advanced WAF / ASM, disclosed 15-Oct-2025. my.f5.com.
- F5 Certification — 303 — BIG-IP ASM Specialist Exam Blueprint (K29900360; 90 min, 80 questions, pass 245/350; positive-security / Policy Building objectives) and the Configuring F5 Advanced WAF (previously licensed as ASM) v16.1 course outline. education.f5.com / techdocs.f5.com.
What's next?
You can now explain the positive-security model, read Traffic Learning's suggestions and scores, stage entities safely, tighten a policy, and read the Enforcement Readiness Summary. Next, learn the judgement of going live — triaging false positives and flipping a policy from Transparent to Blocking without breaking the app.