TTechclick ⚡ XP 0% All lessons
F5 · BIG-IP ASM · Building a Security PolicyInteractive · L1 / L2 / L3

F5 ASM Building a Security Policy — Templates, Building Blocks & Learning

Sneha at Infosys has to put a WAF in front of an internal app she barely knows — by Friday. Hand-defining every URL and parameter would take weeks. So she picks the Rapid Deployment template, runs it in Transparent mode, and lets automatic policy building learn the app's real entities from live traffic. By Friday the policy is tightening itself around the actual application. This lesson shows you how an F5 BIG-IP Advanced WAF (formerly ASM) security policy is built — templates, the building blocks (file types, URLs, parameters, headers), the learning engine, and tightening from Transparent to enforced — the way the 303 exam tests it.

📅 2026-06-02 · ⏱ 12 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn F5 BIG-IP Advanced WAF (formerly ASM) security-policy building the AI-era way — templates (Rapid Deployment), the policy building blocks (file types, URLs, parameters, headers), automatic policy building / learning, and going from Transparent to enforced. 303 exam aligned. 12 min.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Templates

Rapid Deployment vs application-ready: where a new policy starts and how much it ships with.

 2

Building Blocks

File types, URLs, parameters, headers — the entities ASM allows and the positive-security model.

 3

Policy Building & Learning

The learning engine: how ASM proposes suggestions from real traffic so you don't hand-build.

 4

Review & Enforce

Accept suggestions, ride out the readiness period, tighten Transparent → enforced.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. You must stand up a WAF policy fast with minimal manual config. What's the quickest sane starting point?

Answered in Path 1 — Templates. Rapid Deployment gives you a working baseline fast.

2. File types, URLs, parameters and headers in a policy are collectively called…?

Answered in Path 2 — Building Blocks. Entities = the positive-security side.

3. A brand-new policy goes straight to Blocking with no learning. Real users get blocked on normal pages. Why?

Answered in Path 3 & 4 — Learning & Enforce. Learn in Transparent, then Block.

Most engineers think…

"To build a security policy I have to hand-define every URL, parameter and file type myself."

Wrong — and that instinct is why so many ASM projects stall for months. You start from a template (Rapid Deployment is the common one), deploy it in Transparent mode, and let automatic policy building learn your app's real entities from live traffic. ASM watches actual requests, proposes learning suggestions (these URLs, these parameters, this file type are legitimate), and you review and accept them. The policy tightens around your real application in days, not months. This lesson builds the right instinct: template → learn → review → enforce.

① Templates — where a new policy starts

Think of buying a house. You don't pour the foundation, frame the walls, and run every pipe yourself from scratch — you start from a builder's standard plan and customise. A deployment template is that standard plan for an Advanced WAF policy. When you create a policy under Security ▸ Application Security ▸ Security Policies, you pick a template instead of starting from an empty page.

The two you meet first:

The template only sets your starting point and how aggressively ASM learns. Whatever you pick, the real policy comes from tuning it against your actual traffic. The GUI module is still labelled Security ▸ Application Security, and many screens say "ASM" — that legacy module name lives on inside Advanced WAF.

👉 So far: a new policy starts from a template — Rapid Deployment for speed, application-ready for a tighter model. Next, what's actually inside a policy.
Figure 1 — A policy has two halves: allow known-good (positive) + block known-bad (negative)
An isometric trust-zone diagram. An untrusted client on the internet sends an HTTP request to a BIG-IP Advanced WAF virtual server. Inside the WAF the security policy applies two checks: a positive-security model that allows only the known-good building blocks (file types, URLs, parameters, headers) that the policy learned, and a negative-security model of attack signatures that blocks known-bad patterns. A request that fits the allowed entities and trips no signature is forwarded to the trusted application server pool; a request that violates an entity or matches a signature is blocked when the policy is enforced, or only logged while learning in Transparent mode. One policy, two checks: allow known-good entities + block known-bad signatures Untrusted / attacker Trusted / inspected Inspection / decision Key insight Client (internet) 203.0.113.7 — untrusted HTTP req BIG-IP Advanced WAF virtual server 10.10.20.5:443 ① Positive: allow known-good file types · URLs · params · headers ② Negative: block known-bad Enforced → BLOCK violation Transparent/learning → log only fits entities → forward App pool trusted · 172.16.8.0/24 only clean traffic arrives violates entity → drop Blocked + logged violation + support ID Building the policy = teaching ASM your known-good entities. A template seeds it; automatic policy building learns the rest from real traffic; you review, then enforce. Positive = allow known-good entities you learned · Negative = block known-bad attack signatures. GUI module: Security ▸ Application Security (still labelled "ASM" on many screens inside Advanced WAF).
A policy is both halves at once: the positive model allows the entities you learned, the negative model blocks known-bad signatures. Building the policy is mostly teaching ASM the positive side from real traffic.

Sneha at Infosys faces this

Sneha has 2 days to protect an internal HR app she's never touched. She starts hand-defining URLs and parameters one by one — and realises she'll never finish in time, let alone keep it current as the app changes.

Likely cause

She's building the policy the slow way. ASM is designed so you don't hand-define every entity — you start from a template and let it learn.

Diagnosis

Check how the policy was created.

Security ▸ Application Security ▸ Security Policies → Create → choose a template
Fix

Create the policy from the Rapid Deployment template in Transparent mode, attach it to the virtual server, and let automatic policy building learn the entities from real traffic. Review suggestions, then enforce.

Verify

After a day of traffic, open Traffic Learning — ASM has proposed the app's real URLs, parameters and file types as suggestions, ready to accept.

▶ Watch a policy get built — template, learn, review, enforce

Rahul at TCS stands up a new policy. Press Play for the build-by-learning path, then Break it to see what happens when he skips learning and enforces blind.

① TEMPLATECreate the policy from Rapid Deployment, deploy in Transparent
② LEARNAutomatic policy building watches real traffic and proposes learning suggestions (URLs, params, file types)
③ REVIEWYou accept the legitimate suggestions on the Traffic Learning screen
④ ENFORCESwitch to Blocking and Apply → the tuned policy now blocks real attacks, not real users
Press Play to step through the build-by-learning path. Then press Break it.
Quick check · Q1 of 10

You must stand up a working BIG-IP Advanced WAF security policy fast, with minimal manual configuration. Best starting point?

Correct: b. The Rapid Deployment template gives a working baseline fast; deploying Transparent and letting policy building learn the entities means you tune to the real app instead of hand-defining everything. Hand-building (a) is slow and goes stale; empty + Blocking (c) blocks real users.

Pause & Predict

A policy "allows" a request only if it fits the things the policy knows about your app — the file types, URLs, parameters and headers it has learned. What's the umbrella term for those four things in an ASM policy? Type your guess.

Answer: The policy's building blocks (also called entities). File types, URLs, parameters and headers are the entities ASM allows — the positive-security side of the policy. That's exactly Path 2.

② Building blocks — the entities a policy allows

Now look inside the policy. Think of a strict reception desk: the receptionist has a list of who's expected today, which rooms they may enter, and what they may carry. Anyone or anything not on the list is flagged. In Advanced WAF that list is the policy's building blocks — the entities the policy knows about and allows.

The four entities you meet first

Together these entities are the positive-security model — allow only what you know is good. The attack-signature engine (the negative model — that's the Attack Signatures lesson) runs alongside it. Building a policy is mostly about getting these entities right for your app.

Pro tip — don't hand-type every entity

You can add entities manually, but for a real app that's thousands of URLs and parameters that change every release. Instead, let automatic policy building (Path 3) learn them from live traffic and propose them as suggestions. Reserve manual entities for the few special cases learning can't infer. A learned policy stays current as the app evolves; a hand-typed one rots the next deploy.

👉 So far: the policy allows known-good entities — file types, URLs, parameters, headers (the positive model). Next, see a request checked against those entities.
Figure 2 — One request, checked against the policy's allowed entities
A left-to-right flow. An incoming request enters the security policy, which holds the allowed building blocks: file types, URLs, parameters and headers. The request URL and file type match the allowed entities, but a parameter value is longer than the learned rule allows, which raises an Illegal parameter value violation. The policy enforcement mode then decides whether the request is blocked (Blocking, enforced) or only logged as a learning suggestion (Transparent / learning). Entities are the unit of the positive-security model, learned from real traffic. The policy allows known-good ENTITIES — the request is checked against all of them Request GET /cart.html qty=999999999 URL: /cart.html ✓ known URL · file type html allowed Parameter: qty ✗ value too long — breaks the rule Headers: Host, Cookie ✓ expected headers present Violation raised enforcement mode decides: Blocking→drop · learning→log Traffic Learning + Event Log Entities (file types · URLs · parameters · headers) are learned, not hand-typed for every app. While learning, a violation is a suggestion to refine the entity; once enforced, it blocks. Parameters carry most attacks.
The request is checked against the policy's allowed entities. While the policy is learning, an out-of-bounds value becomes a suggestion to refine the rule; once enforced, the same value is blocked — Path 3 and Path 4.

Priya at Flipkart faces this

Priya hand-defined a handful of URLs and parameters and enforced the policy. The next release added a new /api/wishlist endpoint and a new form field — and real users on those pages started getting blocked.

Likely cause

The policy only knows the entities she hand-typed. The new URL and parameter aren't in the policy, so they're treated as illegal — a false positive caused by a stale, manually-built policy.

DiagnosisSecurity ▸ Application Security ▸ Policy Building ▸ Traffic Learning → look for "Illegal URL" / "Illegal parameter" suggestions
Fix

Turn on automatic policy building so ASM learns new entities from real traffic and proposes them. Accept the legitimate new URL/parameter suggestions, then Apply. Now the policy keeps up with each release.

Verify

Re-test the wishlist page after accepting the suggestions. It now loads — the new entities are part of the policy, not violations.

F5 ASM — Architecture & Deployment F5 ASM — Attack Signatures
Quick check · Q2 of 10

In a BIG-IP Advanced WAF security policy, what are file types, URLs, parameters and headers collectively called?

Correct: c. File types, URLs, parameters and headers are the policy's building blocks (entities). ASM allows the entities defined in the policy and flags anything outside them — that's the positive-security side. Attack signatures (a) are the separate negative-security engine.

Pause & Predict

Learning is coming next. ASM can watch your real traffic and figure out most of these entities for you. What do you think it calls the things it proposes for you to accept — the "you should probably allow this" items? Type your guess.

Answer: Learning suggestions. Automatic policy building observes live traffic and surfaces suggestions on the Traffic Learning screen — "add this URL", "this parameter looks legitimate", "relax this rule". You review and accept them so the policy tightens around the real app. That's exactly Path 3.

③ Policy building & learning — let ASM do the typing

Here is the analogy that makes this lesson stick. Automatic policy building is like an apprentice receptionist who shadows the front desk for a week, noting who actually shows up and what they carry. By the end they've drafted the "expected visitors" list for you — you just review it and sign off. That apprentice is the ASM learning engine.

What policy building does

Automatic policy building watches your live traffic and proposes learning suggestions — new file types, URLs and parameters it has seen, plus rules to relax. You review them on the Traffic Learning screen and accept the legitimate ones. The whole point is to build a tight, accurate positive-security model without hand-typing thousands of entities, and to keep it current as the app changes.

The learning runway (deploy Transparent first)

Learning needs real traffic and a safety window. So you deploy the new policy in Transparent mode and let it run for a while. New or learned entities also go through a staging / enforcement readiness period (default 7 days) — they're observed, suggested, but not enforced — so a wrong guess never blocks a real user before you've reviewed it.

Accepted ≠ enforced (this never happens by itself)

This is the #1 trap. Accepting a suggestion in the editor does not put it live. You still take the action:

Until you enforce and apply, accepted entities still only log. Many "the WAF won't enforce my changes" tickets are exactly this — suggestions accepted but never applied.

👉 So far: deploy Transparent → policy building learns entities → it proposes suggestions → you accept + apply. Next, see the build lifecycle in one picture.
Figure 3 — The build lifecycle: template → learn (Transparent) → review → enforce
A left-to-right journey. A new policy starts from a template such as Rapid Deployment. It is deployed in Transparent mode, where for a learning runway (including a staging readiness period of about 7 days) automatic policy building observes real traffic and proposes learning suggestions but does not block. The engineer then reviews each suggestion: a suggestion that matches legitimate traffic is accepted into the policy, while a suggestion that looks like an attack is left so it becomes a violation. Finally the accepted entities are enforced and the policy applied, after which it blocks. A footer notes that accepting a suggestion is not the same as enforcing it. A policy is grown, not typed — and nothing blocks until YOU enforce it 1 · Template Rapid Deployment 2 · LEARN (Transparent) policy building watches traffic readiness ~7 days proposes suggestions — does NOT block 3 · Suggestions ready shown on Traffic Learning "add this URL / param" 4 · YOUR REVIEW — each suggestion legit entity, or an attack? Legitimate URL / parameter? → ACCEPT into the policy → enforce + apply it's now an allowed entity Looks like an attack? → leave it → becomes a violation once enforced don't widen the policy to fit an attacker Accepting a suggestion ≠ enforcing it — you still Enforce ready entities + Apply Policy.
Template → learn in Transparent → review suggestions → accept the legit ones and enforce. The arrow that actually blocks anything is "enforce + apply" — accepting a suggestion alone doesn't go live.

▶ Watch a policy learn its entities — then watch someone enforce blind

Karthik at Wipro builds a policy for a new app. Play the learn-then-enforce path, then Break it to see what happens when he enforces with no learning.

① TEMPLATECreate from Rapid Deployment, deploy in Transparent, attach to the virtual server
② LEARNPolicy building watches real traffic and proposes suggestions (URLs, parameters, file types)
③ REVIEWOn Traffic Learning you accept the legit entities; you leave the attack-shaped ones
④ ENFORCEEnforce ready entities + Apply, switch to Blocking → tuned policy blocks attacks, not users
Press Play for the learn-then-enforce path. Then press Break it.

The four stages of a policy entity — tap each card

The front names the stage; the back gives you the "so what" — what the entity is doing to traffic right then.

🌱
Learning
tap to flip

Policy building is observing real traffic and proposing suggestions. So what: in Transparent mode it logs and suggests but blocks nothing — the apprentice is shadowing the front desk.

📋
Suggested
tap to flip

An entity ASM proposes on the Traffic Learning screen. So what: it's a draft "you should probably allow this" — nothing happens until you accept it.

Accepted (staging)
tap to flip

You added the suggestion to the policy; it rides out the readiness period. So what: "in the policy but not yet enforcing" — you still must enforce ready entities + Apply.

🛡️
Enforced
tap to flip

The entity is live and the policy acts on it. So what: in Blocking mode, a request that violates this entity is now dropped with a support ID — the policy is protecting the app.

Quick check · Q3 of 10

What does automatic policy building (the Policy Building / learning engine) do in BIG-IP Advanced WAF?

Correct: a. Automatic policy building observes real traffic and proposes suggestions (entities and relaxed rules) on the Traffic Learning screen, so the policy tightens around your actual application. You review and accept, then enforce — it never auto-enforces (d).

Pause & Predict

You've learned and accepted the app's real entities. The last step turns the policy from a passive observer into an active gate. What's that final flip called — the enforcement mode that makes ASM actually drop violations? Type your guess.

Answer: Blocking mode. Until you switch the enforcement mode from Transparent to Blocking (and Apply), ASM only logs — even on real violations. The Blocking flip is the moment the tuned policy starts protecting the app. That's Path 4.

④ Review & enforce — from learning to live

You've learned the entities. The last stretch turns suggestions into a live, protective policy without breaking the app. Two things decide whether the policy actually protects: the entities you accepted (Path 3) and the enforcement mode (this section). Get either wrong and the WAF either lets attacks through or blocks real users.

Review the learning suggestions

On Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning, each suggestion tells you what ASM saw and how often. Your job is to sort them:

The volume drops fast — most of an app's entities are learned in the first day or two of real traffic.

Enforce, then go Blocking

Accepting a suggestion adds it to the policy but doesn't make the policy act. Two final flips:

So the chain to a protective policy is: learn entitiesaccept the legit onesenforcemode = Blocking + Apply. Miss the last flip and the policy only logs. (Whether to go Blocking, and when, is the global go-live decision covered deeper in the deployment lesson.)

tmsh — confirm the policy's learning + readiness settings
root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)# list asm policy /Common/app_pol \
  enforcement-mode enforcement-readiness-period
# review the learned/suggested entities in the GUI Traffic Learning screen, then enforce
Expected output
asm policy /Common/app_pol {
    enforcement-mode transparent
    enforcement-readiness-period 7
}
# Policy is learning in Transparent; 7-day readiness window confirmed before entities enforce.
tmsh — enforce ready entities, switch to Blocking, then apply
root@(bigip01)(tmos)# modify asm policy /Common/app_pol entities enforce-readiness
root@(bigip01)(tmos)# modify asm policy /Common/app_pol enforcement-mode blocking
root@(bigip01)(tmos)# modify asm policy /Common/app_pol apply
Expected output
Ready entities enforced: 318 URLs, 642 parameters, 14 file types.
asm policy /Common/app_pol { enforcement-mode blocking }
Policy /Common/app_pol applied. Active.
# The learned entities now enforce; in Blocking mode, requests outside them are dropped with a support ID.
https://10.10.20.4/tmui  ·  BIG-IP® Advanced WAF — Configuration utility
Local Traffic
Application Security ▸
Security Policies
Policy Building ▸
Traffic Learning
Attack Signatures
System ▸
Security ▸ Application Security : Policy Building ▸ Traffic Learning
Current edited security policy  app_pol  (Transparent — learning)  — accept suggestions, then Apply Policy
Suggestion Entity type Occurrences Action
Add valid URL — /api/wishlistURL1,284Accept
Add parameter — qty (integer, max 4)Parameter962Accept
Illegal parameter value — q=' OR 1=1--Parameter7Leave (attack)
what ASM learned from traffic   the entity it proposes (URL / parameter / file type)   Accept the legit ones; leave the attack-shaped one so it becomes a violation when enforced
🖥️ Recreated for clarity — your BIG-IP console matches this. ASM proposes learning suggestions from real traffic: accept the legitimate URL ① and parameter, but leave the SQL-injection value so it stays a violation. Path: Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning.
The trap — "accepting all suggestions" to clear the queue

Don't blanket-accept every learning suggestion just to empty the Traffic Learning list. Some "suggestions" are an attacker probing your app — a weird URL, a SQL-keyword parameter value. Accepting those widens the policy to allow the attack. Read each suggestion: accept the legitimate entities, and leave the attack-shaped ones so they become violations once you enforce. Blindly accepting everything turns your positive-security model into a doormat.

👉 So far: review suggestions, accept the legit entities, enforce, then go Blocking + Apply. Next, see that final flip live.

▶ Watch the final flip — learn-then-Blocking vs enforce-blind

A tuned policy meets a request that violates an entity. Play the Blocking drop after learning, then Break it to see what enforcing with no learning does to a real user.

① REQUESTA request hits the policy with a value outside a learned parameter rule
② CHECKThe policy knows this entity (it was learned + accepted) → the value is a real violation
③ MODEEnforcement mode is Blocking and the entity is enforced → drop is the right call
④ ACTIONBlocked — request dropped, blocking page + support ID returned; real users are unaffected
Press Play for the Blocking drop after learning. Then press Break it.

Aditya at HCL faces this

Aditya accepted a large set of learning suggestions and is sure the new URLs and parameters are in the policy. But test traffic to those URLs still raises Illegal-URL violations — the policy isn't acting on the entities he accepted.

Likely cause

He accepted the suggestions but never Applied the policy (and/or the entities are still in their staging window). Accepting in the editor doesn't commit anything until you Apply.

DiagnosisSecurity ▸ Application Security ▸ Policy Building → check for the pending-changes banner; verify the entity's enforcement state
Fix

Enforce ready entities if they're past the readiness window, then click Apply Policy. The accepted URLs/parameters now take effect.

Verify

Re-test the URLs. They now load cleanly — the accepted entities are part of the live policy, not pending changes.

Verify it worked — the Event Log ends the argument

Never claim a policy is "tuned and live" from the config screen. Hit a known-good URL and send a safe synthetic attack (e.g. ' OR 1=1-- from your test box), then open Security ▸ Event Logs ▸ Application ▸ Requests and read both. The good URL = clean 200 (entity learned + accepted). The attack = Blocked with a support ID (entity/signature enforced + Blocking). If the good URL is blocked, you missed a learning suggestion; if the attack only Alarms, the policy is still Transparent.

tmsh — confirm the policy is enforcing and read a request by support ID
root@(bigip01)(tmos)# show asm policy /Common/app_pol
# then read a test request in the Event Log by support ID
Expected output
asm policy /Common/app_pol   Enforcement Mode: blocking
2026-06-02 14:22  src 203.0.113.7  vs 10.10.20.5:443
  Violation: Illegal parameter value (q=' OR 1=1--)   Result: BLOCKED
  Support ID: 18007244126553882151
# If Mode = transparent → only Alarmed. If a legit URL is BLOCKED → accept its learning suggestion.
Quick check · Q4 of 10

You built a policy and put it straight into Blocking mode without any learning. Real users immediately get blocked on legitimate pages. Why?

Correct: c. A brand-new policy hasn't seen the app's traffic, so its positive-security model is empty — every real URL and parameter is "unknown" and looks illegal. Deploy in Transparent, let policy building learn and accept the legit entities, clear false positives, then switch to Blocking.
Figure 4 — Enforce-blind vs learn-first: the same new policy, two very different days
A before-and-after panel and a build-order cheat-sheet. On the left, enforce-blind: a brand-new policy goes straight to Blocking with no learning, so its empty positive-security model treats every real URL and parameter as illegal and blocks real users, causing an outage. On the right, learn-first: the same policy runs in Transparent mode while automatic policy building learns the app's real entities, the engineer accepts the legitimate suggestions, and only then switches to Blocking, so no real user is ever blocked. Below, a five-tile cheat-sheet lists the build order: choose a template, learn in Transparent mode, review and accept suggestions, enforce ready entities, and switch to Blocking, with a golden rule that accepting a suggestion is not the same as enforcing it. A new policy can protect you — or block your own users. Learning decides which. ✗ Enforce blind — straight to Blocking Day 0: empty policy, no entities learned every real URL / param looks ILLEGAL real users blocked · checkout breaks · P1 outage Result: WAF gets switched off by 11am ✓ Learn first — Transparent, then Blocking Policy building learns the app's real entities you accept the legit URLs / parameters attacks logged · no real user blocked Result: enforce safely, ship a tuned policy ① Template Rapid Deployment or app-ready a working baseline ② LEARN Transparent mode readiness ~7 days suggests, never blocks ③ Review Traffic Learning legit → Accept attack → Leave ④ Enforce enforce ready + Apply accept ≠ enforce you click it ⑤ Mode Transparent = log Blocking = drop flip + Apply GOLDEN RULE Learn before you block. Accepting a suggestion ≠ enforcing it — you still Enforce ready entities + Apply. Build: Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning | log of truth: Security ▸ Event Logs ▸ Application ▸ Requests 303 anchor: templates, building blocks (entities), automatic policy building / learning, Transparent → enforced.
The before/after that justifies the whole build discipline: enforce-blind blocks your own users on day one; learn-first lets you enforce a tuned policy safely. Screenshot the bottom tiles — that's the build order.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from F5 techdocs + DevCentral, scoped to BIG-IP Advanced WAF (formerly ASM) security-policy building. For a live prod issue, paste your Event-Log export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which template gives the tightest, most application-specific positive-security policy but needs the most learning and tuning?

Correct: b. A Comprehensive / application-ready template produces the tightest positive-security model because it learns many entity types, but it needs a longer learning and tuning window than the lightweight Rapid Deployment template.
Q6 · Apply

Sneha at Infosys must protect an internal app she barely knows, fast, without breaking it. Best first build?

Correct: a. Rapid Deployment + Transparent + automatic policy building learns the app's real entities from traffic, so she tunes to reality fast. Hand-building (b) is slow and error-prone; empty + Blocking (c) blocks real users.
Q7 · Analyze

What is the enforcement readiness period used for when building a policy?

Correct: c. The enforcement readiness period (default 7 days) is the staging window for new/learned entities and signatures — they're observed and suggested but not enforced, so a wrong guess never blocks a real user before you've reviewed it.
Q8 · Analyze

After accepting a set of learning suggestions, the policy still does not enforce the new entities. Most likely missing step?

Correct: b. Accepting a suggestion adds it to the policy in the editor but doesn't commit it. Enforce ready entities (if past the readiness window) and Apply Policy — only then do the accepted entities take effect.
Q9 · Evaluate

A teammate wants to disable automatic policy building and hand-define every URL and parameter for a large, fast-changing app. Sound design?

Correct: d. A large, fast-changing app has thousands of entities that change every deploy. Hand-defining them is slow and instantly stale. Let automatic policy building learn from real traffic and review the suggestions; manual entities are for the rare cases learning can't infer.
Q10 · Evaluate

A junior engineer proposes shipping a brand-new policy directly in Blocking mode to "protect from minute one". For a production app, sound design?

Correct: c. A brand-new policy hasn't learned the app's entities, so its positive model is empty and legitimate URLs/parameters look like violations. Deploy Transparent, learn and accept the real entities, clear false positives, then go Blocking. Skipping the learning window is how a new WAF causes its own outage.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: how do you build an ASM security policy fast without breaking the app — what's the order from template to enforced? Then compare to the expert version.

Expert version: Start from a template (Rapid Deployment for speed) and deploy in Transparent mode. Let automatic policy building learn the app's real entities — file types, URLs, parameters, headers — from live traffic and propose them as learning suggestions. On the Traffic Learning screen you accept the legitimate ones and leave the attack-shaped ones. Then enforce the ready entities and switch the enforcement mode to Blocking, and Apply. The order is template → learn → review/accept → enforce → Blocking. If you mentioned "template, learn in Transparent, accept suggestions, then enforce and go Blocking", you've got it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Deployment template
The starting blueprint for a new ASM policy. It pre-loads a baseline of protections and sets how aggressively ASM learns. Rapid Deployment is the lightweight default; application-ready templates are tighter but need more tuning.
Rapid Deployment
A lightweight template that ships a baseline of generic protections (attack signatures + common building blocks) so you can deploy fast in Transparent mode and then tune via learning.
Building blocks (entities)
The file types, URLs, parameters and headers a policy knows about and allows. Together they form the positive-security model — ASM flags anything outside them.
File type / URL / parameter / header
The four entities you meet first. File types = allowed extensions; URLs = allowed paths; parameters = input fields and their rules (most attacks ride here); headers = expected HTTP headers and rules.
Positive vs negative security
Positive = allow only known-good entities (the building blocks). Negative = block known-bad attack signatures. A policy runs both.
Automatic policy building
The ASM learning engine. It observes real traffic and proposes learning suggestions (new entities, relaxed rules) so the policy tightens around your actual app without you hand-defining everything.
Learning suggestion
An "add this URL / allow this parameter / relax this rule" item ASM surfaces on the Traffic Learning screen, derived from observed traffic. You review and accept the legitimate ones.
Traffic Learning
The screen (Security ▸ Application Security ▸ Policy Building ▸ Traffic Learning) where learning suggestions appear and you accept or leave them.
Enforcement mode (Transparent vs Blocking)
Transparent = detect and log violations but never block (the learning/tuning state). Blocking = drop violations. You build in Transparent, then switch to Blocking.
Enforcement readiness period
The staging window (default 7 days) during which new/learned entities and signatures are observed but not enforced, so you can review before they block.

📚 Sources

  1. F5 techdocs — BIG-IP Advanced WAF / ASM: Implementations & About security policies (creating a policy, deployment templates including Rapid Deployment, choosing application-ready vs lightweight templates). techdocs.f5.com
  2. F5 techdocs — About security policy building blocks & Working with file types, URLs, parameters and headers (entities = file types / URLs / parameters / headers; the positive-security model). techdocs.f5.com
  3. F5 techdocs — About automatic policy building & Refining a policy with learning (the Policy Building engine; learning suggestions; the Traffic Learning screen; accept/ignore suggestions). techdocs.f5.com
  4. F5 techdocs — Enforcement modes for security policies & Enforcement readiness (Transparent = detect/log only; Blocking = drop; readiness period default 7 days; enforce ready entities). techdocs.f5.com
  5. F5 DevCentral — ASM policy building best practices & positive-security walk-throughs ("start from a template, learn in Transparent, accept suggestions, then enforce"; don't blanket-accept). community.f5.com
  6. r/networking & r/f5networks practitioner threads — "new ASM policy blocked everyone = went Blocking before learning" and "let policy building learn, review suggestions, then enforce". reddit.com
  7. F5 Certification — 303 — BIG-IP ASM Specialist Exam Blueprint (security-policy creation, templates, building blocks, automatic policy building, enforcement; cert anchor: 90 min, 80 questions, pass 245/350). education.f5.com / f5.com

What's next?

You can now build a policy end-to-end: pick a template, learn the entities in Transparent mode, accept the suggestions, and tighten to enforced. Next, go deeper on the positive-security & learning half — how ASM learns and refines URLs, parameters and the entities you just met — and on the negative-security half in the attack signatures lesson. Then false-positive tuning ties them together.

Next · F5 ASM Positive Security & Learning → Practice for the 303 on exam.techclick.in →