Transitioning out of the auto-learning phase
As your web servers change, you may periodically want to run auto-learning for them on a smaller scale.
For example, perhaps you will install or update a web application or web server, resulting in new structures and different vulnerabilities.
However, for most day-today use, auto-learning should be disabled and your protection profiles fully applied.
To transition to day-to-day use
2. If, during auto-learning, any Action in the protection profile or its auxiliary components was set to Alert & Deny or Alert & Erase, verify that those same actions are applied in the protection profile that you generated from auto-learning data. (Incomplete session data due to those actions may have caused auto-learning to be unable to detect those attack types.)
3. If necessary, either:
• Manually adjust the generated profile and its components to suit your security policy. For more serious violations, instead of setting Action to Alert, use a blocking or redirecting option such as Alert & Deny.
6. When you are done collecting auto-learning data and generating your configuration, to improve performance,
disable auto-learning by deselecting the auto-learning profile in
WAF Auto Learn Profile in
all server policies.
See also