AWAF learning-suggestion interpreter

Ties the poisoning estimator and the false-positive triage together. Characterise a Traffic Learning suggestion and it tells you whether accepting it loosens or tightens the policy, whether a loosening is a false-positive fix or a security relaxation, and whether Automatic learning is about to enforce it for you. Runs entirely in your browser.

Security & WAF

The learning suggestion you are weighing up

Computed in your browser. Nothing is sent.

A deterministic model of F5's documented learning behaviour, not a probe. Read the action, learning score, and average violation rating from the Traffic Learning screen. It never contacts a BIG-IP and does not depend on the exact REST suggestion JSON.

LooseningPoisoning vector

Loosening that resolves a genuine false positive

What this means

  • The learning score rises as the violation rating falls, so the lowest-rated suggestions (the most likely false positives) reach auto-accept fastest. That is by design, and it is also exactly what an attacker feeding low-rated violations drives up.
  • At a 80% learning score this suggestion is close to being accepted; check it deliberately rather than letting it through.
  • In Automatic learning, a suggestion that reaches a 100% learning score is accepted and enforced automatically, with no human step.
  • This is the poisoning vector: a relaxing loosening from untrusted traffic climbing toward auto-accept in Automatic mode. Model how far it is with the poisoning estimator, and consider Manual learning or trusted-only loosening.
  • Relax the policy only where a false positive occurred, never where a real attack caused the violation. The violation rating is how you tell the two apart.
API endpointGEThttps://ronutz.com/api/v1/f5-awaf-learning-suggestion-interpreterDocumented, not served. Opens the specification.

References