working of csa in learn mode

Unanswered Question
Feb 11th, 2008

hi all i am new to csa . i am having a doubt abt the learn mode.

as per the documentation in learn mode when the rules in the policies having the action as query the user. in learn mode rather than querying the user it allows the action as query response.

my doubt is what abt the rules in which the deny action is set . will this rule be implemented when it is learn mode.

like in test mode even though the actions of the rules are set to deny it will still permit the action and log the event.

is this the same behaviour in learn mode.

or the learn mode only pertains to the rules with query the user as their


can someone pls clear this doubt.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gojericho0 Mon, 02/11/2008 - 06:38

Learn mode helps to eliminate popups users will see when you first install CSA. It will assume an ALLOW action to all queries except ones that CSA considers unusual activity.

Any query that has a default ALLOW without learn mode turned on is automatically cached once learn mode so that users are not bombarded with popups during enforcement. Any denies that are allowed in learn mode, still show up as queries when learn mode is not enforced

I personally don't recommend using Learn mode, because i could cache ALLOW responses as an administration you would not wish to have. In my deployments I put everything in test mode and create exception rules and have all queries default to deny just to eliminate and confusion/annoyance from the end users in order to help make the security solution more accepted

sushilmenon Mon, 02/11/2008 - 13:15

hi jerico thanks for ur reply.

mate i am really new to csa. from ur answer i could drive to this consulsion though not sure whether i am right.,

like in test mode even though the action to a rule is to deny but it will still be allowed but a log event will be generated .

similarly in learn mode all the actions will be queried to the user rather then taking the actions specified in the rule.

i mean say i have selected learn mode in the group.

for the learn mode do i have to change the query variables . by default i guess the default action is to deny for all the rule modules.

so i guess if we leave it to default the query will be generated right. and the actions specified in the query request will be prompted to the user.

my main doubt is if rule which specifies the action as deny . but i have selected the learn mode for the group.

so now will the deny action will be taken as per the rule or since it is in learn mode it will query the user .

can u pls help me out.


waiting for ur reply mate.



gojericho0 Mon, 02/11/2008 - 13:20


In learn mode the queries with the default deny action are ALLOWED without prompting the user.

When you take of learn mode the user will now see a query for any default deny action.

If I were you though I would not use learn mode and run test mode in order to manually create your policies to take the end users out of the equation. I think this will save a lot of headaches in the long run.


This Discussion