Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
0
Helpful
3
Replies

working of csa in learn mode

sushilmenon
Level 1
Level 1

‎02-11-2008 12:37 AM - edited ‎03-09-2019 08:04 PM

hi all i am new to csa . i am having a doubt abt the learn mode.

as per the documentation in learn mode when the rules in the policies having the action as query the user. in learn mode rather than querying the user it allows the action as query response.

my doubt is what abt the rules in which the deny action is set . will this rule be implemented when it is learn mode.

like in test mode even though the actions of the rules are set to deny it will still permit the action and log the event.

is this the same behaviour in learn mode.

or the learn mode only pertains to the rules with query the user as their

actions.

can someone pls clear this doubt.

regards

sushil

Labels:
0 Helpful
3 Replies 3

gojericho0
Level 1
Level 1

‎02-11-2008 06:38 AM

Learn mode helps to eliminate popups users will see when you first install CSA. It will assume an ALLOW action to all queries except ones that CSA considers unusual activity.

Any query that has a default ALLOW without learn mode turned on is automatically cached once learn mode so that users are not bombarded with popups during enforcement. Any denies that are allowed in learn mode, still show up as queries when learn mode is not enforced

I personally don't recommend using Learn mode, because i could cache ALLOW responses as an administration you would not wish to have. In my deployments I put everything in test mode and create exception rules and have all queries default to deny just to eliminate and confusion/annoyance from the end users in order to help make the security solution more accepted

0 Helpful

sushilmenon
Level 1
Level 1
In response to gojericho0

‎02-11-2008 01:15 PM

hi jerico thanks for ur reply.

mate i am really new to csa. from ur answer i could drive to this consulsion though not sure whether i am right.,

like in test mode even though the action to a rule is to deny but it will still be allowed but a log event will be generated .

similarly in learn mode all the actions will be queried to the user rather then taking the actions specified in the rule.

i mean say i have selected learn mode in the group.

for the learn mode do i have to change the query variables . by default i guess the default action is to deny for all the rule modules.

so i guess if we leave it to default the query will be generated right. and the actions specified in the query request will be prompted to the user.

my main doubt is if rule which specifies the action as deny . but i have selected the learn mode for the group.

so now will the deny action will be taken as per the rule or since it is in learn mode it will query the user .

can u pls help me out.

''

waiting for ur reply mate.

regards

sushil

0 Helpful

gojericho0
Level 1
Level 1
In response to sushilmenon

‎02-11-2008 01:20 PM

Sushil

In learn mode the queries with the default deny action are ALLOWED without prompting the user.

When you take of learn mode the user will now see a query for any default deny action.

If I were you though I would not use learn mode and run test mode in order to manually create your policies to take the end users out of the equation. I think this will save a lot of headaches in the long run.

0 Helpful
Customers Also Viewed These Support Documents