This section discusses the Positive Security and Learning features for WAF.

Positive Security rules define allowed application behaviour. These rules can be created by the Learning Engine, by scanner import, or manually. A Positive Security rule matches when the request (or parts of the request) matches the behaviour defined in the rule. This is in contrast to Signatures, which describe attack patterns and match when an attack pattern is found.

Positive Security and Signatures both support similar concepts for rules:

  • Enable / Disable

  • Mode (Detection / Enforcement) by rule

  • Paranoia levels of rules

Reasons for Using the Positive Security Model

  • Because Positive Security defines application behaviour, it can reduce the attack surface by allowing only known good traffic.

  • A Positive Security policy can result in better performance. Instead of checking a value against a long list of known attacks, the validation is against a single expression.
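
The following sketch contrasts the two models described above. It is an added example, not the WAF's own code or rule schema. The `PositiveRule` class, the parameter names, the sample signatures and the mapping of Detection to "log" and Enforcement to "block" are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class PositiveRule:            # hypothetical rule model, not the WAF's schema
    param: str                 # request parameter the rule describes
    allowed: str               # single expression defining allowed values
    enabled: bool = True
    mode: str = "enforcement"  # assumed: "detection" only reports a violation

# Constructed signature list: patterns that describe attacks.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]

def signature_hits(value):
    """Signature model: a hit means an attack pattern was found."""
    return [s.pattern for s in SIGNATURES if s.search(value)]

def evaluate(rules, params):
    """Positive model: a value must match its rule's allowed expression.
    Returns (action, violations); action is 'allow', 'log' or 'block'."""
    active = {r.param: r for r in rules if r.enabled}
    action, violations = "allow", []
    for name, value in params.items():
        rule = active.get(name)
        if rule is None:       # assumption: no enabled rule, nothing to validate
            continue
        if re.fullmatch(rule.allowed, value):
            continue           # rule matches: known good behaviour
        violations.append((name, rule.mode))
        if rule.mode == "enforcement":
            action = "block"
        elif action == "allow":
            action = "log"
    return action, violations

# Constructed sample rules and requests.
RULES = [PositiveRule("id", r"[0-9]{1,10}"),
         PositiveRule("sort", r"asc|desc", mode="detection")]

if __name__ == "__main__":
    for req in ({"id": "42", "sort": "asc"},
                {"id": "42abc", "sort": "asc"},
                {"id": "7", "sort": "random"}):
        print(req, evaluate(RULES, req), signature_hits(req["id"]))
```

The value `42abc` matches none of the sample signatures, yet the positive rule for `id` rejects it because it is not in the set of known good values.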