This section discusses Positive Security and Learning feature for WAF.

Positive Security rules define allowed application behavior. These rules can be created by the Learning Engine, through scanner import, or manually. A Positive Security rule will match when the request (or parts of the request) matches the behavior defined in the rules. This is in contrast to Signatures, which detect attack patterns and will match when an attack pattern is found.

Both Positive Security and Signatures allow similar concepts for rules.

• Enable / Disable

• Mode (Detection / Enforcement) by rule

• Paranoia levels of rules

Reasons for Using the Positive Security Model

• Since Positive Security defines application behavior, it can reduce the attack surface by only allowing known (matched) traffic.

• Positive Security can result in better performance. Instead of checking a value against a long list of known attack vectors using Signatures, the validation is against a single regular expression.