This section discusses the Positive Security and Learning features of the WAF.
Positive Security rules define allowed application behavior. These rules can be created by the Learning Engine, through scanner import, or manually. A Positive Security rule will match when the request (or parts of the request) matches the behavior defined in the rules. This is in contrast to Signatures, which detect attack patterns and will match when an attack pattern is found.
Both Positive Security and Signatures support similar concepts for rules:
- Enable / Disable.
- Mode (Detection / Enforcement) by rule.
- Paranoia levels of rules.
Reasons for Using the Positive Security Model
Since Positive Security defines application behavior, it can reduce the attack surface by only allowing known good traffic.
Positive Security can result in better performance. Instead of being checked against a long list of known attack vectors using Signatures, a value is validated against a single regular expression.
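The contrast described above, as an added conceptual example (not product code or configuration): a per-parameter allow-list rule with its own enable flag and mode, next to a signature list. The PositiveRule shape, the evaluate flow (positive rule first, signatures for uncovered values), the parameter names and the signature patterns are all assumptions constructed for illustration; paranoia levels are not modeled.

```python
import re
from dataclasses import dataclass

# Constructed signature list: a hit means an attack pattern was found.
SIGNATURES = [re.compile(p, re.I) for p in
              (r"<script\b", r"\bunion\b.+\bselect\b", r"\.\./")]

@dataclass
class PositiveRule:
    """Hypothetical rule shape: one allow-list regex for one parameter."""
    param: str
    pattern: str
    enabled: bool = True
    mode: str = "enforcement"  # "detection" only logs

    def matches(self, value: str) -> bool:
        # fullmatch: the whole value must conform, not just part of it.
        return re.fullmatch(self.pattern, value) is not None

def evaluate(params, rules):
    # Assumed flow: a value covered by an enabled positive rule is judged by
    # that one regex; any other value is checked against the signatures.
    action, log = "allow", []
    active = {r.param: r for r in rules if r.enabled}
    for name, value in params.items():
        rule = active.get(name)
        if rule is None:
            if any(sig.search(value) for sig in SIGNATURES):
                action = "block"
                log.append(f"{name}: signature hit")
        elif rule.matches(value):
            log.append(f"{name}: positive rule matched")
        else:
            log.append(f"{name}: not allowed behavior ({rule.mode})")
            if rule.mode == "enforcement":
                action = "block"
    return action, log

# Constructed rules and requests.
RULES = [
    PositiveRule("id", r"[0-9]{1,10}"),
    PositiveRule("lang", r"[a-z]{2}", mode="detection"),
    PositiveRule("q", r"[\w ]{1,64}", enabled=False),
]

if __name__ == "__main__":
    for req in ({"id": "42", "lang": "en"}, {"id": "42 OR 1=1"},
                {"id": "7", "lang": "english"}, {"q": "<script>x"}):
        print(req, evaluate(req, RULES))
```

The request with id set to "42 OR 1=1" hits none of the constructed signatures but is still blocked, because it falls outside the behavior the positive rule allows.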