Reference: WAF Policy Builder

After you create a security policy and begin sending traffic to the application, the Policy Builder provides learning suggestions concerning additions to the security policy based on the traffic it sees.

For more information about Policy Builder, see Overview: WAF Policy Builder.

Policy Builder settings

The following settings are provided to enable and customize Policy Builder for a WAF policy.

Learning Mode - Determines how WAF handles policy building:

  • Automatic - Accepts learning suggestions once they reach 100%, or when you manually accept the suggestion.

  • Manual - Requires that you manually accept any suggestion.

  • Disabled - Deactivates learning.

Learning Speed - Policy Builder applies traffic sampling to create suggestions. The learning speed impacts the number of samples used to create a suggestion and suggestion accuracy:

  • Fast - Samples a low volume of traffic to generate a suggestion. This is recommended for the following applications:

    • The application requires a quick, customized policy with low security.

    • The application has a low traffic volume.

    • The application is at low risk of attack (a closed or staged environment, limited access, etc.).

  • Medium (Default) - Samples a moderate volume of traffic to generate a suggestion. Recommended for most applications.

  • Slow - Samples a high volume of traffic to generate a suggestion. Recommended for the following applications:

    • Strict application security is required.

    • The application has a high number of unique client requests per day.

    • The application’s environment is likely to be attacked during the learning period.

Readiness Period (Days) - Configures the number of days security policy entities and attack signatures remain in staging before they can become enforced. If entities are in Always mode, this also impacts the number of days a WAF policy learns explicit entities that match wildcard entities before they are eligible to become enforced.

Suggestion Actions

  • Accept Options - Not all options are available for all suggestions. Unsupported options for a suggestion are not selectable. For example, the Accept and Stage option is only available for policy entities that support staging, such as signatures and URLs.

    • Accept - Modifies the policy by taking the suggested action, such as adding an entity that is legitimate.

    • Accept & Stage - Modifies the policy by taking the suggested action place the related entities (file types, URLs, parameters, cookies, or redirection domains) into staging until they are ready to be enforced.

    • Accept Globally - Modifies the policy by taking the suggested action and globally adds the suggestion at the policy level.

  • Delete - The system removes the learning suggestion from the list, but the suggestion reoccurs if new traffic triggers the same suggestion. The learning score of the suggestion starts over from zero on a renewed suggestion.

  • Ignore - The system does not change the policy and stops showing this suggestion now and in the future. You can view ignored suggestions by filtering the status on the Learning Suggestions list.