The Silverline SOC keeps talking about "tuning" my Web Application Firewall (WAF) Policies?
- What does "tuning" a WAF Policy mean?
- When do we want to tune a policy, what does the SOC do vs. what am I expected to do?
- Silverline WAF
What is "Tuning" a WAF Policy?
“Tuning” is the process of monitoring and adjusting WAF policies so that they are blocking malicious traffic without generating a lot of false positives.
When a new WAF policy is created, the default mode for all the blocking modules is Transparent mode, also known as Learning mode. In Transparent mode, the Silverline Portal logs every policy violation, while the WAF policy allows all the traffic to traverse the proxy unblocked. The customer and the SOC review the violations and determine if the number of false positives is low enough to move the policy into a particular phase of blocking. If not, the policy requires further observation and adjustments in Transparent mode.
Once the policy is moved into Blocking mode, any traffic that causes a policy violation is blocked as well as logged. Customers can request the movement of a policy back to Transparent mode from Blocking, though this is not typical.
For more information on the Tuning process, review:
- WAF Setup: Onboarding and Implementation Plan
- WAF Setup: Blocking Phases
- How to Create WAF Violation Assessments
When we want to tune a policy, what does the SOC do and what am I expected to do?
At Silverline, the WAF Policy tuning process is a partnership between the SOC and the customer (you).
- The SOC provides their expertise, recommendations, and assistance.
- The customer ultimately decide what is allowed or not allowed into their network environment.
- If you can afford to block some legitimate traffic, you can move modules very aggressively through the blocking phases.
- If you want to observe traffic in Transparent mode for a few weeks or even months, we can do that.
When you're ready to tune a policy, submit a WAF Violation Assessment: How to Create WAF Violation Assessments