Tuning WAF Anomaly Scoring Thresholds and Paranoia Level
Application: Any web-based application.
I was wondering what is the best practice or what is suggested: keeping a medium Anomaly Score threshold but raising the blocking Paranoia Level, or lowering the blocking Paranoia Level but keeping a low Anomaly Score threshold altogether?
Cause: The need to tune WAF Anomaly Scoring Threshold and Paranoia Level to suit the needs of the environment.
We have no recommendation for these settings, as these need to be tuned to the requirements of the environment.
We recommend starting out with an Anomaly Score of 10000, set within Virtual Services > View/Modify Services > modify the desired VS > WAF. The Anomaly Score of 10000 will allow all traffic to be audited instead of blocked. By auditing what's received in the LoadMaster's logs (System Configuration > Logging Options > System Log Files > WAF Event Logs), clients can be tuned to better conform to an environment. Note: if the WAF Event Logs are not listed there, no events have been generated yet.
The Paranoia Level is also a matter of preference, as it determines what level of rules are triggered. Most customers are satisfied with Paranoia Level 1, but institutions that require elevated security, such as governments or banks, may find that Paranoia Level 2 suits their needs better. Paranoia Levels can be audited by navigating to the Advanced Settings of WAF and elevating the Executing Level to 2 (or 3 or 4). This allows the elevated Paranoia Level to be audited without blocking on it. To actually put the elevated Paranoia Level into place, elevate the Blocking Level to match the Executing Level.
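
The audit-then-tune approach described above can be turned into a replay of the audited events against candidate settings. The following is an added example, not code from the original article or from the LoadMaster. It assumes the WAF event lines carry ModSecurity-style bracketed fields, that scoring follows the OWASP CRS default severity points, and that a request is blocked when its score reaches the threshold; the log lines are constructed.

```python
import re
from collections import defaultdict

# OWASP CRS default points per rule severity (assumed to apply here).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample events in ModSecurity-style bracketed fields
# (assumed format; not copied from a real LoadMaster log).
SAMPLE_LOG = """\
waf: Warning. [id "942100"] [severity "CRITICAL"] [tag "paranoia-level/1"] [unique_id "req-B"]
waf: Warning. [id "942430"] [severity "WARNING"] [tag "paranoia-level/2"] [unique_id "req-B"]
waf: Warning. [id "920300"] [severity "NOTICE"] [tag "paranoia-level/2"] [unique_id "req-A"]
waf: Warning. [id "942430"] [severity "WARNING"] [tag "paranoia-level/2"] [unique_id "req-A"]
waf: Warning. [id "920300"] [severity "NOTICE"] [tag "paranoia-level/2"] [unique_id "req-C"]
waf: malformed line without fields
"""


def scores_by_request(log_text, paranoia_level):
    """Sum severity points per request, counting only rules at or below paranoia_level."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = FIELD.findall(line)
        single = dict(fields)
        levels = [int(v.split("/", 1)[1]) for k, v in fields
                  if k == "tag" and re.fullmatch(r"paranoia-level/\d", v)]
        points = SEVERITY_SCORE.get(single.get("severity"))
        if not levels or points is None or "unique_id" not in single:
            continue  # skip lines that are not scorable rule hits
        totals[single["unique_id"]] += points if levels[0] <= paranoia_level else 0
    return dict(totals)


def would_block(log_text, paranoia_level, threshold):
    """Requests whose score reaches the threshold (assumed rule: score >= threshold)."""
    scores = scores_by_request(log_text, paranoia_level)
    return sorted(req for req, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    for level in (1, 2):
        for threshold in (5, 8):
            hits = would_block(SAMPLE_LOG, level, threshold)
            print(f"PL{level} threshold {threshold}: {hits}")
```

On the sample data, raising the level from 1 to 2 at the same threshold starts blocking a request that only triggered level 2 rules, which is the kind of result to review in the audit logs before raising the Blocking Level.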