
What Should be Done After Learning Mode in TR7 WAF? What is the Analysis Process and What Should be Considered While Doing It?


Post-Learning Analysis Process and Site Map

The analysis process is a critical phase following TR7 WAF's Learning Mode, during which the traffic structure of the application is examined in detail to generate a comprehensive site map. In this process, various filtering and control mechanisms are used to analyze traffic and identify security weaknesses. The goal is to create a clean and reliable site map by eliminating unnecessary or malicious traffic. As a result of the analysis, rules are created for specific paths.

Interface

Analysis Process

Step > 1

Open the WAF Management screen of the related vService that has completed the Learning phase. Follow the steps "Monitor Mode > Related vService > WAF Management".

Step > 2

Click the "Analysis and Learning" button for the related Host Group to access the pre-analysis configuration screen. The goal of this screen is to customize the filtering process to ensure that all previously made requests to the service are filtered as cleanly as possible and to build a reliable site map.

The main analysis criteria used at this stage are:

  • Analyze Date: Select the time range for analysis.

  • Ignore old rules: Decide whether the rules produced by this analysis replace the rules that already exist for the host group or are merged with them.

  • Rule Creating Mode: Choose from Comprehensive, Data Based, or Page Independent depending on the structure of the web service.

    With Comprehensive, every HTTP method is denied by default: unless a path definition is added on top of the default rules, WAF blocks all requests. Each path is learned individually and receives its own rules, and any request to a path that was not learned is blocked.

    With Data Based, GET and HEAD requests are allowed under the "Any paths" rule, while data-sending methods such as POST are not. Any page that receives a POST request, a query parameter, or data in the raw body (for example XML or JSON) is learned individually, and requests to it are allowed only within the scope of the learned rules. For example, a GET request to "photo.jpeg" is allowed; the same request with a query parameter that was not learned is blocked.

    Page Independent mode is used when there is little known about the service to be protected (paths, request methods, variables, etc.). It provides OWASP-based protection without path-specific learning and uses the "Any paths" rule.

  • Country Filter: Filter traffic by source country. Only traffic from the selected countries is included in the analysis.

  • Only Domains: Include only requests whose Host header carries a domain name. Requests addressed directly to the server's IP address, which is how IP-based scans and attacks typically arrive, are excluded.

  • Only Browsers: Inspect User-Agent headers and exclude clients that do not look like real browsers (scanners, scripts, and incompatible clients).

  • Skip Blacklist IPs: Exclude blacklisted IPs from analysis.

  • Status Code Filter: Include only requests that returned the selected HTTP status codes. Unexpected responses such as floods of 404 or 500, which are typical of scanning or failing requests, are excluded so they do not become part of the site map.

  • Bot Filter: Apply advanced algorithms to detect and exclude malicious bots, focusing the analysis only on real user traffic.

  • Source IP Filter: Filter based on the source IP address.

  • Host Filter: Filter based on the host header.

Filters can be set to "no filter", "use selected", or "eliminate selected" depending on requirements.
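The following is an added illustrative model of what the filters and rule-creating modes above do, written for this article; it is not TR7's code, and its field names, User-Agent heuristic, status-code defaults and sample traffic are all assumptions. It filters a constructed batch of recorded requests, learns a site map (path, method, parameter names) from what survives, and then decides new requests under the Comprehensive, Data Based and Page Independent modes, including the "photo.jpeg" case from the text.

```python
"""Illustrative model of TR7 WAF's post-learning analysis, written for this
article (not TR7 code): filter recorded traffic, learn a site map, and decide
requests under the Comprehensive / Data Based / Page Independent modes.
Field names, filter heuristics and the sample traffic below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
RAW_BODY = "<raw-body>"  # marker for a JSON/XML body, which is learned as a whole


@dataclass(frozen=True)
class Request:
    src_ip: str
    host: str        # Host header as received
    method: str
    url: str         # path plus optional query string
    status: int
    user_agent: str
    body: str = ""   # raw body of data-sending methods (form, JSON, XML)


def host_is_domain(host: str) -> bool:
    """'Only Domains': keep requests whose Host header is a name, not a bare
    IPv4 address (bracketed IPv6 Host values are not modeled here)."""
    try:
        ip_address(host.split(":")[0])
        return False
    except ValueError:
        return True


def looks_like_browser(ua: str) -> bool:
    """'Only Browsers': crude User-Agent heuristic standing in for TR7's check."""
    ua = ua.lower()
    tools = ("bot", "crawler", "spider", "curl", "python-requests", "sqlmap", "nikto")
    return ua.startswith("mozilla/") and not any(t in ua for t in tools)


def filter_traffic(requests, *, status_codes=frozenset({200, 201, 204, 301, 302, 304}),
                   blacklist=frozenset(), only_domains=True, only_browsers=True):
    """Apply the pre-analysis filters; only what survives is learned."""
    return [r for r in requests
            if r.src_ip not in blacklist                                  # Skip Blacklist IPs
            and (not only_domains or host_is_domain(r.host))              # Only Domains
            and (not only_browsers or looks_like_browser(r.user_agent))   # Only Browsers
            and r.status in status_codes]                                 # Status Code Filter


def request_params(r: Request) -> set:
    """Parameter names carried by a request: query keys, form fields, or RAW_BODY."""
    params = set(parse_qs(urlsplit(r.url).query, keep_blank_values=True))
    if r.body:
        is_form = "=" in r.body and not r.body.lstrip().startswith(("{", "<"))
        params |= set(parse_qs(r.body, keep_blank_values=True)) if is_form else {RAW_BODY}
    return params


def learn_site_map(requests):
    """Site map as path -> method -> set of learned parameter names."""
    site_map = {}
    for r in requests:
        path = urlsplit(r.url).path
        site_map.setdefault(path, {}).setdefault(r.method, set()).update(request_params(r))
    return site_map


def decide(site_map, r: Request, mode: str) -> str:
    """'allow' or 'block' for r under a rule-creating mode. OWASP signature
    checks, which apply in every mode, are outside this model."""
    if mode == "page_independent":
        return "allow"                       # 'Any paths' rule, no path learning
    params = request_params(r)
    if mode == "data_based" and r.method in SAFE_METHODS and not params:
        return "allow"                       # plain GET/HEAD falls under 'Any paths'
    learned = site_map.get(urlsplit(r.url).path, {}).get(r.method)
    if learned is None or not params <= learned:
        return "block"                       # unknown path/method or unlearned parameter
    return "allow"


FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/126.0"
LEARNING_TRAFFIC = [  # constructed sample standing in for traffic recorded in Learning Mode
    Request("203.0.113.10", "shop.example", "GET", "/", 200, FF),
    Request("203.0.113.10", "shop.example", "GET", "/images/photo.jpeg", 200, FF),
    Request("203.0.113.11", "shop.example", "GET", "/search?q=shoes&page=2", 200, FF),
    Request("203.0.113.11", "shop.example", "POST", "/login", 302, FF, body="user=alice&password=x"),
    Request("203.0.113.12", "shop.example", "POST", "/api/cart", 201, FF, body='{"sku": "A1", "qty": 1}'),
    # noise the filters should drop before anything is learned from it
    Request("198.51.100.7", "203.0.113.50", "GET", "/", 200, FF),                  # Host header is an IP
    Request("198.51.100.8", "shop.example", "GET", "/wp-login.php", 404, "python-requests/2.31"),
    Request("198.51.100.9", "shop.example", "GET", "/admin/", 200, FF),            # blacklisted source
]
BLACKLIST = frozenset({"198.51.100.9"})


def build_site_map():
    return learn_site_map(filter_traffic(LEARNING_TRAFFIC, blacklist=BLACKLIST))


if __name__ == "__main__":
    site_map = build_site_map()
    for path, methods in sorted(site_map.items()):
        print(path, {m: sorted(p) for m, p in methods.items()})
    probe = Request("203.0.113.20", "shop.example", "GET", "/images/photo.jpeg?size=large", 200, FF)
    for mode in ("comprehensive", "data_based", "page_independent"):
        print(mode, decide(site_map, probe, mode))
```

Note what the blacklist does to the site map: without "Skip Blacklist IPs", the request to /admin/ from 198.51.100.9 would have been learned and a rule allowing GET /admin/ created, which is exactly the kind of path an attacker's reconnaissance should not be allowed to whitelist on your behalf.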

Step > 3

Click the "Start Analyzing" button to begin the analysis.

The analysis will begin, and the site map will be generated accordingly.