What are TR7 WAF Modes? What is Learning Mode?

About

What Are the WAF Modes? What Is Learning Mode?

TR7 WAF operates in three main modes: Learning, Monitor, and Blocking.

The first step in deploying TR7 WAF effectively is to analyze application traffic in Learning Mode. In this phase the WAF learns how the application behaves and gathers information about its page structures and dynamic data.

Learning Mode observes suspicious activity in order to improve the accuracy of future security rules. During this process no active blocking is performed and no logs are kept in the web management interface: traffic is only monitored, and potential threats are identified. A site map of the relevant service is created and is used afterward for "Analysis and Learning".

Because Learning Mode learns the specific traffic of each application, it enables customized security rules that provide the most suitable protection for that application instead of a general security policy. This process allows the WAF to update continuously and adapt rapidly to new attack techniques. As a result, TR7 WAF generates dynamic rules that provide high security by correctly understanding the application's traffic flow, and it refines these rules over time.

Interface

WAF Modes and Learning Mode

Step 1

First, open the WAF Management screen for the relevant vService by following "Monitor Mode > Related vService > WAF Management". WAF is first enabled from the vService's edit screen, and it is enabled in Learning Mode by default.

The time a service needs to stay in Learning Mode is directly proportional to the traffic it receives. To generate the most comprehensive and secure site map, every path on the relevant service must have received requests while Learning Mode was active.
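
One way to check that coverage requirement before leaving Learning Mode is to compare the application's route inventory against the backend's access log for the learning window. The script below is an added example, not TR7 tooling or code from the original page; the log format (combined access log), the route list, the sample lines, and the rule that only responses with status below 400 count as exercised are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: backend access log lines (combined format) from the learning window.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [01/Mar/2025:10:00:02 +0000] "GET /login?next=%2Forders HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.9 - - [01/Mar/2025:10:00:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2025:10:00:09 +0000] "GET /orders/1042 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2025:10:00:11 +0000] "GET /orders/77/invoice HTTP/1.1" 404 0 "-" "Mozilla/5.0"
malformed line without a request field
"""

# Hypothetical route inventory (method, path template), e.g. exported from the app's router.
EXPECTED_ROUTES = [
    ("GET", "/"), ("GET", "/login"), ("POST", "/login"),
    ("GET", "/orders/{id}"), ("POST", "/orders"), ("GET", "/orders/{id}/invoice"),
]

REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(target):
    """Drop the query string and collapse numeric path segments into {id}."""
    path = urlsplit(target).path or "/"
    segments = ["{id}" if s.isdigit() else s for s in path.split("/")]
    return "/".join(segments) or "/"

def observed_routes(log_text):
    """Return {(method, template)} for requests answered with status < 400 (assumption)."""
    seen = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)  # malformed lines simply do not match
        if m and int(m.group(3)) < 400:
            seen.add((m.group(1), normalize(m.group(2))))
    return seen

def coverage_gaps(expected, log_text):
    """Routes that received no successful request during the learning window."""
    seen = observed_routes(log_text)
    return [route for route in expected if route not in seen]

if __name__ == "__main__":
    for method, path in coverage_gaps(EXPECTED_ROUTES, SAMPLE_LOG):
        print(f"not exercised during learning: {method} {path}")
```

Any route this reports is one the site map has not seen, so it should be exercised (for example by a functional test run through the vService) before the mode is changed.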