A web application firewall or WAF may be software, hardware, firmware, or a combination thereof that may serve as an appliance, server “plugin”, or filter. A WAF may be implemented over one or more devices. WAFs are used to apply a set of rules to a conversation or transaction, such as a hypertext transfer protocol or HTTP conversation. Examples of a WAF's use include preventing attacks (i.e., web attacks), such as cross-site scripting, SQL injection, and the like.
A WAF may be implemented with various platforms, including what is known as a Software as a Service or SaaS platform. A SaaS platform may be used in cloud computing. Typical WAFs implemented on such platforms may have several shortcomings. A platform, such as SaaS, serves multiple tenants or clients. When a WAF is applied, all tenants or clients that are part of or within the environment are protected with the same rules. However, the same rules may not all apply to all tenants or clients. Because different tenants may contain different types of data and feature usages, one rule that works for a tenant may not work well for other tenants or clients. Applying the same rules may lead to issues or problems such as a high rate of false positives that may falsely block normal or expected traffic.
There may be difficulty in applying customized rules to all tenants or clients. Function impact for a WAF or WAFs may not be controllable. It may not be possible to selectively turn a rule on/off for a specific tenant or client. In addition, the prevention action may not be customizable. For a specific attack, it may not be possible to define a different option for different tenants. This limits the usability of the WAF. Compromises may have to be made, such as the inability to run in active mode in a production environment. For example, implementations using particular software applications may have to run in passive mode. Running in passive mode may not block traffic, defeating the purpose of a firewall.
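To make the shortcomings described above concrete, the following Python illustration is added here; it is not code from this patent or from any product. It models a shared rule set evaluated for every tenant of a SaaS platform, then adds the two per-tenant controls the text says are missing: switching an individual rule on or off for one tenant, and choosing a different prevention action (active "block" versus passive "log") per tenant and per rule. The rule signatures, tenant names and request format are constructed for the example.

```python
"""
Toy multi-tenant WAF policy engine (added illustration, not the patent's own code).

Constructed assumptions:
  * One shared rule set is evaluated for every tenant in the environment.
  * A tenant may disable individual rules and may override the prevention
    action per rule: "block" (active mode) or "log" (passive mode).
  * A request is a dict with a "path" and a "params" mapping of query values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: "re.Pattern[str]"
    default_action: str = "block"   # used when a tenant has no override


# Shared rule set applied to the whole platform. The signatures are constructed
# and deliberately simple; they exist only to show the policy mechanics.
SHARED_RULES: List[Rule] = [
    Rule("R100", "SQL keyword in a parameter value",
         re.compile(r"\b(select|union|insert|drop)\b", re.IGNORECASE)),
    Rule("R200", "Script tag in a parameter value",
         re.compile(r"<\s*script\b", re.IGNORECASE)),
]


@dataclass
class TenantPolicy:
    tenant_id: str
    disabled_rules: Set[str] = field(default_factory=set)
    action_overrides: Dict[str, str] = field(default_factory=dict)

    def action_for(self, rule: Rule) -> Optional[str]:
        """Return the action this tenant applies to the rule, or None if it is off."""
        if rule.rule_id in self.disabled_rules:
            return None
        return self.action_overrides.get(rule.rule_id, rule.default_action)


@dataclass
class Decision:
    tenant_id: str
    blocked: bool
    matched: List[str]   # rule ids that matched the request
    logged: List[str]    # matched rule ids handled in passive (log-only) mode


def evaluate(policy: TenantPolicy, request: Dict) -> Decision:
    """Run the shared rules against one request under one tenant's policy."""
    blocked = False
    matched: List[str] = []
    logged: List[str] = []
    values = list(request.get("params", {}).values())
    for rule in SHARED_RULES:
        action = policy.action_for(rule)
        if action is None:
            continue  # rule switched off for this tenant
        if any(rule.pattern.search(v) for v in values):
            matched.append(rule.rule_id)
            if action == "block":
                blocked = True
            else:
                logged.append(rule.rule_id)
    return Decision(policy.tenant_id, blocked, matched, logged)


# Constructed tenant policies:
#   tenant_a: shared rules unchanged (the "same rules for everyone" case)
#   tenant_b: hosts SQL tutorials, so searches legitimately contain "select";
#             R100 is disabled for this tenant only, R200 still blocks
#   tenant_c: not ready for active mode, so every rule is set to passive "log"
POLICIES: Dict[str, TenantPolicy] = {
    "tenant_a": TenantPolicy("tenant_a"),
    "tenant_b": TenantPolicy("tenant_b", disabled_rules={"R100"}),
    "tenant_c": TenantPolicy("tenant_c",
                             action_overrides={"R100": "log", "R200": "log"}),
}

# Constructed requests: a benign tutorial search and a script-tag probe.
BENIGN_SEARCH = {"path": "/search", "params": {"q": "select statement examples"}}
SCRIPT_PROBE = {"path": "/search", "params": {"q": "<script>alert(1)</script>"}}


def decide(tenant_id: str, request: Dict) -> Decision:
    return evaluate(POLICIES[tenant_id], request)


if __name__ == "__main__":
    for tenant in POLICIES:
        for name, req in (("benign", BENIGN_SEARCH), ("probe", SCRIPT_PROBE)):
            d = decide(tenant, req)
            print(f"{tenant:9s} {name:7s} blocked={d.blocked} "
                  f"matched={d.matched} logged={d.logged}")
```

Running the example shows the three outcomes the passage contrasts: under the uniform policy, tenant_a blocks a legitimate tutorial search (the false positive), tenant_b passes that same search because R100 is off for it alone while still blocking the script-tag probe, and tenant_c records both matches in passive mode without blocking anything, which is exactly the "log but never block" compromise the text warns about.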