Today, websites routinely capture, process, store, and transmit sensitive customer information—such as personal details, credit card numbers, and Social Security data—for both immediate and occasional use.
To do this safely, organizations can deploy various controls and tools, including Web Application Firewall as a Service, that extend their ability to recognize and respond to threats against their network.
One of the main challenges in implementing these tools is that they must sit directly in the traffic path so they can inspect each request and decide whether to block it. This adds latency to every request, which can be restrictive for applications that rely on very low-latency responses.
Another major challenge when deploying these tools is the false positive rate—how often they incorrectly identify a normal user as malicious and block their activity. This issue can make selecting and implementing such tools much more difficult than expected.
Blocking Web Application Attacks
To use this model effectively, we must be able to efficiently decide which traffic to scrutinize. This reduces latency for regular users and lowers the chance of false positives affecting them. To achieve this, we need a reliable way to determine which traffic should be placed in inline mode. This decision can be made in the following ways:
Traffic Routing
Traffic routing decides which parts of the traffic enter inline mode. In this mode, the WAF analyzes every request and blocks any that it identifies as a web application attack. This method lets applications with low latency tolerance undergo inspection only when needed. The system adds latency only when it detects a threat and blocks malicious requests. Analysts or automated processes can make routing decisions.
Fingerprint-Based Routing
By analyzing traffic in the log-processing component, we can extract fingerprints associated with web application attacks. The system routes only these fingerprints through the WAF service, which adds latency only to suspicious traffic. It creates fingerprints from parts of the request—such as the IP address, customer ID, or User-Agent—or from any combination of these elements. Analysts or automated processes can also add specific patterns that generate new fingerprints.
The log-processing component continually generates fingerprints and stores them in the State Store, enabling the Agent to route the correct traffic to the WAF. Analysts can also trigger this process by marking fingerprints that should always go through WAF inspection.
Net Block-Based Routing
Another traffic-routing option relies on network blocks. Traffic from certain ISPs, hosting providers, or high-risk sources—such as open proxies or Tor exit nodes—is routed by default to the WAF for inspection. The system achieves this by updating the State Store with the IP netblocks of these providers or network members. This way, the Agent knows to route their traffic to the WAF.
Virtual Patching
For endpoints with known vulnerabilities or higher risk, we enable virtual patching. This ensures the WAF security service inspects every request to these endpoints, not just those flagged as threats. Specific endpoints—or selected parameters that may be vulnerable—are routed to the WAF security service for detailed analysis.
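The three routing decisions above (fingerprint-based, netblock-based, and virtual patching) all come down to the Agent consulting a State Store before forwarding a request. The following is an added example, not code from the original article or from any WAF product: a minimal log-processing step that derives fingerprints from requests matching an attack pattern, and an Agent routing function that returns why a request goes inline through the WAF (or None for the fast path). The StateStore structure, the attack patterns, the fingerprint key format, and every IP address, path and User-Agent are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed State Store: the log-processing component and analysts write to it,
# the Agent reads it on every request. Keys and structure are assumptions.
@dataclass
class StateStore:
    fingerprints: set = field(default_factory=set)      # e.g. "ip:203.0.113.7"
    netblocks: list = field(default_factory=list)       # ipaddress network objects
    virtual_patches: dict = field(default_factory=dict) # path -> set of params, or None for all

def make_fingerprints(request):
    """Fingerprints from the request parts named in the text: IP, customer ID,
    User-Agent, plus one combination (IP+UA). Key format is an assumption."""
    ip = request.get("ip")
    cid = request.get("customer_id")
    ua = request.get("user_agent")
    fps = set()
    if ip:
        fps.add(f"ip:{ip}")
    if cid:
        fps.add(f"cid:{cid}")
    if ua:
        fps.add(f"ua:{ua}")
    if ip and ua:
        fps.add(f"ip+ua:{ip}|{ua}")
    return fps

# Hypothetical attack patterns the log-processing component looks for.
ATTACK_PATTERNS = [
    re.compile(r"(?i)union\s+select"),  # SQL injection marker
    re.compile(r"(?i)<script"),         # reflected XSS marker
    re.compile(r"\.\./"),               # path traversal marker
]

def process_log(store, log_records):
    """Log-processing component: for every logged request whose path or query
    matches an attack pattern, store its fingerprints so the Agent routes
    later traffic carrying them through the WAF. Returns the new fingerprints."""
    new = set()
    for rec in log_records:
        target = rec.get("path", "") + "?" + rec.get("query", "")
        if any(p.search(target) for p in ATTACK_PATTERNS):
            fps = make_fingerprints(rec)
            store.fingerprints |= fps
            new |= fps
    return new

def route(store, request):
    """Agent decision. Returns the reason the request is sent inline through the
    WAF ("virtual-patch", "netblock", "fingerprint") or None for the fast path.
    Check order only affects which reason is reported, not whether it is routed."""
    path = request.get("path", "")
    # 1. Virtual patching: whole endpoint (None) or only selected parameters.
    if path in store.virtual_patches:
        patched_params = store.virtual_patches[path]
        sent_params = set(parse_qs(request.get("query", ""), keep_blank_values=True))
        if patched_params is None or patched_params & sent_params:
            return "virtual-patch"
    # 2. Netblock-based routing: source IP inside a listed high-risk range.
    try:
        addr = ipaddress.ip_address(request.get("ip", ""))
        if any(addr in net for net in store.netblocks):
            return "netblock"
    except ValueError:
        pass  # unparsable IP: fall through to fingerprint check
    # 3. Fingerprint-based routing: any fingerprint of this request is marked.
    if make_fingerprints(request) & store.fingerprints:
        return "fingerprint"
    return None

def build_sample_store():
    """Populate a store with constructed data: one high-risk netblock, two
    virtual patches, an analyst-marked customer ID, and fingerprints learned
    from a constructed log containing one SQL-injection attempt."""
    store = StateStore()
    store.netblocks = [ipaddress.ip_network("198.51.100.0/24")]  # constructed "open proxy" range
    store.virtual_patches = {"/api/export": None, "/search": {"q"}}
    store.fingerprints.add("cid:42")  # analyst marked this customer ID for inspection
    constructed_log = [
        {"ip": "203.0.113.7", "user_agent": "curl/8.0", "path": "/login",
         "query": "user=a' UNION SELECT 1--"},
        {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0", "path": "/", "query": ""},
    ]
    process_log(store, constructed_log)
    return store

if __name__ == "__main__":
    store = build_sample_store()
    for req in [
        {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0", "path": "/", "query": ""},
        {"ip": "198.51.100.42", "user_agent": "Mozilla/5.0", "path": "/", "query": ""},
        {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0", "path": "/search", "query": "q=shoes"},
        {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0", "path": "/search", "query": "page=2"},
    ]:
        print(req["ip"], req["path"], "->", route(store, req))
```

Note that the first request in the demo is routed on the IP fingerprint alone even though its User-Agent differs from the logged attack, which is the behaviour the text describes: once a fingerprint is marked, any later request carrying it is inspected, while a request from an unmarked source to an unpatched endpoint takes the fast path and pays no WAF latency.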
