PowerSEC's Behavioral WAF is a pattern-inspection layer that runs on top of the standard Firewall. It is off by default and ships with three operating modes designed to roll out safely without breaking your site.
Why three modes?
Web Application Firewalls famously block legitimate traffic ("false positives") if you skip the observation phase. The classic example: an admin pastes a code snippet containing the words UNION SELECT into a post body and finds that the save fails because the WAF flagged it as SQL injection.
PowerSEC defaults to a learning-first workflow so you can collect a false-positive baseline for your specific site before any blocking happens.
Mode 1: Learning (default when WAF is enabled)
- Every request that matches a signature is logged to the WAF block log.
- Nothing is blocked. The site behaves exactly as before.
- A daily analyzer scans the log and surfaces suggested exceptions based on repeated matches by privileged users on the same URL or parameter — typical false-positive patterns.
- Accept suggestions with one click in PowerSEC → Firewall → Behavioral WAF → Learning insights.
Run learning mode for at least 7 days of normal traffic.
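The kind of analysis the daily analyzer is described as doing can be sketched as follows. This is an added illustration, not PowerSEC's own code: the row fields, role names, repeat threshold and the rule that a key seen from unprivileged traffic is never suggested are all assumptions, and the log rows are constructed.

```python
from collections import Counter

# Assumptions for this sketch: role names, repeat threshold, row fields.
PRIVILEGED_ROLES = {"admin", "editor"}
MIN_REPEATS = 3

def row(rule, path, param, ip, role):
    return {"rule": rule, "path": path, "param": param, "ip": ip, "role": role}

# Constructed learning-mode log rows (not real PowerSEC output).
SAMPLE_LOG = (
    [row("sqli-union", "/admin/post/edit", "content", "203.0.113.5", "admin")] * 4
    + [row("xss-script", "/admin/page/edit", "body", "203.0.113.9", "editor")] * 3
    + [row("xss-script", "/admin/page/edit", "body", "198.51.100.7", "anonymous")]
    + [row("sqli-union", "/admin/settings", "note", "203.0.113.5", "admin")] * 2
    + [row("sqli-union", "/search", "q", "198.51.100.7", "anonymous")] * 5
)

def suggest_exceptions(rows, min_repeats=MIN_REPEATS):
    """Return exception candidates: repeated matches on one rule/path/param
    that come only from privileged users."""
    privileged, other = Counter(), Counter()
    for r in rows:
        key = (r["rule"], r["path"], r["param"])
        (privileged if r["role"] in PRIVILEGED_ROLES else other)[key] += 1
    suggestions = []
    for key in sorted(privileged):
        # Skip keys that unprivileged traffic also triggers: an exception
        # there would exempt untrusted requests as well as the admin's.
        if privileged[key] >= min_repeats and other[key] == 0:
            rule, path, param = key
            suggestions.append({"rule": rule, "path": path, "param": param,
                                "matches": privileged[key]})
    return suggestions

if __name__ == "__main__":
    for s in suggest_exceptions(SAMPLE_LOG):
        print(s)
```

Only the repeated admin matches on `/admin/post/edit` become a suggestion; the editor's matches are held back because an anonymous request hit the same rule and parameter, and the search-page matches never qualify.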
Mode 2: Monitor
- Logs everything (same as learning) but does not generate suggestions.
- Use this once your false-positive list is settled and you want a quiet observation period before enforcement.
Mode 3: Block
- Enforces signatures with confidence gating.
- High and medium confidence rules block by default; low confidence rules log only unless you explicitly opt in.
- Block mode is locked until the promotion gate is satisfied: ≥7 days of observation and ≥100 logged matches, OR zero pending false-positive suggestions if the site has low traffic.
- The gate is verified server-side: a request to switch into block mode before the gate is satisfied is rejected.
What if I'm wrong?
Every block writes a row to the block log with the rule, request path, parameter, and IP. If you see that a legitimate request was blocked:
- Open PowerSEC → Firewall → Behavioral WAF → View block log.
- Click Mark FP on the row.
- The exact URL path is added to the URL-exception list and the request will pass next time.
You can also fall back to monitor or learning mode at any time by changing the dropdown — the change takes effect immediately.
Comparison with the standard Firewall
The standard Firewall (IP blocking, rate limiting, geo-blocking, basic SQLi/XSS keyword scoring) is always on even when the Behavioral WAF is off. The Behavioral WAF adds a deeper signature library and a confidence model on top — turn it on when you want stronger detection and are ready to manage exceptions.