Negative or Positive Security

The positive security model starts from a “block everything” stance and then explicitly allows only what is known to be good (define what is good).

A negative security model is the complete opposite of the positive security model: it starts by “allowing everything” and is then built up by blocking requests based on known previous attacks and unwanted content and behaviours (define what a threat is and allow everything else).

I think the best approach is a combination of positive and negative, for example ASM signatures in blocking mode and the policy in learning mode.

Signature Staging

When you first activate a security policy, the system puts the attack signatures into staging (if staging is enabled for the security policy). Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.

Whenever you add or change signatures in assigned sets, those signatures are also put into staging. You also have the option of putting updated signatures in staging.

Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. From Manual Traffic Learning, if you see that an attack signature violation has occurred, you can view these attack signatures from the Attack Signature Detected screen.

Upon evaluation, if the signature is a false positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternatively, if the detected signature match is legitimate, you can enable the corresponding attack signature. Note that enabling the signature removes it from staging and puts the blocking policy action into effect.
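To make the staging and learning behaviour concrete, here is an added toy model (not F5 code, and not how ASM is implemented internally) of the combination suggested above: negative-model signatures that block once out of staging, and a positive-model parameter allow list that stays in learning mode. The seven-day staging period, the learning suggestions and the enable/disable actions follow the text; the signature names, patterns, dates and the substring matcher are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STAGING_PERIOD = timedelta(days=7)  # default staging period stated above
@dataclass
class Signature:
    name: str
    pattern: str            # toy matcher: substring searched for in the request body
    added: datetime         # when the signature was added or last updated
    enabled: bool = False   # operator confirmed a real attack: leaves staging and blocks
    disabled: bool = False  # operator marked it a false positive: no longer applied
    def in_staging(self, now):
        return not self.enabled and now - self.added < STAGING_PERIOD
@dataclass
class Policy:
    signatures: list
    allowed_params: set              # positive model: parameters the app legitimately uses
    positive_blocking: bool = False  # False = positive model still in learning mode
    suggestions: list = field(default_factory=list)
    def evaluate(self, body, params, now):
        """Return 'block' or 'allow'; staged matches only produce learning suggestions."""
        verdict = "allow"
        for sig in self.signatures:           # negative model: attack signatures
            if sig.disabled or sig.pattern not in body:
                continue
            if sig.in_staging(now):
                self.suggestions.append(("signature", sig.name))
            else:
                verdict = "block"
        for p in params:                      # positive model: allow-listed parameters
            if p not in self.allowed_params:
                self.suggestions.append(("parameter", p))
                if self.positive_blocking:
                    verdict = "block"
        return verdict
def run_demo():
    """Constructed scenario: one signature still in staging, one past its staging period."""
    now = datetime(2024, 1, 10)
    fresh = Signature("sqli_union", "UNION SELECT", added=datetime(2024, 1, 8))
    mature = Signature("path_traversal", "../", added=datetime(2023, 12, 1))
    policy = Policy([fresh, mature], allowed_params={"user", "page"})
    out = {"staged": policy.evaluate("x UNION SELECT y", ["user"], now),
           "mature": policy.evaluate("../../etc", ["user"], now),
           "unknown_param": policy.evaluate("hello", ["debug"], now)}
    fresh.enabled = True                      # operator confirms the match is legitimate
    out["after_enable"] = policy.evaluate("x UNION SELECT y", ["user"], now)
    out["suggestions"] = policy.suggestions
    return out
```

Running `run_demo()` shows the staged signature and the unknown parameter only generating suggestions, while the mature signature, and the fresh one once enabled, block.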