I was wondering if anyone knows of any length of time that Passive Mode should be turned on? I have scoured admin guides, best practice guides, etc. and cannot seem to locate a recommended timeframe for a newly deployed site to run in passive/learning mode prior to going active. A follow-up question I have is: once all this data is ingested and patterns are identified by passive mode, how is that data handled by the appliance? Is it possible that malicious traffic (if witnessed often enough) could be considered permissible traffic? I just want to make sure that we're deploying new sites according to best practices and better understand the way that passive mode acquires and analyzes data going forward.
We're running 660 WAFs with the latest firmware 9.0.0.x.
Thanks in advance!