My experience with WAF has been disappointing. I have had so many false positives that about all I can reliably enforce is Site Path Routing. I have found no documentation that provides "hints and tricks" to minimize problems and maximize success. Level 1 support simply advises that if a feature causes problems, turn it off.
During the sales cycle, Forms Hardening seemed conceptually easy to implement with full transparency. WAF simply needs to ensure that the returned form has the same field names as the one sent out, that the max_length parameter is observed on all returned fields, and that the returned character set is consistent with the requested character set. In practice, I have never had a site which did not throw Form Hardening errors.
Form Hardening and Cookie Hardening have to be used together, so Cookie Hardening fails because Form Hardening fails.
Strict rules throw false positives so I add them to the ignore list without really understanding the implications of the exception, then I hit a wall because I have what appears to be a false positive on an infrastructure rule which should never be disabled. So instead I disable Strict Rules.
Bad Client checking uses the email RBLs. The email RBLs include residential IP addresses in their blocklists because residential users on dynamic IPs should not be running mail servers (but might be running mail-sending malware). I don't want to abandon those RBLs for email protection, so I have turned Bad Client checking off for WAF protection. (One person in this forum points out the Bad Client checking can be enabled without the RBL lookup, which performs some undocumented filtering based on GEO-IP.)
Of course, it is difficult to know during testing whether the tests have been extensive enough to expose all of the needed WAF exceptions. Once the site is in production, it is extremely difficult to know whether a log entry represents a false positive or not. The logs are obscure, but even after studying them carefully, it seems impossible to know how to respond to them.
Has anyone figured out how to make Form Hardening work, or figured out whether certain development practices that can either cause it to fail or allow it to succeed?
Do we even know whether WAF supports both HTML4 and HTML5? Are there different limitations based on the HTML version?
Does anyone have any advice for making the other features useful?