We are migrating some of our sites from an F5 ASM to Cloudflare WAF. In F5 we implement “positive security”, meaning we allow only access to URLs that should be permitted to users, and block everything else. We develop this list based on F5 ASM’s learning mode.
Cloudflare WAF does not seem to have an equivalent learning mode. Therefore I can only surmise that we will require a complete list of URLs from the application team to implement in the Cloudflare WAF manually in an “if request URL does not equal URL_n then block” type of rule.
Has anyone come across a similar challenge and resolved it any other way? Is there a Cloudflare tool I am not aware of that could help here?
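
The “if request URL does not equal URL_n then block” rule described in the question, sketched as an added example that is not part of the original post: it derives the path list from origin access logs and emits a Cloudflare Rules expression for a custom rule whose action is Block. The log format, sample lines and function names are constructed assumptions, and the expression matches exact paths only.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /account/profile?tab=1 HTTP/1.1" 200 900
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/setup.php HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /account/profile HTTP/1.1" 200 900
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 4000
garbage line
"""

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def learn_paths(log_text, min_hits=1):
    """Return sorted paths the origin served with 2xx/3xx at least min_hits times."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"][0] not in "23":
            continue  # skip unparsable lines and error responses (probes, typos)
        path = urlsplit(m["target"]).path  # drop the query string
        hits[path] = hits.get(path, 0) + 1
    return sorted(p for p, n in hits.items() if n >= min_hits)


def build_expression(paths):
    """Build an expression that matches any request NOT on the allowlist."""
    if not paths:
        raise ValueError("empty allowlist would block every request")
    for p in paths:
        if '"' in p or "\\" in p:
            raise ValueError(f"path needs manual review: {p!r}")
    quoted = " ".join(f'"{p}"' for p in paths)
    return f"not (http.request.uri.path in {{{quoted}}})"


if __name__ == "__main__":
    print(build_expression(learn_paths(SAMPLE_LOG)))
```

Raising `min_hits` keeps one-off requests out of the learned list, and the result still needs review by the application team before the rule is enforced.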