topic Re: Genai and learning mode question in WAF

Genai and learning mode question

Christoph — Thu, 07 Aug 2025 07:57:13 GMT

Hello,

yesterday I enabled Tech Preview mode to check out a finding and turned it off after again.

Today I discovered a "Genai" rule option in the rule base. Idk if it's related to the enable/disable of the tech preview mode.

The rule builder itself look the same and I have no idea where to put my natural language (uri regex i.e.?). I cannot find any information about this. Is this documented anywhere?

Second question. I had some SQL injections in a password field yesterday. One of them was a "legit" password matching an SQL injection (partly, mostly a false positive) and two were SQL injections by myself to confirm the previous finding.

Today I got the question, whether these 3 are malicious or benign requests, grouped together. Lets assume the first SQL injection was benign, the later malicious.
What should I answer, as I cannot split them up or should I not answer at all?
What are the consequences of flagging a malicious request as benign, in the short/medium/long term for the MLM?

Cheers

Christoph

Re: Genai and learning mode question

_Val_ — Mon, 11 Aug 2025 07:21:32 GMT

Did you try documentation? https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SaaS-Admin-Guide/Content/Topics-SaaS-AG/GenAI-Protect-Dashboard.htm

Re: Genai and learning mode question

Christoph — Mon, 11 Aug 2025 08:32:09 GMT

Hello Val,

I actually did.
"Genai Protect" in the Harmony SaaS Administration Guide, as a preventive measure to regulate the usage of AI in the corporate environment is more or less a DLP solution.

"Genai protection" in the Cloudguard WAF says define a custom rule in natural language and presents the standard rule options.

The Cloud Guard WAF documentation has the Genai protection, as of now, not listed. Only the following options are available:

Documentation Overview | CloudGuard WAF

Accept - Traffic matching the exception's conditions will be accepted.
Drop - Traffic matching the exception's conditions will be blocked.
Skip - Relevant only for specific keys like "Parameter Name", "Parameter Value" and "Indicator". Allows skipping the value of the matching parameter from being inspected by the CloudGuard WAF engines. The rest of the traffic will be inspected for malicious behavior. Skip action is not supported with Scheme Validation.
Suppress Log - Traffic matching the exception's condition will not activate their Log Trigger object/s upon event.

Re: Genai and learning mode question

_Val_ — Mon, 11 Aug 2025 10:09:14 GMT

What about the link I provided you with?

Re: Genai and learning mode question

Christoph — Mon, 11 Aug 2025 10:10:56 GMT

I cannot find any information related to the Web Application Firewall in your link.

Re: Genai and learning mode question

_Val_ — Mon, 11 Aug 2025 10:31:14 GMT

Gotcha. Let me see what I can dig out