The four-step security lifecycle is critical during firewall installation: secure, monitor, test and improve. This...
is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, make sure that you have documented the network infrastructure and hardened the device or the box it will run on. This means applying patches as well as taking the time to configure the device for increased security.
The business rules that you've set in your security policy, such as allowed character sets, will determine how the firewall is configured. If you approach WAF configuration this way, the rules and filters will define themselves. Web application firewalls can expose technical problems within a network or application, such as false positive alerts or a traffic bottleneck.
Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Additional testing time should be allowed for if you are running multi-language versions of an application, since it may have to handle different character sets.
The testing should match the "live" application environment as closely as possible. This approach will help expose any system integration issues the Web application firewall may cause prior to deployment. Stress testing the WAF using tools such as Microsoft's Web Application Stress and Capacity Analysis Tools or AppPerfect Load Tester will also help reveal any bottlenecks caused by the positioning of the WAF.
For more on Web application firewall selection and deployment
Understanding your Web application firewall (WAF) product options
Comparing Web application firewall (WAF) security features
Web application firewall implementation: Software vs. hardware
How to deploy a Web application firewall (WAF)
Web application firewall (WAF) management