diff --git a/docs/4.10/installation/api-gateways/layer7-api-gateway.md b/docs/4.10/installation/api-gateways/layer7-api-gateway.md index aa3a6935f..3bd750a67 100644 --- a/docs/4.10/installation/api-gateways/layer7-api-gateway.md +++ b/docs/4.10/installation/api-gateways/layer7-api-gateway.md @@ -17,7 +17,7 @@ Among all supported [Wallarm deployment options](../supported-deployment-options ## Limitations -The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#advantages-and-limitations). +The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#limitations). ## Requirements diff --git a/docs/4.10/installation/cloud-platforms/aws/ami.md b/docs/4.10/installation/cloud-platforms/aws/ami.md index 97f32570f..974022a9c 100644 --- a/docs/4.10/installation/cloud-platforms/aws/ami.md +++ b/docs/4.10/installation/cloud-platforms/aws/ami.md @@ -22,7 +22,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../oob/overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [inline-docs]: ../../inline/overview.md [oob-docs]: ../../oob/overview.md diff --git a/docs/4.10/installation/cloud-platforms/gcp/machine-image.md b/docs/4.10/installation/cloud-platforms/gcp/machine-image.md index 1b9ec054b..b2cb0e191 100644 --- a/docs/4.10/installation/cloud-platforms/gcp/machine-image.md 
+++ b/docs/4.10/installation/cloud-platforms/gcp/machine-image.md @@ -18,7 +18,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../oob/overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [inline-docs]: ../../inline/overview.md [oob-docs]: ../../oob/overview.md diff --git a/docs/4.10/installation/nginx/all-in-one.md b/docs/4.10/installation/nginx/all-in-one.md index 68983e9b3..bc1030525 100644 --- a/docs/4.10/installation/nginx/all-in-one.md +++ b/docs/4.10/installation/nginx/all-in-one.md @@ -25,7 +25,7 @@ [platform]: ../supported-deployment-options.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [web-server-mirroring-examples]: ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring [img-grouped-nodes]: ../../images/user-guides/nodes/grouped-nodes.png [wallarm-token-types]: ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation diff --git a/docs/4.10/installation/oob/ebpf/deployment.md b/docs/4.10/installation/oob/ebpf/deployment.md index a0ebd8594..32a0ad6f1 100644 --- a/docs/4.10/installation/oob/ebpf/deployment.md +++ b/docs/4.10/installation/oob/ebpf/deployment.md 
@@ -198,12 +198,14 @@ To test that the Wallarm eBPF operates correctly: ## Limitations -* The solution does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow. +* Due to its out-of-band (OOB) operation, which analyzes traffic independently from actual flow, the solution has several inherent limitations: - Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../..//user-guides/events/analyze-attack.md). + * It does not instantly block malicious requests. Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../../user-guides/events/analyze-attack.md). + * [Rate limiting](../../../user-guides/rules/rate-limiting.md) is not supported as it is impossible to limit load on target servers. + * [Filtering by IP addresses](../../../user-guides/ip-lists/overview.md) is not supported. * As server response bodies are not mirrored: - * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported - * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported + * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported. + * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported. * While the solution is in beta, not all Kubernetes resources can be mirrored effectively. Therefore, we recommend enabling traffic mirroring specifically for NGINX Ingress controllers, Kong Ingress controllers, or regular NGINX servers in Kubernetes. diff --git a/docs/4.10/installation/oob/overview.md b/docs/4.10/installation/oob/overview.md index 312ba6a00..a91d43e5e 100644 --- a/docs/4.10/installation/oob/overview.md +++ b/docs/4.10/installation/oob/overview.md 
@@ -18,29 +18,29 @@ The diagram below provides a visual representation of the general traffic flow i ![OOB scheme](../../images/waf-installation/oob/wallarm-oob-deployment-scheme.png) -## Advantages and limitations +## Advantages The OOB approach to the Wallarm deployment offers several advantages over other deployment methods, such as in-line deployments: * It does not introduce latency or other performance issues that can occur when the security solution operates in-line with the primary data path. * It provides flexibility and ease of deployment, as the solution can be added or removed from the network without affecting the primary data path. -Despite the OOB deployment approach safety, it has some limitations: +## Limitations -* Wallarm does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow. +Despite the OOB deployment approach safety, it has some limitations. The table below details the limitations associated with various deployment options: - Wallarm only observes attacks and provides you with the [details in Wallarm Console](../..//user-guides/events/analyze-attack.md). -* Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) method does not function properly. The solution determines if an API is vulnerable or not based on server responses to malicious requests that are typical for the vulnerabilities it tests. -* The [Wallarm API Discovery](../../api-discovery/overview.md) does not explore API inventory based on your traffic as server responses required for the module operation are not mirrored. - - An exception is the [eBPF](ebpf/deployment.md) solution, which conducts API inventory discovery by analyzing response codes. -* The [protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) is not available since it requires response code analysis which is currently not feasible. 
- - An exception is the [eBPF](ebpf/deployment.md) solution, which analyzes response codes, making it suitable for this purpose. +| Feature | [eBPF](ebpf/deployment.md) | | [Web server mirror](web-server-mirroring/overview.md) | +| --- | --- | --- | --- | +| Instant blocking of malicious requests | - | - | +| Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) | - | - | +| [API Discovery](../../api-discovery/overview.md) | + (excludes response structure) | - | +| [Protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) | + | - | +| [Rate limiting](../../user-guides/rules/rate-limiting.md) | - | - | +| [IP lists](../../user-guides/ip-lists/overview.md) | - | - | ## Supported deployment options Wallarm offers the following Out-of-Band (OOB) deployment options: -* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions. * [eBPF-based solution](ebpf/deployment.md) +* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions. diff --git a/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md b/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md index 5b7e4c5eb..6b57e8df7 100644 --- a/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md +++ b/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md 
@@ -27,7 +27,7 @@ search: [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png diff --git a/docs/4.10/installation/oob/web-server-mirroring/docker-image.md b/docs/4.10/installation/oob/web-server-mirroring/docker-image.md index f2b8da2ea..aa9773ef2 100644 --- a/docs/4.10/installation/oob/web-server-mirroring/docker-image.md +++ b/docs/4.10/installation/oob/web-server-mirroring/docker-image.md @@ -23,7 +23,7 @@ search: [api-token]: ../../../user-guides/settings/api-tokens.md [wallarm-token-types]: ../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation [platform]: ../../supported-deployment-options.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [web-server-mirroring-examples]: overview.md#configuration-examples-for-traffic-mirroring [memory-instr]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [ip-lists-docs]: ../../../user-guides/ip-lists/overview.md diff --git a/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md b/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md index 98a6fad4a..1e5070079 100644 --- a/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md +++ b/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md 
@@ -22,7 +22,7 @@ search: [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png diff --git a/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md b/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md index 243e4a38b..dca4f74e0 100644 --- a/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md +++ b/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md @@ -31,7 +31,7 @@ search: [img-grouped-nodes]: ../../../../images/user-guides/nodes/grouped-nodes.png [wallarm-token-types]: ../../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation [ip-lists-docs]: ../../../../user-guides/ip-lists/overview.md -[oob-advantages-limitations]: ../../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../../oob/overview.md#limitations [web-server-mirroring-examples]: ../../../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring [download-aio-step]: #step-3-download-all-in-one-wallarm-installer [enable-traffic-analysis-step]: #step-5-enable-wallarm-node-to-analyze-traffic diff --git a/docs/4.10/installation/packages/aws-ami.md b/docs/4.10/installation/packages/aws-ami.md index 1f9f28739..889c98057 100644 --- a/docs/4.10/installation/packages/aws-ami.md +++ b/docs/4.10/installation/packages/aws-ami.md 
@@ -27,7 +27,7 @@ search: [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md diff --git a/docs/4.10/installation/packages/gcp-machine-image.md b/docs/4.10/installation/packages/gcp-machine-image.md index 4aaa5368b..012044459 100644 --- a/docs/4.10/installation/packages/gcp-machine-image.md +++ b/docs/4.10/installation/packages/gcp-machine-image.md @@ -22,7 +22,7 @@ search: [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md diff --git a/docs/5.0/installation/nginx/all-in-one.md b/docs/5.0/installation/nginx/all-in-one.md index 5fc57aefe..47fa86a10 100644 --- a/docs/5.0/installation/nginx/all-in-one.md +++ b/docs/5.0/installation/nginx/all-in-one.md 
@@ -24,7 +24,7 @@ [api-token]: ../../user-guides/settings/api-tokens.md [platform]: ../supported-deployment-options.md [oob-docs]: ../oob/overview.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [web-server-mirroring-examples]: ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring [img-grouped-nodes]: ../../images/user-guides/nodes/grouped-nodes.png [wallarm-token-types]: ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation diff --git a/docs/5.0/installation/oob/tcp-traffic-mirror/configuration.md b/docs/5.0/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..050d98ef3 --- /dev/null +++ b/docs/5.0/installation/oob/tcp-traffic-mirror/configuration.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md" \ No newline at end of file diff --git a/docs/5.0/installation/oob/tcp-traffic-mirror/deployment.md b/docs/5.0/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..a65c92e39 --- /dev/null +++ b/docs/5.0/installation/oob/tcp-traffic-mirror/deployment.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md" \ No newline at end of file diff --git a/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md b/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md index 2415f8f3e..638eacc94 100644 --- a/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md +++ b/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md 
@@ -27,7 +27,7 @@ search: [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png diff --git a/docs/5.0/installation/oob/web-server-mirroring/docker-image.md b/docs/5.0/installation/oob/web-server-mirroring/docker-image.md index d9e9e8a63..37c6c95ce 100644 --- a/docs/5.0/installation/oob/web-server-mirroring/docker-image.md +++ b/docs/5.0/installation/oob/web-server-mirroring/docker-image.md @@ -23,7 +23,7 @@ search: [api-token]: ../../../user-guides/settings/api-tokens.md [wallarm-token-types]: ../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation [platform]: ../../supported-deployment-options.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [web-server-mirroring-examples]: overview.md#configuration-examples-for-traffic-mirroring [memory-instr]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [ip-lists-docs]: ../../../user-guides/ip-lists/overview.md diff --git a/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md b/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md index ce7e9a0e3..17e2c1f0e 100644 --- a/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md +++ b/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md 
@@ -22,7 +22,7 @@ search: [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png diff --git a/docs/5.0/installation/packages/aws-ami.md b/docs/5.0/installation/packages/aws-ami.md index 884564631..863f73472 100644 --- a/docs/5.0/installation/packages/aws-ami.md +++ b/docs/5.0/installation/packages/aws-ami.md @@ -27,7 +27,7 @@ search: [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [oob-docs]: ../oob/overview.md [wallarm-api-via-proxy]: ../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md diff --git a/docs/5.0/installation/packages/gcp-machine-image.md b/docs/5.0/installation/packages/gcp-machine-image.md index 7172b8c0f..0a9fe713f 100644 --- a/docs/5.0/installation/packages/gcp-machine-image.md +++ b/docs/5.0/installation/packages/gcp-machine-image.md 
@@ -22,7 +22,7 @@ search: [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [oob-docs]: ../oob/overview.md [wallarm-api-via-proxy]: ../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md diff --git a/docs/5.0/installation/supported-deployment-options.md b/docs/5.0/installation/supported-deployment-options.md index 72cb387da..250c27f8d 100644 --- a/docs/5.0/installation/supported-deployment-options.md +++ b/docs/5.0/installation/supported-deployment-options.md @@ -474,6 +474,12 @@ Wallarm supports many deployment options enabling you to seamlessly integrate th

Out-of-band deployment on Kubernetes using the eBPF technology

+ + +

TCP Traffic Mirror Analysis

+

Out-of-band deployment for TCP traffic mirror analysis

+
+

Mirroring by NGINX, Envoy and similar

diff --git a/docs/ar/installation/oob/tcp-traffic-mirror/configuration.md b/docs/ar/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..050d98ef3 --- /dev/null +++ b/docs/ar/installation/oob/tcp-traffic-mirror/configuration.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md" \ No newline at end of file diff --git a/docs/ar/installation/oob/tcp-traffic-mirror/deployment.md b/docs/ar/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..a65c92e39 --- /dev/null +++ b/docs/ar/installation/oob/tcp-traffic-mirror/deployment.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md" \ No newline at end of file diff --git a/docs/ja/installation/oob/tcp-traffic-mirror/configuration.md b/docs/ja/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..050d98ef3 --- /dev/null +++ b/docs/ja/installation/oob/tcp-traffic-mirror/configuration.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md" \ No newline at end of file diff --git a/docs/ja/installation/oob/tcp-traffic-mirror/deployment.md b/docs/ja/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..a65c92e39 --- /dev/null +++ b/docs/ja/installation/oob/tcp-traffic-mirror/deployment.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md" \ No newline at end of file diff --git a/docs/latest/admin-en/configure-logging.md b/docs/latest/admin-en/configure-logging.md index 8ec2845e7..213e64299 100644 --- a/docs/latest/admin-en/configure-logging.md +++ b/docs/latest/admin-en/configure-logging.md 
@@ -14,6 +14,7 @@ Log files are located within the `/opt/wallarm/var/log/wallarm` directory. Here * `appstructure-out.log` (only in the Docker containers): the log of the [API Discovery](../api-discovery/overview.md) module activity. * `tarantool-out.log`: the log of the postanalytics module operations. * `wcli-out.log`: logs of most Wallarm services, including brute force detection, attack export to the Cloud, and the status of node synchronization with the Cloud, etc. +* `go-node.log`: TCP traffic reassembling logs (only for the [TCP traffic mirror analysis deployment](../installation/oob/tcp-traffic-mirror/configuration.md)). ## Configuring Extended Logging for the NGINX‑Based Filter Node diff --git a/docs/latest/installation/api-gateways/layer7-api-gateway.md b/docs/latest/installation/api-gateways/layer7-api-gateway.md index aa3a6935f..3bd750a67 100644 --- a/docs/latest/installation/api-gateways/layer7-api-gateway.md +++ b/docs/latest/installation/api-gateways/layer7-api-gateway.md @@ -17,7 +17,7 @@ Among all supported [Wallarm deployment options](../supported-deployment-options ## Limitations -The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#advantages-and-limitations). +The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#limitations). ## Requirements diff --git a/docs/latest/installation/cloud-platforms/aws/ami.md b/docs/latest/installation/cloud-platforms/aws/ami.md index 97f32570f..974022a9c 100644 --- a/docs/latest/installation/cloud-platforms/aws/ami.md +++ b/docs/latest/installation/cloud-platforms/aws/ami.md 
@@ -22,7 +22,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../oob/overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [inline-docs]: ../../inline/overview.md [oob-docs]: ../../oob/overview.md diff --git a/docs/latest/installation/cloud-platforms/gcp/machine-image.md b/docs/latest/installation/cloud-platforms/gcp/machine-image.md index 1b9ec054b..b2cb0e191 100644 --- a/docs/latest/installation/cloud-platforms/gcp/machine-image.md +++ b/docs/latest/installation/cloud-platforms/gcp/machine-image.md @@ -18,7 +18,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../oob/overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [inline-docs]: ../../inline/overview.md [oob-docs]: ../../oob/overview.md diff --git a/docs/latest/installation/nginx/all-in-one.md b/docs/latest/installation/nginx/all-in-one.md index 5b8cf4a51..43a4f0205 100644 --- a/docs/latest/installation/nginx/all-in-one.md +++ b/docs/latest/installation/nginx/all-in-one.md 
@@ -25,7 +25,7 @@ [platform]: ../supported-deployment-options.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [web-server-mirroring-examples]: ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring [img-grouped-nodes]: ../../images/user-guides/nodes/grouped-nodes.png [wallarm-token-types]: ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation diff --git a/docs/latest/installation/oob/ebpf/deployment.md b/docs/latest/installation/oob/ebpf/deployment.md index a0ebd8594..32a0ad6f1 100644 --- a/docs/latest/installation/oob/ebpf/deployment.md +++ b/docs/latest/installation/oob/ebpf/deployment.md 
@@ -198,12 +198,14 @@ To test that the Wallarm eBPF operates correctly: ## Limitations -* The solution does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow. +* Due to its out-of-band (OOB) operation, which analyzes traffic independently from actual flow, the solution has several inherent limitations: - Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../..//user-guides/events/analyze-attack.md). + * It does not instantly block malicious requests. Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../../user-guides/events/analyze-attack.md). + * [Rate limiting](../../../user-guides/rules/rate-limiting.md) is not supported as it is impossible to limit load on target servers. + * [Filtering by IP addresses](../../../user-guides/ip-lists/overview.md) is not supported. * As server response bodies are not mirrored: - * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported - * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported + * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported. + * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported. * While the solution is in beta, not all Kubernetes resources can be mirrored effectively. Therefore, we recommend enabling traffic mirroring specifically for NGINX Ingress controllers, Kong Ingress controllers, or regular NGINX servers in Kubernetes. diff --git a/docs/latest/installation/oob/overview.md b/docs/latest/installation/oob/overview.md index 312ba6a00..adb3cd861 100644 --- a/docs/latest/installation/oob/overview.md +++ b/docs/latest/installation/oob/overview.md 
@@ -18,29 +18,30 @@ The diagram below provides a visual representation of the general traffic flow i ![OOB scheme](../../images/waf-installation/oob/wallarm-oob-deployment-scheme.png) -## Advantages and limitations +## Advantages The OOB approach to the Wallarm deployment offers several advantages over other deployment methods, such as in-line deployments: * It does not introduce latency or other performance issues that can occur when the security solution operates in-line with the primary data path. * It provides flexibility and ease of deployment, as the solution can be added or removed from the network without affecting the primary data path. -Despite the OOB deployment approach safety, it has some limitations: +## Limitations -* Wallarm does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow. +Despite the OOB deployment approach safety, it has some limitations. The table below details the limitations associated with various deployment options: - Wallarm only observes attacks and provides you with the [details in Wallarm Console](../..//user-guides/events/analyze-attack.md). -* Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) method does not function properly. The solution determines if an API is vulnerable or not based on server responses to malicious requests that are typical for the vulnerabilities it tests. -* The [Wallarm API Discovery](../../api-discovery/overview.md) does not explore API inventory based on your traffic as server responses required for the module operation are not mirrored. - - An exception is the [eBPF](ebpf/deployment.md) solution, which conducts API inventory discovery by analyzing response codes. -* The [protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) is not available since it requires response code analysis which is currently not feasible. 
- - An exception is the [eBPF](ebpf/deployment.md) solution, which analyzes response codes, making it suitable for this purpose. +| Feature | [eBPF](ebpf/deployment.md) | [TCP mirror](tcp-traffic-mirror/deployment.md) | [Web server mirror](web-server-mirroring/overview.md) | +| --- | --- | --- | --- | +| Instant blocking of malicious requests | - | - | - | +| Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) | - | + | - | +| [API Discovery](../../api-discovery/overview.md) | + (excludes response structure) | + | - | +| [Protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) | + | + | - | +| [Rate limiting](../../user-guides/rules/rate-limiting.md) | - | - | - | +| [IP lists](../../user-guides/ip-lists/overview.md) | - | - | - | ## Supported deployment options Wallarm offers the following Out-of-Band (OOB) deployment options: -* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions. * [eBPF-based solution](ebpf/deployment.md) +* The solution for [TCP traffic mirror analysis](tcp-traffic-mirror/deployment.md) +* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions. diff --git a/docs/latest/installation/oob/tcp-traffic-mirror/configuration.md b/docs/latest/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..cedaf0255 --- /dev/null 
+++ b/docs/latest/installation/oob/tcp-traffic-mirror/configuration.md 
@@ -0,0 +1,340 @@ +# Configuring TCP Traffic Mirror Analysis + +In the configuration file you create for deploying the Wallarm node for TCP Traffic Mirror analysis (`wallarm-node-conf.yaml` as specified in the [deployment instructions](deployment.md)), you can fine-tune the solution deployed. + +## Basic settings + +```yaml +version: 2 + +mode: tcp-capture + +goreplay: + filter: + extra_args: + - -input-raw-engine + - vxlan + +route_config: + wallarm_application: 10 + routes: + - route: /example/api/v1 + wallarm_mode: off + - route: /example/extra_api + wallarm_application: 2 + - route: /example/testing + wallarm_mode: off + +http_inspector: + real_ip_header: "X-Real-IP" + +log: + pretty: true + level: debug + log_file: stderr +``` + +### mode (required) + +The Wallarm node operation mode. Currently, it can be only `tcp-capture`. + +### goreplay.filter + +Specifies a network interface to capture traffic from. If no value is specified, it captures traffic from all network interfaces on the instance. + +Note that the value should be the network interface and port separated by a colon (`:`). Examples of filters include `eth0:`, `eth0:80`, or `:80` (to intercept a specific port on all interfaces), e.g.: + +```yaml +version: 2 + +goreplay: + filter: 'eth0:' +``` + +To check network interfaces available on the host, run: + +``` +ip addr show +``` + +### goreplay.extra_args + +This parameter allows you to specify [extra arguments](https://github.com/buger/goreplay/blob/master/docs/Request-filtering.md) to be passed to GoReplay. + +Typically, you will use it to define the types of mirrored traffic requiring analysis, such as VLAN, VXLAN. For example: + +* For VLAN-wrapped mirrored traffic, provide the following: + + ```yaml + version: 2 + + goreplay: + extra_args: + - -input-raw-vlan + - -input-raw-vlan-vid + # VID of your VLAN, e.g.: + # - 42 + ``` + +* For VXLAN-wrapped mirrored traffic (e.g. 
for AWS traffic mirroring), provide the following: + + ```yaml + version: 2 + + goreplay: + extra_args: + - -input-raw-engine + - vxlan + # Custom VXLAN UDP port, e.g.: + # - -input-raw-vxlan-port + # - 4789 + # Specific VNI (by default, all VNIs are captured), e.g.: + # - -input-raw-vxlan-vni + # - 1 + ``` + +* If the mirrored traffic is not wrapped in additional protocols like VLAN or VXLAN, you can omit the `extra_args` configuration. Unencapsulated traffic is parsed by default. + +### route_config + +Configuration section where you specify settings for specific routes. + +### route_config.wallarm_application + +[Wallarm application ID](../../../user-guides/settings/applications.md). This value can be overridden for specific routes. + +### route_config.routes + +Sets route-specific Wallarm configuration. Includes Wallarm mode and application IDs. Example configuration: + +```yaml +version: 2 + +route_config: + wallarm_application: 10 + routes: + - host: example.com + wallarm_application: 1 + routes: + - route: /app2 + wallarm_application: 2 + - host: api.example.com + route: /api + wallarm_application: 100 + - route: /testing + wallarm_mode: off +``` + +#### host + +Specifies the route host. + +#### routes.route or route + +Defines specific routes. Routes can be configured with NGINX-like prefixes: + +```yaml +- route: [ = | ~ | ~* | ^~ | ]/location + | | | | ^ prefix (lower priority than regexes) + | | | ^ prefix (higher priority than regexes) + | | ^re case insensitive + | ^re case sensitive + ^exact match +``` + +For example, to match only the exact route: + +```yaml +- route: =/api/login +``` + +To match routes with a regular expression: + +```yaml +- route: ~/user/[0-9]+/login.* +``` + +#### wallarm_application + +Sets the [Wallarm application ID](../../../user-guides/settings/applications.md). Overrides the `route_config.wallarm_application` for specific endpoints. 
+ +#### wallarm_mode + +Traffic [filtration mode](../../../admin-en/configure-wallarm-mode.md): `monitoring` or `off`. In OOB mode, traffic blocking is not supported. + +Default: `monitoring`. + +### http_inspector.real_ip_header + +By default, Wallarm reads the source IP address from the network packet's IP headers. However, proxies and load balancers can change this to their own IPs. + +To preserve the real client IP, these intermediaries often add an HTTP header (e.g., `X-Real-IP`, `X-Forwarded-For`). The `real_ip_header` parameter tells Wallarm which header to use to extract the original client IP. + +### log.pretty + +Controls the log format. Set to `true` for human-readable logs, or `false` for JSON logs. + +Default: `true`. + +### log.level + +Log level, can be `debug`, `info`, `warn`, `error`, `fatal`. + +Default: `info`. + +### log.log_file + +Specifies the destination for log output. Options are `stdout`, `stderr`, or a path to a log file. + +Default: `stderr`. However, the node redirects `stderr` to the file `/opt/wallarm/var/log/wallarm/go-node.log`. + +## Advanced settings + +```yaml +version: 2 + +goreplay: + path: /opt/wallarm/usr/bin/gor + +middleware: + parse_responses: true + response_timeout: 5s + +http_inspector: + workers: auto + libdetection_enabled: true + api_firewall_enabled: true + api_firewall_database: /opt/wallarm/var/lib/wallarm-api/2/wallarm_api.db + wallarm_dir: /opt/wallarm/etc/wallarm + shm_dir: /tmp + +tarantool_exporter: + address: 127.0.0.1:3313 + enabled: true + +log: + proton_log_mask: info@* + +metrics: + enabled: true + listen_address: :9000 + legacy_status: + enabled: true + listen_address: 127.0.0.8:80 + +health_check: + enabled: true + listen_address: :8080 +``` + +### goreplay.path + +The path to the GoReplay binary file. Typically, you do not need to modify this parameter. + +Default: `/opt/wallarm/usr/bin/gor`. + +### middleware.parse_responses + +Controls whether to parse mirrored responses. 
This enables Wallarm features that rely on response data, such as [vulnerability detection](../../../about-wallarm/detecting-vulnerabilities.md) and [API discovery](../../../api-discovery/overview.md). + +By default, `true`. + +Ensure response mirroring is configured in your environment to the target instance with the Wallarm node. + +### middleware.response_timeout + +Specifies the maximum time to wait for a response. If a response is not received within this time, the Wallarm processes stop waiting the corresponding response. + +Default: `5s`. + +### http_inspector.workers + +Wallarm worker number. + +Default: `auto`, which means the number of workers is set to the number of CPU cores. + +### http_inspector.libdetection_enabled + +Whether to additionally validate the SQL Injection attacks using the [libdetection](../../../about-wallarm/protecting-against-attacks.md#libdetection-overview) library. + +Default: `true`. + +### http_inspector.api_firewall_enabled + +Controls whether [API Specification Enforcement](../../../api-specification-enforcement/overview.md) is enabled. Please note that activating this feature does not substitute for the required subscription and configuration through the Wallarm Console UI. + +Default: `true`. + +### http_inspector.api_firewall_database + +Specifies the path to the database containing the API specifications you have uploaded for [API Specification Enforcement](../../../api-specification-enforcement/overview.md). This database synchronizes with the Wallarm Cloud. + +Typically, you do not need to modify this parameter. + +Default: `/opt/wallarm/var/lib/wallarm-api/2/wallarm_api.db`. + +### http_inspector.wallarm_dir + +Specifies the directory path for node configuration files. Typically, you do not need to modify this parameter. If you need assistance, please contact the [Wallarm support team](mailto:support@wallarm.com). + +Default: `/opt/wallarm/etc/wallarm`. + +### http_inspector.shm_dir + +HTTP analyzer shared directory. 
Typically, you do not need to modify this parameter. + +Default: `/tmp`. + +### tarantool_exporter.address + +Sets the address for the postanalytics service which handles statistical request analysis in Wallarm's request processing. Typically, you do not need to modify this parameter. + +Default: `127.0.0.1:3313`. + +### tarantool_exporter.enabled + +Controls whether the postanalytics service is enabled. This parameter must be set to `true` as the Wallarm node does not function without the postanalytics service. + +Default: `true`. + +### log.proton_log_mask + +The mask for internal traffic logging. Typically, you do not need to modify this parameter. + +Default: `info@*`. + +### metrics.enabled + +Controls whether [Prometheus metrics](../../../admin-en/configure-statistics-service.md#working-with-the-statistics-service) are enabled. This parameter must be set to `true` as the Wallarm node does not function properly without it. + +Default: `true`. + +### metrics.listen_address + +Sets the address and port where Prometheus metrics will be exposed. To access these metrics, use the `/metrics` endpoint. + +Default: `:9000` (all network interfaces on the port 9000). + +### metrics.legacy_status.enabled + +Controls whether the [`/wallarm-status`](../../../admin-en/configure-statistics-service.md#working-with-the-statistics-service) metrics service is enabled. This parameter must be set to `true` as the Wallarm node does not function properly without it. + +Default: `true`. + +### metrics.legacy_status.listen_address + +Sets the address and port where `/wallarm-status` metrics in JSON format will be exposed. To access these metrics, use the `/wallarm-status` endpoint. + +Default: `127.0.0.8:80`. + +### health_check.enabled + +Controls whether health check endpoints are enabled. + +Default: `true`. + +### health_check.listen_address + +Sets the address and port for the `/live` and `/ready` health check endpoints. 
+ +Default: `:8080` (all network interfaces on the port 8080). diff --git a/docs/latest/installation/oob/tcp-traffic-mirror/deployment.md b/docs/latest/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..9c3c2cb03 --- /dev/null +++ b/docs/latest/installation/oob/tcp-traffic-mirror/deployment.md 
@@ -0,0 +1,293 @@ +# Deploying the Node for TCP Traffic Mirror Analysis + +Wallarm provides an artifact for deploying its filtering node, specifically designed for TCP traffic mirror analysis. This guide explains how to deploy and configure the Wallarm filtering node in this form-factor. + +## Use cases + +Among all supported [out-of-band deployment options](../../supported-deployment-options.md#out-of-band), this solution is recommended for the following scenarios: + +* You prefer to capture TCP traffic mirrored at the network layer and require a security solution to analyze this specific traffic. +* NGINX or Envoy-based deployment artifacts are unavailable, too slow, or consume too many resources. In this case, implementing HTTP traffic mirror analysis can be resource-intensive. The TCP traffic mirror analysis runs independently from web servers, avoiding these issues. +* You require a security solution that also parses responses, enabling features like [vulnerability detection](../../../about-wallarm/detecting-vulnerabilities.md) and [API discovery](../../../api-discovery/overview.md), which rely on response data. + +## How does it work + +This solution operates in out-of-band (OOB) mode, capturing mirrored TCP traffic directly from the network interface, independent of web servers like NGINX. The captured traffic is then parsed, reassembled, and analyzed for threats. + +It functions as a mirror target, seamlessly switching between multiple traffic sources. The solution supports traffic tagged with VLAN (802.1q), VXLAN, or SPAN. + +Additionally, the solution enables response mirror parsing, providing Wallarm features that rely on response data. These features include [vulnerability detection](../../../about-wallarm/detecting-vulnerabilities.md), [API discovery](../../../api-discovery/overview.md) and more. 
+ +![!TCP traffic mirror scheme](../../../images/waf-installation/oob/tcp-mirror-analysis.png) + +## Requirements + +* Access to the account with the **Administrator** role in Wallarm Console for the [US Cloud](https://us1.my.wallarm.com/) or [EU Cloud](https://my.wallarm.com/). +* The machine intended for running the node must meet the following criteria: + + * Linux OS + * x86_64/ARM64 architecture + * Executing all commands as a superuser (e.g. `root`). + * Allowed outgoing connections to `https://meganode.wallarm.com` to download the Wallarm installer + * Allowed outgoing connections to `https://us1.api.wallarm.com` for working with US Wallarm Cloud or to `https://api.wallarm.com` for working with EU Wallarm Cloud + * Allowed outgoing connections to the IP addresses below for downloading updates to attack detection rules and [API specifications](../../../api-specification-enforcement/overview.md), as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted](../../../user-guides/ip-lists/overview.md) countries, regions, or data centers + + === "US Cloud" + ``` + 34.96.64.17 + 34.110.183.149 + ``` + === "EU Cloud" + ``` + 34.160.38.183 + 34.144.227.90 + ``` +* Traffic and response mirroring must be configured with both source and target set up, and the prepared instance chosen as a mirror target. Specific environment requirements must be met, such as allowing specific protocols for traffic mirroring configurations. +* Mirrored traffic is tagged with either VLAN (802.1q), VXLAN, or SPAN. + +## Step 1: Prepare Wallarm token + +To install node, you will need a token for registering the node in the Wallarm Cloud. To prepare a token: + +1. Open Wallarm Console → **Settings** → **API tokens** in the [US Cloud](https://us1.my.wallarm.com/settings/api-tokens) or [EU Cloud](https://my.wallarm.com/settings/api-tokens). +1. Find or create API token with the `Deploy` source role. +1. Copy this token. 
+ +## Step 2: Download Wallarm installer + +Wallarm suggests installations for the following processors: + +* x86_64 +* ARM64 + +To download Wallarm installation script and make it executable, use the following commands: + +=== "x86_64 version" + ```bash + curl -O https://meganode.wallarm.com/next/aionext-0.4.0.x86_64.sh + chmod +x aionext-0.4.0.x86_64.sh + ``` +=== "ARM64 version" + ```bash + curl -O https://meganode.wallarm.com/next/aionext-0.4.0.aarch64.sh + chmod +x aionext-0.4.0.aarch64.sh + ``` + +## Step 3: Prepare the configurarion file + +Create the `wallarm-node-conf.yaml` file on the instance. The solution requires proper configuration to identify the network interface and the traffic format (e.g., VLAN, VXLAN). The example content of the file: + +```yaml +version: 2 + +mode: tcp-capture + +goreplay: + filter: 'enp7s0:' + extra_args: + - -input-raw-engine + - vxlan +``` + +In the [article](configuration.md), you will find the list of more supported configuration parameters. + +### Setting the mode (required) + +It is required to specify the `tcp-capture` mode in the corresponding parameter to run the solution for the TCP traffic mirror analysis. + +### Choosing a network interface for listening + +To specify the network interface to capture traffic from: + +1. Check network interfaces available on the host: + + ``` + ip addr show + ``` + +1. Specify the network interface in the `filter` parameter. + + Note that the value should be the network interface and port separated by a colon (`:`). 
Examples of filters include `eth0:`, `eth0:80`, or `:80` (to intercept a specific port on all interfaces), e.g.: + + ```yaml + version: 2 + + mode: tcp-capture + + goreplay: + filter: 'eth0:' + ``` + +### Capturing VLAN + +If mirrored traffic is wrapped in VLAN, provide additional arguments: + +```yaml +version: 2 + +mode: tcp-capture + +goreplay: + filter: + extra_args: + - -input-raw-vlan + - -input-raw-vlan-vid + # VID of your VLAN, e.g.: + # - 42 +``` + +### Capturing VXLAN + +If mirrored traffic is wrapped in VXLAN (common in AWS), provide additional arguments: + +```yaml +version: 2 + +mode: tcp-capture + +goreplay: + filter: + extra_args: + - -input-raw-engine + - vxlan + # Custom VXLAN UDP port, e.g.: + # - -input-raw-vxlan-port + # - 4789 + # Specific VNI (by default, all VNIs are captured), e.g.: + # - -input-raw-vxlan-vni + # - 1 +``` + +### Identifying the original client IP address + +By default, Wallarm reads the source IP address from the network packet's IP headers. However, proxies and load balancers can change this to their own IPs. + +To preserve the real client IP, these intermediaries often add an HTTP header (e.g., `X-Real-IP`, `X-Forwarded-For`). 
The `real_ip_header` parameter tells Wallarm which header to use to extract the original client IP, e.g.: + +```yaml +version: 2 + +mode: tcp-capture + +http_inspector: + real_ip_header: "X-Real-IP" +``` + +## Step 4: Run the Wallarm installer + +To install the Wallarm node for TCP traffic mirror analysis, run the following command: + +=== "x86_64 version" + ```bash + # US Cloud + sudo env WALLARM_LABELS='group=' ./aionext-0.4.0.x86_64.sh -- --batch --token --mode=tcp-capture --go-node-config= --host us1.api.wallarm.com + + # EU Cloud + sudo env WALLARM_LABELS='group=' ./aionext-0.4.0.x86_64.sh -- --batch --token --mode=tcp-capture --go-node-config= --host api.wallarm.com + ``` +=== "ARM64 version" + ```bash + # US Cloud + sudo env WALLARM_LABELS='group=' ./aionext-0.4.0.aarch64.sh -- --batch --token --mode=tcp-capture --go-node-config= --host us1.api.wallarm.com + + # EU Cloud + sudo env WALLARM_LABELS='group=' ./aionext-0.4.0.aarch64.sh -- --batch --token --mode=tcp-capture --go-node-config= --host api.wallarm.com + ``` + +* The `WALLARM_LABELS` variable sets group into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). +* `` specifies the generated API token for the `Deploy` role. +* `` specifies the path to the configuration file prepared before. + +The provided configuration file will be copied to the path: `/opt/wallarm/etc/wallarm/go-node.yaml`. + +If needed, you can change the copied file after the installation is finished. To apply the changes, you will need to restart the Wallarm service with `sudo systemctl restart wallarm`. + +## Step 5: Test the solution + +Send the test [Path Traversal](../../../attacks-vulns-list.md#path-traversal) attack to the mirror source address by replacing `` with the actual IP address or DNS name of the instance: + +``` +curl http:///etc/passwd +``` + +Since the Wallarm solution for TCP traffic mirror analysis operates out-of-band, it does not block attacks but only registers them. 
+ +To check that the attack has been registered, proceed to Wallarm Console → **Events**: + +![!Attacks in the interface](../../../images/waf-installation/epbf/ebpf-attack-in-ui.png) + +## Debugging + +* To check if there is traffic on the network interface you are trying to capture from, run the following command on your machine: + + ``` + sudo tcpdump -i + ``` +* To verify if the filtering node detects traffic: + + Set the log level in `/opt/wallarm/etc/wallarm/go-node.yaml` to `debug` as follows: + + ```yaml + log: + level: debug + ``` + + Restart the Wallarm service: + + ``` + sudo systemctl restart wallarm + ``` + + Logs are written to `/opt/wallarm/var/log/wallarm/go-node.log` by default. You can read them there. +* Standard logs of the filtering node such as whether the data is sent to the Wallarm Cloud, detected attacks, etc. are located in the directory `/opt/wallarm/var/log/wallarm`. + +## Installer launch options + +* As soon as you have the all-in one script downloaded, you can get **help** on it with: + + === "x86_64 version" + ``` + sudo ./aionext-0.4.0.x86_64.sh -- --help + ``` + === "ARM64 version" + ``` + sudo ./aionext-0.4.0.aarch64.sh -- --help + ``` +* You can also run the installer in an **interactive** mode and choose the `tcp-capture` mode in the 1st step: + + === "x86_64 version" + ``` + sudo ./aionext-0.4.0.x86_64.sh + ``` + === "ARM64 version" + ``` + sudo ./aionext-0.4.0.aarch64.sh + ``` + +## Upgrade and reinstallation + +To upgrade or reinstall the node: + +1. Get the [installer version](../../../updating-migrating/node-artifact-versions.md#wallarm-node-for-tcp-traffic-mirror-analysis) you need. +1. Run the new installer script as described above, but change the script version. + +Your current `/opt/wallarm/etc/wallarm/go-node.yaml`, `/opt/wallarm/etc/wallarm/node.yaml` and log files will be backed up to the directory `/opt/wallarm/aio-backups/`. + +If there is a problem with the upgrade or reinstallation process: + +1. 
Remove the current installation: + + ``` + sudo systemctl stop wallarm && sudo rm -rf /opt/wallarm + ``` +1. Install the node as usual following the installation steps from above. + +## Limitations + +* Due to its out-of-band (OOB) operation, which analyzes traffic independently from actual flow, the solution has several inherent limitations: + + * It does not instantly block malicious requests. Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../../user-guides/events/analyze-attack.md). + * [Rate limiting](../../../user-guides/rules/rate-limiting.md) is not supported as it is impossible to limit load on target servers. + * [Filtering by IP addresses](../../../user-guides/ip-lists/overview.md) is not supported. +* Traffic decryption is not supported. The solution only analyzes raw TCP traffic. +* The solution does not support parsing responses over HTTP keep-alive connections yet. diff --git a/docs/latest/installation/oob/web-server-mirroring/aws-ami.md b/docs/latest/installation/oob/web-server-mirroring/aws-ami.md index b2d034a9b..7bcb98700 100644 --- a/docs/latest/installation/oob/web-server-mirroring/aws-ami.md +++ b/docs/latest/installation/oob/web-server-mirroring/aws-ami.md @@ -22,7 +22,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png 
diff --git a/docs/latest/installation/oob/web-server-mirroring/docker-image.md b/docs/latest/installation/oob/web-server-mirroring/docker-image.md index 4e292a54d..552b4c270 100644 --- a/docs/latest/installation/oob/web-server-mirroring/docker-image.md +++ b/docs/latest/installation/oob/web-server-mirroring/docker-image.md @@ -18,7 +18,7 @@ [api-token]: ../../../user-guides/settings/api-tokens.md [wallarm-token-types]: ../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation [platform]: ../../supported-deployment-options.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [web-server-mirroring-examples]: overview.md#configuration-examples-for-traffic-mirroring [memory-instr]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [ip-lists-docs]: ../../../user-guides/ip-lists/overview.md diff --git a/docs/latest/installation/oob/web-server-mirroring/gcp-machine-image.md b/docs/latest/installation/oob/web-server-mirroring/gcp-machine-image.md index 9de4093c8..741761c77 100644 --- a/docs/latest/installation/oob/web-server-mirroring/gcp-machine-image.md +++ b/docs/latest/installation/oob/web-server-mirroring/gcp-machine-image.md @@ -17,7 +17,7 @@ [allocate-memory-docs]: ../../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../overview.md#limitations [wallarm-mode]: ../../../admin-en/configure-wallarm-mode.md [wallarm-api-via-proxy]: ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md [img-grouped-nodes]: ../../../images/user-guides/nodes/grouped-nodes.png 
diff --git a/docs/latest/installation/oob/web-server-mirroring/linux/all-in-one.md b/docs/latest/installation/oob/web-server-mirroring/linux/all-in-one.md index edae47f5c..e01c55433 100644 --- a/docs/latest/installation/oob/web-server-mirroring/linux/all-in-one.md +++ b/docs/latest/installation/oob/web-server-mirroring/linux/all-in-one.md @@ -31,7 +31,7 @@ search: [img-grouped-nodes]: ../../../../images/user-guides/nodes/grouped-nodes.png [wallarm-token-types]: ../../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation [ip-lists-docs]: ../../../../user-guides/ip-lists/overview.md -[oob-advantages-limitations]: ../../../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../../../oob/overview.md#limitations [web-server-mirroring-examples]: ../../../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring [download-aio-step]: #step-3-download-all-in-one-wallarm-installer [enable-traffic-analysis-step]: #step-5-enable-wallarm-node-to-analyze-traffic diff --git a/docs/latest/installation/packages/aws-ami.md b/docs/latest/installation/packages/aws-ami.md index 9233ba5c5..953673a6b 100644 --- a/docs/latest/installation/packages/aws-ami.md +++ b/docs/latest/installation/packages/aws-ami.md @@ -22,7 +22,7 @@ [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md diff --git a/docs/latest/installation/packages/gcp-machine-image.md b/docs/latest/installation/packages/gcp-machine-image.md index 76ee6cd5f..2e117c2f9 100644 
--- a/docs/latest/installation/packages/gcp-machine-image.md +++ b/docs/latest/installation/packages/gcp-machine-image.md @@ -17,7 +17,7 @@ [allocate-memory-docs]: ../../admin-en/configuration-guides/allocate-resources-for-node.md [limiting-request-processing]: ../../user-guides/rules/configure-overlimit-res-detection.md [logs-docs]: ../../admin-en/configure-logging.md -[oob-advantages-limitations]: ../oob/overview.md#advantages-and-limitations +[oob-advantages-limitations]: ../oob/overview.md#limitations [wallarm-mode]: ../../admin-en/configure-wallarm-mode.md [inline-docs]: ../inline/overview.md [oob-docs]: ../oob/overview.md diff --git a/docs/latest/updating-migrating/node-artifact-versions.md b/docs/latest/updating-migrating/node-artifact-versions.md index f032abd67..c992a9593 100644 --- a/docs/latest/updating-migrating/node-artifact-versions.md +++ b/docs/latest/updating-migrating/node-artifact-versions.md @@ -58,6 +58,12 @@ History of all-in-one installer updates simultaneously applies to it's x86_64 an * [Initial release](../installation/oob/ebpf/deployment.md) --> +## Wallarm node for TCP traffic mirror analysis + +### 0.4.0 (2024-08-22) + +* [Initial release](../installation/oob/tcp-traffic-mirror/deployment.md) + ## NGINX-based Docker image [How to upgrade](docker-container.md) diff --git a/docs/latest/updating-migrating/what-is-new.md b/docs/latest/updating-migrating/what-is-new.md index b218c5ff1..e8ddafb21 100644 --- a/docs/latest/updating-migrating/what-is-new.md +++ b/docs/latest/updating-migrating/what-is-new.md 
@@ -24,6 +24,12 @@ The following changes have been introduced in the file system of the Wallarm dep Starting with release 5.2, new features will be introduced exclusively in the node with the new Go-based implementation. Per our [versioning policy](node-artifact-versions.md), these new features will not be backported to the previous version (4.10). +## New deployment option for TCP traffic mirror analysis + +With the launch of release 5.0, Wallarm introduces an artifact specifically designed for TCP traffic mirror analysis. This new deployment option, based on our advanced re-engineered node, enhances your ability to monitor and secure TCP traffic directly at the network layer. + +[Deployment instructions](../installation/oob/tcp-traffic-mirror/deployment.md) + ## Which Wallarm nodes are recommended to be upgraded? * Client and multi-tenant Wallarm nodes of version 4.8 and 4.10 to stay up to date with Wallarm releases and prevent [installed module deprecation](versioning-policy.md#version-support). diff --git a/docs/pt-BR/installation/oob/tcp-traffic-mirror/configuration.md b/docs/pt-BR/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..050d98ef3 --- /dev/null +++ b/docs/pt-BR/installation/oob/tcp-traffic-mirror/configuration.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md" \ No newline at end of file diff --git a/docs/pt-BR/installation/oob/tcp-traffic-mirror/deployment.md b/docs/pt-BR/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..a65c92e39 --- /dev/null +++ b/docs/pt-BR/installation/oob/tcp-traffic-mirror/deployment.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md" \ No newline at end of file diff --git a/docs/tr/installation/oob/tcp-traffic-mirror/configuration.md b/docs/tr/installation/oob/tcp-traffic-mirror/configuration.md new file mode 100644 index 000000000..050d98ef3 --- /dev/null 
+++ b/docs/tr/installation/oob/tcp-traffic-mirror/configuration.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md" \ No newline at end of file diff --git a/docs/tr/installation/oob/tcp-traffic-mirror/deployment.md b/docs/tr/installation/oob/tcp-traffic-mirror/deployment.md new file mode 100644 index 000000000..a65c92e39 --- /dev/null +++ b/docs/tr/installation/oob/tcp-traffic-mirror/deployment.md @@ -0,0 +1 @@ +--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md" \ No newline at end of file diff --git a/images/platform-icons/tcp-mirror-analysis.svg b/images/platform-icons/tcp-mirror-analysis.svg new file mode 100644 index 000000000..215a64d43 --- /dev/null +++ b/images/platform-icons/tcp-mirror-analysis.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/images/waf-installation/oob/tcp-mirror-analysis.png b/images/waf-installation/oob/tcp-mirror-analysis.png new file mode 100644 index 000000000..3331b9a54 Binary files /dev/null and b/images/waf-installation/oob/tcp-mirror-analysis.png differ diff --git a/mkdocs-5.0.yml b/mkdocs-5.0.yml index 5428a6209..15b069be5 100644 --- a/mkdocs-5.0.yml +++ b/mkdocs-5.0.yml @@ -236,6 +236,9 @@ nav: - Deploy: installation/kubernetes/ebpf/deployment.md - Helm Chart Values: installation/kubernetes/ebpf/helm-chart-for-wallarm.md - Selecting Packets for Mirroring: installation/kubernetes/ebpf/selecting-packets.md + - TCP Traffic Mirror Analysis: + - Deploy: installation/oob/tcp-traffic-mirror/deployment.md + - Configure: installation/oob/tcp-traffic-mirror/configuration.md - Public Clouds: - Amazon Web Services: - AMI: installation/cloud-platforms/aws/ami.md diff --git a/mkdocs-ar-4.10.yml b/mkdocs-ar-4.10.yml index 61a352672..d874aa08f 100644 --- a/mkdocs-ar-4.10.yml +++ b/mkdocs-ar-4.10.yml 
@@ -259,6 +259,9 @@ nav: - نصب: installation/oob/ebpf/deployment.md - قيم Helm Chart: installation/oob/ebpf/helm-chart-for-wallarm.md - تحديد الحزم للتطابق: installation/oob/ebpf/selecting-packets.md + - تحليل مرآة حركة المرور TCP: + - نشر: installation/oob/tcp-traffic-mirror/deployment.md + - تكوين: installation/oob/tcp-traffic-mirror/configuration.md - المرآة بواسطة NGINX, Envoy ومماثلة: - نظرة عامة: installation/oob/web-server-mirroring/overview.md - الغيوم العامة: diff --git a/mkdocs-ja-4.8.yml b/mkdocs-ja-4.8.yml index 93c9fa7da..05d3cf3da 100644 --- a/mkdocs-ja-4.8.yml +++ b/mkdocs-ja-4.8.yml @@ -231,6 +231,9 @@ nav: - 展開: installation/oob/ebpf/deployment.md - Helm Chart Values: installation/oob/ebpf/helm-chart-for-wallarm.md - ミラーリング対象のパケットの選択: installation/oob/ebpf/selecting-packets.md + - TCPトラフィックミラー分析: + - 展開: installation/oob/tcp-traffic-mirror/deployment.md + - 設定: installation/oob/tcp-traffic-mirror/configuration.md - NGINX, Envoy, and Similarsによるミラーリング: - 概要: installation/oob/web-server-mirroring/overview.md - 公開クラウド: diff --git a/mkdocs-pt-BR-4.8.yml b/mkdocs-pt-BR-4.8.yml index 7644dd336..774ce3bea 100644 --- a/mkdocs-pt-BR-4.8.yml +++ b/mkdocs-pt-BR-4.8.yml @@ -241,6 +241,9 @@ nav: - Implantação: installation/oob/ebpf/deployment.md - Valores do Helm Chart: installation/oob/ebpf/helm-chart-for-wallarm.md - Selecionando Pacotes para Espelhamento: installation/oob/ebpf/selecting-packets.md + - Análise de Espelhamento de Tráfego TCP: + - Implantar: installation/oob/tcp-traffic-mirror/deployment.md + - Configurar: installation/oob/tcp-traffic-mirror/configuration.md - Espelhamento por NGINX, Envoy e Similares: - Visão Geral: installation/oob/web-server-mirroring/overview.md - Nuvens Públicas: diff --git a/mkdocs-tr-4.8.yml b/mkdocs-tr-4.8.yml index b05125260..6befb8c4b 100644 --- a/mkdocs-tr-4.8.yml +++ b/mkdocs-tr-4.8.yml 
@@ -238,6 +238,9 @@ nav: - Dağıtım: installation/oob/ebpf/deployment.md - Helm Chart Değerleri: installation/oob/ebpf/helm-chart-for-wallarm.md - Yansıtma için Paket Seçimi: installation/oob/ebpf/selecting-packets.md + - TCP Trafik Aynası Analizi: + - Dağıt: installation/oob/tcp-traffic-mirror/deployment.md + - Yapılandır: installation/oob/tcp-traffic-mirror/configuration.md - Band Dışı: - Genel Bakış: installation/oob/overview.md - NGINX, Envoy ve Benzeri ile Aynılaştırma:
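Review bot: in the overview.md hunk, the new Limitations table marks passive vulnerability detection and API Discovery as `+` in the TCP mirror column, while the deployment.md Limitations added in this same patch state that the TCP mirror solution "does not support parsing responses over HTTP keep-alive connections yet"; both features depend on mirrored responses, so add that caveat to the TCP mirror cells (or a footnote under the table) so the table does not overstate coverage. The `+`/`-` symbols have no legend; add one line stating that `+` means supported and `-` means not supported. The sentence "Despite the OOB deployment approach safety, it has some limitations" reads awkwardly; consider "OOB deployment does not touch the data path, but it has limitations". Renaming `## Advantages and limitations` to `## Limitations` changes the anchor that other pages link to; this patch updates `[oob-advantages-limitations]` in several files, so grep the docs tree for any remaining `#advantages-and-limitations` links before merging.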
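Review bot: the `http_inspector.real_ip_header` section in configuration.md should warn that `X-Real-IP` and `X-Forwarded-For` are client-controlled headers: if the node reads the source IP from them while the mirror source is not behind a proxy that overwrites client-supplied values, an attacker can forge the source IP recorded in Events and mislead any IP-based analysis; recommend setting the parameter only when a trusted proxy in front of the mirror source sets the header itself. Further points in this hunk: the `wallarm_mode: off` values in the Basic settings and `route_config.routes` examples are unquoted YAML scalars that YAML 1.1 loaders decode as boolean `false`, so either quote them (`wallarm_mode: "off"`) or state that the node's loader accepts the bare word; in the VLAN example under `goreplay.extra_args`, `-input-raw-vlan-vid` is passed while its value is commented out, so the example as written supplies the flag without a value, and a placeholder value should be shown or the flag commented out together with it; `goreplay.filter` defaults to all interfaces, so recommend pinning the filter to the mirror-target interface and port (`eth0:80`) so the node does not also ingest management traffic arriving on the host; `metrics.listen_address` (`:9000`) and `health_check.listen_address` (`:8080`) bind on all interfaces by default, and the page should say to restrict them to loopback or a monitoring network, since the host holds a copy of production traffic. Wording: "stop waiting the corresponding response" should read "stop waiting for the corresponding response", and "Wallarm worker number" should read "Number of Wallarm worker processes".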
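Review bot: in deployment.md, the troubleshooting step `sudo systemctl stop wallarm && sudo rm -rf /opt/wallarm` deletes `/opt/wallarm/aio-backups/`, which the same section says is where the backed-up `go-node.yaml`, `node.yaml` and log files are kept; tell the reader to copy those files elsewhere before removing the installation. Supply-chain point for Step 2 and Step 4: the installer is fetched with `curl -O`, made executable and run as root with no integrity check; publish a sha256 sum or signature for `aionext-0.4.0.x86_64.sh` / `aionext-0.4.0.aarch64.sh` and add a verification step before `chmod +x`. The API token is passed as a `--token` command-line argument, which lands in shell history and is visible in the process list for the duration of the install; document a file- or environment-based alternative if the installer supports one, or at least note the exposure. In Requirements, "Mirrored traffic is tagged with either VLAN (802.1q), VXLAN, or SPAN" conflates a port-mirroring mechanism with an encapsulation; since configuration.md says unencapsulated traffic is parsed by default, reword to "delivered untagged (for example via SPAN) or encapsulated in VLAN (802.1q) or VXLAN". The placeholders in Step 4 (`--token --mode=tcp-capture --go-node-config= --host`), Step 5 (`curl http:///etc/passwd`) and Debugging (`sudo tcpdump -i`) render empty, so confirm the angle-bracket placeholders survive Markdown rendering. The limitation "Traffic decryption is not supported" should state the consequence: mirroring must be taken from a point after TLS termination, which puts plaintext application traffic on the mirror path and on this host, so the mirror session and the node should be confined to a trusted network segment; and the keep-alive limitation belongs in Use cases as well, because the third use case promises response-dependent features that most HTTP/1.1 clients, which keep connections alive by default, will not trigger. Typo in the Step 3 heading: "configurarion".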
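Review bot: the new `### 0.4.0 (2024-08-22)` entry in node-artifact-versions.md is the only place the installer version is stated, while what-is-new.md ties the artifact to release 5.0 and deployment.md hardcodes `aionext-0.4.0` in the download and upgrade commands; add a sentence explaining how the installer version relates to node releases so readers know which number to pin and where to look for the next one. The unchanged context line "applies to it's x86_64 and" has a typo (`its`) that can be fixed while this file is being touched.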
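Review bot: in what-is-new.md, "enhances your ability to monitor and secure TCP traffic directly at the network layer" overstates what the deployment.md Limitations in this patch allow: the node observes attacks but cannot block them, cannot rate-limit, cannot filter by IP and cannot decrypt TLS; reword to "monitor TCP traffic and detect attacks at the network layer". The preceding context paragraph says new features land exclusively in the Go-based node starting with 5.2, while this section says the artifact launches with 5.0; state explicitly that the TCP mirror artifact is itself a Go-based node build so the two statements do not read as a contradiction.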
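Review bot: mkdocs-ja-4.8.yml and mkdocs-ar-4.10.yml add nav entries for `installation/oob/tcp-traffic-mirror/deployment.md` and `configuration.md`, but this patch adds those pages only under docs/latest, docs/pt-BR and docs/tr (the latter two as `--8<--` includes of the latest page); unless docs/ja and docs/ar already carry them, these entries point at missing pages and will fail a strict build. Also, what-is-new.md presents this as a 5.0 feature, yet the entries are added to the 4.8 and 4.10 navs (ja, pt-BR, tr, ar) in addition to mkdocs-5.0.yml; confirm that a latest-only feature should appear in the versioned navs. In mkdocs-5.0.yml the entry is inserted after the Kubernetes eBPF pages (`installation/kubernetes/ebpf/...`) and before Public Clouds, whereas the page describes an all-in-one Linux installer, so it likely belongs in the Out-of-Band group alongside the web server mirroring pages; the mkdocs-tr-4.8.yml hunk likewise places it before the "Band Dışı" (Out-of-Band) group rather than inside it.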