The StackPath Web Application Firewall (WAF) supports three modes of operation: Active, Monitor, and Off. Each will allow the WAF to perform different functions.
This article will explain the usage of the Monitor mode and show how to enable it.
Please make sure you have already created and properly integrated a website with the WAF, or with the CDN and WAF together.
What is Monitor Mode for?
Monitor mode is not intended to be turned on permanently. It should be used as a temporary testing method to determine and adjust the WAF's behavior before turning on the WAF.
When the StackPath WAF is in Monitor mode, the WAF logs any incoming requests that might be blocked, but it does not take any action on them. This allows for testing for potential blocking behavior without impacting (also known as sanctioning) any users.
What Happens in Monitor Mode?
This process allows requests through but creates a Security Event if the request would otherwise receive a sanction. This allows you to see what would have happened and investigate why it would have happened if the WAF were active.
For example, a basic cURL request without any header modification flags triggers the "Invalid User Agent Prevention" Policy, if enabled, and receives a 403 status code:
curl -I https://c8k3p3x4.stackpathcdn.com
HTTP/2 403
date: Mon, 25 Mar 2019 20:38:48 GMT
When the WAF is in Monitor mode, the WAF responds with a 200 status code, but still generates the Security Event:
curl -I https://c8k3p3x4.stackpathcdn.com
HTTP/2 200
date: Mon, 25 Mar 2019 20:40:37 GMT
Please Note: The WAF does not actually initiate any events to end users, so certain Policy triggers that rely on human input (JS Validation or Captcha) will display significantly more blocked requests in Monitor mode than when the WAF is active.
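One way to triage Monitor-mode Security Events before moving to Active, as an added example that is not StackPath code: it groups events by Policy and marks JS Validation and Captcha counts as inflated, following the note above. The one-event-per-line JSON export and its field names (policy, path, user_agent) are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter, defaultdict

# Policies that rely on a client-side challenge. Monitor mode never issues the
# challenge, so their counts overstate what Active mode would actually block.
CHALLENGE_POLICIES = {"JS Validation", "Captcha"}

# Constructed sample export, one JSON event per line (hypothetical field names).
SAMPLE_EVENTS = """\
{"policy": "Invalid User Agent Prevention", "path": "/", "user_agent": "curl/7.64.0"}
{"policy": "JS Validation", "path": "/cart", "user_agent": "Mozilla/5.0 (constructed)"}
{"policy": "JS Validation", "path": "/cart", "user_agent": "Mozilla/5.0 (constructed)"}
{"policy": "Invalid User Agent Prevention", "path": "/api", "user_agent": "curl/7.64.0"}
{"policy": "JS Validation", "path": "/", "user_agent": "ExampleBot/1.0 (constructed)"}
{"policy": "Captcha", "path": "/login", "user_agent": "Mozilla/5.0 (constructed)"}
{"policy": "Captcha", "path": "/login"
"""

def triage(lines):
    """Group Monitor-mode events by policy; return (report, skipped_lines)."""
    counts, agents = Counter(), defaultdict(Counter)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            policy = str(event["policy"])
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # truncated or malformed line: count it, do not guess
            continue
        counts[policy] += 1
        agents[policy][event.get("user_agent", "-")] += 1
    report = [
        {
            "policy": policy,
            "events": n,
            "inflated": policy in CHALLENGE_POLICIES,
            "top_user_agent": agents[policy].most_common(1)[0][0],
        }
        for policy, n in counts.most_common()
    ]
    return report, skipped

if __name__ == "__main__":
    report, skipped = triage(SAMPLE_EVENTS.splitlines())
    for row in report:
        print(row)
    print("skipped lines:", skipped)
```

Policies with inflated set to False are the ones whose counts reflect what Active mode would block, so review their top paths and user agents for legitimate traffic first.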
Implementing WAF Monitor Mode
To enable Monitor mode for a WAF site, please follow these steps.
- Log in to StackPath
- Select the WAF site
- Set the WAF Status to Monitor
- Confirm "Monitor Mode" is shown on the WAF Usage Chart