This document explains the WAF monitor mode and shows how to enable it on the StackPath WAF.
There are three WAF modes:
You can use the monitor mode to temporarily test the WAF's behavior and adjust its configuration before you fully activate it.
With the exception of protection against Application Layer DDoS Attacks, while in the monitor mode, the WAF does not perform any action against requests. Instead, the WAF creates a security event to log requests that would have been blocked or sanctioned under the active mode.
- To learn more about the WAF's protection against Application Layer DDoS Attacks, see Learn and Configure WAF for Application Layer DDoS Protection.
Review sample scenario
For example, a cURL request without any header modification flags will trigger the Invalid User Agent Prevention policy.
If the WAF is in active mode, then the request will receive a 403 status code:
    curl -I https://c8k3p3x4.stackpathcdn.com
    HTTP/2 403
    date: Mon, 25 Mar 2019 20:38:48 GMT
If the WAF is in monitor mode, then the request will receive a 200 status code.
    curl -I https://c8k3p3x4.stackpathcdn.com
    HTTP/2 200
    date: Mon, 25 Mar 2019 20:40:37 GMT
Additionally, while in monitor mode, the WAF will generate a security event. To learn more about security events, see Troubleshoot WAF-Blocked Users.
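The following shell script is an added example, not part of the original StackPath documentation. It interprets the `curl -I` probe from the sample scenario, handling curl's CRLF line endings and multi-response output from redirects. The function names and the placeholder hostname are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: interpret the `curl -I` probe from the sample scenario.
# Function names are illustrative, not StackPath tooling.

# Print the status code of the LAST response block on stdin, so output
# from `curl -IL` (redirects) works too. curl prints CRLF line endings;
# strip the CR so the code compares cleanly.
final_status() {
    tr -d '\r' | awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2 }
                      END { if (code != "") print code }'
}

# Map a status code to what it says about the Invalid User Agent policy.
classify_probe() {
    case "$1" in
        403) echo "blocked" ;;       # consistent with active mode
        2??) echo "passed" ;;        # consistent with monitor mode; confirm the security event
        "")  echo "no-response" ;;
        *)   echo "inconclusive" ;;  # redirect, origin error, etc.
    esac
}

# $1 = raw header text from `curl -sI`
probe_report() {
    _code=$(printf '%s' "$1" | final_status)
    printf '%s %s\n' "${_code:-none}" "$(classify_probe "$_code")"
}

# Constructed samples modelled on the two responses shown above.
SAMPLE_ACTIVE=$(printf 'HTTP/2 403\r\ndate: Mon, 25 Mar 2019 20:38:48 GMT\r\n')
SAMPLE_MONITOR=$(printf 'HTTP/2 200\r\ndate: Mon, 25 Mar 2019 20:40:37 GMT\r\n')

probe_report "$SAMPLE_ACTIVE"
probe_report "$SAMPLE_MONITOR"

# Live use against your own site (placeholder hostname):
#   probe_report "$(curl -sI https://your-site.example)"
```

A `passed` result should be paired with the matching security event in the portal, since that event is how monitor mode records the request that active mode would have blocked.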
Enable WAF monitor mode
- In the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- This action will refresh the portal.
- In the left-side navigation menu, click WAF.
- Next to WAF Mode, in the drop-down menu, select Monitor.
- To confirm, in the left-side navigation menu, click Analytics, and then select the WAF tab. Monitor Mode will display next to Web Application Firewall Events.