Overview
You can use this document to learn about the monitor mode, as well as enable the monitor mode on the StackPath WAF.
There are 3 WAF modes:
- Protect
- Monitor
- Off
You can use the monitor mode to temporarily test the WAF's behavior so that you can adjust the WAF before you fully protect the WAF.
With the exception of protection against Application Layer DDoS Attacks, while in the monitor mode, the WAF (including custom WAF rules) does not perform any action against requests. Instead, the WAF logs requests that would have been blocked or sanctioned under the protect mode.
- To learn more about the WAF's protection against Application Layer DDoS Attacks, see Learn and Configure WAF for Application Layer DDoS Protection.
Review sample scenario
For example, a cURL request without any header modification flags will trigger the Invalid User Agent Prevention policy.
If the WAF is in protect mode, then the request will receive a 403 status code:
curl -I https://c8k3p3x4.stackpathcdn.com HTTP/2 403 date: Mon, 25 Mar 2019 20:38:48 GMT
If the WAF is in monitor mode, then the request will receive a 200 status code.
curl -I https://c8k3p3x4.stackpathcdn.com HTTP/2 200 date: Mon, 25 Mar 2019 20:40:37 GMT
Additionally, while in monitor mode, the WAF will log a request.
Enable WAF monitor mode
- In the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- This action will refresh the portal.
- In the left-side navigation menu, click WAF.
- Next to WAF Mode, in the drop-down menu, select Monitor.
- To confirm, in the left-side navigation menu, click Analytics, and then select the WAF tab. Monitor Mode will display next to Web Application Firewall Events.