Overview
You can use this document to learn about and enable the Monitor mode for an existing site with a WAF.
If you have not enabled the WAF for a site, then see Setting up a WAF Instance on an Existing Site.
There are 3 WAF modes:
- Protect
- Monitor
- Off
You can use the Monitor mode to temporarily test the WAF's behavior so that you can adjust the WAF's policies before you enable Protect mode, which offers full protection.
With the exception of protection against Application Layer DDoS Attacks, while in Monitor mode, the WAF does not perform any action against requests. Instead, the WAF logs requests that would have been blocked or sanctioned under Protect mode.
- To learn more about the WAF's protection against Application Layer DDoS Attacks, see L7 DDoS Protection.
Reviewing Sample Scenario
For example, a cURL request without any header modification flags will trigger the Invalid User Agent Prevention policy.
If the WAF is in Protect mode, then the request will receive a 403 status code:
curl -I https://c8k3p3x4.stackpathcdn.com HTTP/2 403 date: Mon, 25 Mar 2019 20:38:48 GMT
If the WAF is in Monitor mode, then the request will receive a 200 status code.
curl -I https://c8k3p3x4.stackpathcdn.com HTTP/2 200 date: Mon, 25 Mar 2019 20:40:37 GMT
Additionally, while in Monitor mode, the WAF will log a request. These requests can be reviewed in the WAF Analytics section of the Portal. Requests marked Suppressed indicate that the WAF would have blocked it had Protect mode been enabled.
Enabling WAF Monitor Mode
You can use these instructions to enable the Monitor mode for sites that already have the WAF enabled.
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click WAF.
- In the top, right corner of the screen, next to WAF Mode, in the drop-down menu, select Monitor.
- To confirm, in the left-side navigation, click Analytics, and then select the WAF tab. Monitor Mode will display next to Web Application Firewall Requests.
After you enable Monitor mode, StackPath recommends that you review the results and adjust your WAF settings. To learn more, see Step 3 in our Setting up a WAF Instance on an Existing Site article.