What is Monitor Mode? What Should be Considered in Monitor Mode?

About

Monitor Mode is the transitional phase between Learning Mode and Blocking Mode in TR7 WAF. The WAF continues to monitor traffic to your web application but does not block any requests. Instead, every request that would have been blocked in Blocking Mode is logged and shown on the WAF Logs screen. This lets the system identify and record potential threats while the transition proceeds without disrupting your application.

The main purpose of Monitor Mode is to find false positive requests and handle them with the correct rules, so that the system can move to Blocking Mode without disrupting the application's real traffic. During this process, requests that would be blocked in Blocking Mode appear in the WAF logs. They are examined, and the clean ones are taught to the WAF, which adds them to the site map it has built. If a security rule was previously created for a specific path, that rule is updated automatically.

Monitor Mode allows the WAF to build accurate, dynamic security policies. Data is collected to tune the system's security rules while the WAF does not intervene in application traffic. Teaching false positive requests means potential risks are identified accurately and service disruptions are avoided during the transition to Blocking Mode. This transition process supports the WAF's dynamic configuration and improves the security of the web application.

Interface

Monitor Mode

Step 1

Open the WAF Management screen for a vService that is in Monitor Mode. Review the previously created rules under the relevant Host Group. The allowed rules are checked.

Step 2

Make a request to the relevant vService with a query parameter that has not been taught before. Because the WAF is in Monitor Mode, no blocking action is taken; however, the request is recorded in the WAF logs with the details of why it would have been blocked.

Step 3

While reviewing the logs, examine every detail of the request carefully. The User-Agent, the country the request came from, the Host header, the request parameters, and the request body can all be inspected on the WAF Logs screen. Requests made to a vService that serves specific domains should be considered malicious if they arrive with different host information. Similarly, requests with an empty User-Agent header, or one containing random information, should be considered malicious.

Step 4

Click the relevant request and, in the control panel that opens on the right, check the information about why it was blocked. If the request does not contain any attack vectors, click the "learn attack" button to teach the request. This automatically updates the previously created TR7 WAF configuration.

In this way, while the WAF is in Monitor Mode, requests are filtered and clean requests are taught, and eventually the system should transition to Blocking Mode.
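The Step 3 checks can be run over exported log records to pre-sort them before anything is taught. This is an added example, not TR7 code: the JSON field names, the expected-host list and the "random User-Agent" heuristic are assumptions, and the sample records are constructed.

```python
import json
import re

# Assumption: hostnames this vService legitimately serves (constructed values).
EXPECTED_HOSTS = {"shop.example.com", "www.shop.example.com"}

# Constructed sample records; field names are hypothetical, not TR7's log schema.
SAMPLE_LOGS = """\
{"id": 1, "host": "shop.example.com", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "path": "/search", "query": "color=blue"}
{"id": 2, "host": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "path": "/", "query": ""}
{"id": 3, "host": "shop.example.com", "user_agent": "", "path": "/login", "query": ""}
{"id": 4, "host": "SHOP.example.com:443", "user_agent": "xkq9ZpL2vT", "path": "/cart", "query": "id=7"}
"""

# Heuristic (assumption): a genuine User-Agent carries a product token like "Name/1.0".
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d")

def normalize_host(host):
    """Lower-case the Host header and drop the port and any trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, keep the brackets
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")

def triage(record, expected_hosts=EXPECTED_HOSTS):
    """Return the reasons a request must not be taught; an empty list means keep reviewing."""
    reasons = []
    if normalize_host(record.get("host", "")) not in expected_hosts:
        reasons.append("host-mismatch")
    ua = record.get("user_agent", "").strip()
    if not ua:
        reasons.append("empty-user-agent")
    elif not PRODUCT_TOKEN.search(ua):
        reasons.append("random-user-agent")
    return reasons

def triage_log(text):
    """Map record id -> reasons for every JSON line in the export."""
    records = map(json.loads, filter(None, text.splitlines()))
    return {r["id"]: triage(r) for r in records}

if __name__ == "__main__":
    for rid, reasons in triage_log(SAMPLE_LOGS).items():
        verdict = "do not teach: " + ", ".join(reasons) if reasons else "inspect parameters and body"
        print(rid, verdict)
```

A record with no reasons is only a candidate for learning; its parameters and body still need the Step 4 review for attack vectors.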