Cisco ACE Web Application Firewall Getting Started Guide (Software Version 6.0)
Monitor Mode



An important stage of policy development involves identifying potential "false positives" introduced by a policy (that is, legitimate messages that incorrectly trigger a rule). The best way to discover false positives is to observe the policy's effect on live application traffic. However, deploying an untested policy in a production environment may hinder legitimate access to services.

Monitor mode allows you to direct actual message traffic at a firewall rule without inadvertently blocking legitimate access. A rule that is in monitor mode executes all of its configured behaviors except its terminal action. That is, it inspects the message against each enabled rule and generates log entries, but does not block messages that trigger inspection rules.


Note: While messages are not blocked in monitor mode, they are still subject to non-blocking active security features, such as HTTP header processing and cookie security. For more information, see the ACE Web Application Firewall User Guide.


You can apply monitor mode at the following levels: to an individual rule in a profile (this affects all virtual web applications that use the profile), to a particular virtual web application, or to the entire ACE Web Application Firewall, which places all web application traffic processing into monitor mode. This "global monitor mode" allows you to collect information on traffic characteristics in a non-intrusive manner. After collecting data for a period of time, you can use the incident report to determine the ratio of legitimate traffic versus attack traffic and the types of attack against a particular web site or resource.

Development Flow

Monitor mode can be used as an integral part of your development process. For instance, monitor mode would be used in a typical project development process as follows:

1. Create an initial firewall profile that is more strict than will ultimately be needed. For example, you might base your profile on a copy of the built-in PCI compliance profile.

2. Create virtual web applications. Set them all to monitor mode. For convenience, the web console allows you to set the entire Firewall to monitor mode (or enabled mode) at once.

3. Deploy the policy and send a good volume of test traffic to your web application.

4. Review the incident report for requests that cause a high number of web application firewall incidents. Determine whether these are false positives.

5. Modify your firewall profile as necessary to disable or exempt unneeded rules or signatures.

Repeat these steps until you arrive at a policy that reliably screens attacks without producing false positives.
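
The following Python sketch is an added example, not Cisco code or part of the original guide. It models the monitor-mode behavior described above (a triggered rule logs an incident but skips its terminal block action) and the step 4 review that tallies Monitored incidents to find false-positive candidates. The class and function names, the incident tuple layout, the "Blocked" label and the sample host name are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    max_headers: int        # models "Maximum Number of HTTP Headers"
    monitor: bool = False   # rule-level monitor mode, set in the profile

@dataclass
class VirtualWebApp:
    name: str
    rules: list
    monitor: bool = False   # application-level monitor mode

@dataclass
class Firewall:
    global_monitor: bool = False
    incidents: list = field(default_factory=list)

    def handle(self, app, path, headers):
        """Return True if the request is forwarded, False if it is blocked."""
        for rule in app.rules:
            if len(headers) > rule.max_headers:   # rule triggered
                # Assumption: monitor mode at any level suppresses the block.
                monitored = rule.monitor or app.monitor or self.global_monitor
                status = "Monitored" if monitored else "Blocked"
                self.incidents.append((rule.name, app.name, path, status))
                if not monitored:
                    return False    # terminal action
        return True

def false_positive_candidates(incidents, threshold):
    """Rank (rule, path) pairs by Monitored incident count (step 4 of the flow)."""
    counts = Counter((r, p) for r, _, p, s in incidents if s == "Monitored")
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

def demo():
    # Constructed sample traffic: three headers against a limit of 1.
    rule = Rule("Data Overflow Defense", max_headers=1, monitor=True)
    app = VirtualWebApp("Poison Oak", [rule])
    fw = Firewall()
    headers = {"Host": "poisonoak.example", "User-Agent": "test", "Accept": "*/*"}
    outcomes = [fw.handle(app, "/", headers) for _ in range(3)]
    rule.monitor = False    # same rule, now enforcing
    outcomes.append(fw.handle(app, "/", headers))
    return outcomes, false_positive_candidates(fw.incidents, threshold=2)

if __name__ == "__main__":
    print(demo())
```

A (rule, path) pair that ranks high here for ordinary browser traffic is the kind of entry to examine as a false positive before the rule is taken out of monitor mode.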

Placing a Rule into Monitor Mode

To see how monitor mode works, reinstate the highly restrictive Data Overflow Defense rule you created earlier and put it in monitor mode, as follows:


Step 1 Click the Profiles link in the Manager navigation menu.

Step 2 Click on the name of the first profile you created, Poison Oak Traffic Validation.

Step 3 In the profile page, click the edit link next to Data Overflow Defense.

Step 4 In the Data Overflow Defense page, check the Enforce the following data limits on requests checkbox. Also, select the Maximum Number of HTTP Headers option and make sure its value is 1, making it easy to trigger.

Step 5 At the bottom of the Data Limits section, check the Monitor Mode option.

Step 6 Click Save Changes.

The Active Security section of the profiles page notes that the Data Overflow Defense rule for this profile is in monitor mode.

Step 7 Deploy the policy as described in Chapter 6, "Deploying and Testing the Policy."

Step 8 In your web browser, again access the home page of the Poison Oak application through the Firewall. (You may need to clear your web browser's cache to ensure that you see fresh request results.)

The request should succeed even though the Data Overflow Defense rule is active.

Step 9 Open the Web App Firewall Incident report.

Notice that new events generated for the Data Overflow Defense rule are listed in the Monitored column.

Step 10 Click the events link to see more details on the incident. Notice that events generated by the Data Overflow Defense rule have a Create Exemption link in their descriptions. You can use this link to fine-tune a policy to accommodate varying security or processing requirements for traffic handled by a virtual web application.


Next, you'll see how to use incident-based modifiers to fine-tune traffic handling at the ACE Web Application Firewall.