How to tell if WAF config is working?

I have gone through the steps in the documentation for configuring WAF and the rule's traffic count increases accordingly when the web server is accessed.

However, I can't seem to be able to verify that it is actually being protected. Almost all protection and IPS settings are enabled and the filter strength is set to 4 (most restrictive). Yet when I make a directory traversal request (e.g. mysite.com/?q=../../etc/passwd) it doesn't get blocked.

How can I verify that the WAF is doing its job?



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    You can check reverseproxy.log events and filter out the request made for a directory traversal.

    Log in to SSH > 5. Device Management > 3. Advanced Shell

    # tail -f /log/reverseproxy.log

    or

    # tail -f /log/reverseproxy.log | grep -i "SOURCE_IP"

    Sophos Firewall: WAF troubleshooting

  • You should see successful and blocked requests within logviewer/WebServerProtection too.
    Requesting a /../../passwd results in a "WAF Anomaly".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
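
Added example, not part of either reply and not Sophos code: a shell function that summarises, for one test client, how many logged requests carried a directory traversal sequence and how many of those were rejected. The log layout, the field names (srcip, statuscode, url), the rule that 403 means blocked, and the function names are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Sophos code. The log layout below is CONSTRUCTED and
# simplified; check the field names against your own reverseproxy.log.

# write_sample_log FILE: writes four constructed log lines to FILE.
write_sample_log() {
    cat > "$1" <<'EOF'
srcip="192.0.2.10" method="GET" statuscode="200" url="/index.html"
srcip="192.0.2.10" method="GET" statuscode="403" url="/?q=../../etc/passwd"
srcip="192.0.2.10" method="GET" statuscode="200" url="/?q=%2e%2e%2fetc%2fpasswd"
srcip="192.0.2.100" method="GET" statuscode="403" url="/?q=../../etc/passwd"
EOF
}

# Matches ../ and ..\ in plain, URL-encoded and mixed forms.
TRAVERSAL='(\.|%2e){2}(/|\\|%2f|%5c)'

# waf_summary LOGFILE SOURCE_IP
# Prints: total=<lines from IP> traversal=<of those, with ../> blocked=<of those, 403>
waf_summary() {
    # -F: literal match, so '.' is not a wildcard; -w: 192.0.2.10 must not
    # also match 192.0.2.100.
    lines=$(grep -Fw -- "$2" "$1" || true)
    hits=$(printf '%s\n' "$lines" | grep -Ei -- "$TRAVERSAL" || true)
    total=$(printf '%s\n' "$lines" | grep -c . || true)
    traversal=$(printf '%s\n' "$hits" | grep -c . || true)
    # Assumption: a request the WAF rejected is logged with statuscode="403".
    blocked=$(printf '%s\n' "$hits" | grep -c 'statuscode="403"' || true)
    echo "total=$total traversal=$traversal blocked=$blocked"
}
```

When traversal is larger than blocked, at least one traversal-shaped test request from that client was logged without being rejected, which is the situation the question describes.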