How to tell if WAF config is working?

Question

I have gone through the steps in the documentation for configuring WAF and the rule's traffic count increases accordingly when the web server is accessed. 
 However, I can't seem to be able to verify that it is actually being protected. Almost all protection and IPS settings are enabled and the filter strength is set to 4 (most restrictive). Yet when I make a directory traversal request (e.g. mysite.com/?q=../../etc/passwd) it doesn't get blocked. 
 How can I verify that the WAF is doing its job?

FormerMember · Accepted Answer

Hi Omar Murad , 
 Thank you for reaching out to Sophos Community. 
 You can check reverseproxy.log events and filter out the request made for a directory traversal. 
 Login to SSH > 5. Device Management > 3. Advanced Shell 
 # tail -f /log/reverseproxy.log 
 or 
 # tail -f /log/reverseproxy.log | grep -i "SOURCE_IP" 
 Sophos Firewall: WAF troubleshooting

dirkkotte · Answer

You should see successful and blocked requests within logviewer/WebServerProtection too. Requesting a /../../passwd resulting in a "WAF Anomaly"

How to tell if WAF config is working?

Top Replies