
WAF - Monitor vs Reject

Hello,

I am new to the concept of WAFs. One of the reasons we went with Sophos is that it has WAF capabilities. When the WAF was originally set up by our cloud provider, basic settings were configured and it was put in "Monitor" mode so we could examine the logs later on to see what it would otherwise have rejected.

We have been running this for over a month now. Is it possible to see, in the logs, what would otherwise have been rejected, so that we can make an educated decision on what to do or how to handle the rejected stuff?

Is some kind of email alerting possible for rejected stuff?

We recently ran a pentest against our app and there are some XSS alerts. We would like to change it to "reject" so these settings take effect, but aren't sure exactly what, if anything, will break.

Below is our current WAF setup for this particular server/app. I am not a web developer, so most of the settings are foreign to me. Also, it doesn't look like there are many settings to configure in the first place, so I'm wondering whether 99.99% of people out there just turn this on with all default settings enabled and forget about it (kind of like out-of-the-box IPS on some consumer-grade routers)?

Does anyone have suggestions for settings on this page? 



This thread was automatically locked due to age.
  • Hi: Thank you for reaching out to the Sophos community team. You may check the reverseproxy.log file on the device and analyze it offline to get some insight into the traffic going through the WAF.

    It may not be easy to understand the logs; you should be familiar with the OWASP logs, but that is something that can be learned from the OWASP website. If required, you may discuss those logs with your web developer as well to get a second opinion and more clarity.

    Once the action has been set to reject, the WAF (reverse proxy) will reject the request if the WAF module observes any abnormal packet, header data, or traffic according to the parameters defined in the protection policy.

    Regarding the different features in the WAF protection policy, you may refer to the help section below and, based on that, enable a few of them gradually as required if you want to harden the settings strictly.

    docs.sophos.com/.../index.html
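As an added example for the offline analysis suggested above (this is not code from the thread or from Sophos), here is a small Python script that reads WAF rule hits from a log, groups them per request, and reports which requests would be rejected once the policy is switched from monitor to reject. It assumes that reverseproxy.log entries use the standard ModSecurity 2.x error-log message format, that a rule match in monitor mode is logged as "Warning." while an enforced block is logged as "Access denied with code N", and that the rule set follows the OWASP CRS anomaly-scoring convention in which only the blocking-evaluation rules (ids 949110 and 959100) decide whether a request is rejected. The sample log lines, hostnames, client addresses and unique ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in ModSecurity 2.x (Apache error-log) format.
# Assumption: Sophos's reverseproxy.log uses this format for WAF rule hits;
# the hosts, IPs, ids and messages below are made up for the example.
SAMPLE_LOG = r"""
[Tue Jan 10 09:12:01.123456 2023] [security2:error] [pid 2201] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/search"] [unique_id "Y7x1@abc"]
[Tue Jan 10 09:12:01.223456 2023] [security2:error] [pid 2201] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/search"] [unique_id "Y7x1@abc"]
[Tue Jan 10 09:15:44.000001 2023] [security2:error] [pid 2202] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/etc/modsecurity/rules.conf"] [line "55"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/item"] [unique_id "Y7x2@def"]
[Tue Jan 10 09:20:00.000000 2023] [security2:error] [pid 2203] [client 192.0.2.9] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/admin"] [unique_id "Y7x3@ghi"]
"""

# One line = one rule hit. "Warning." means the rule matched but the request was
# let through (monitor mode); "Access denied with code N" means it was rejected.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[security2:error\] \[pid \d+\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<verdict>Warning|Access denied with code (?P<code>\d+) \(phase \d\))\. '
    r'(?P<rest>.*)$'
)
# Bracketed key/value pairs that follow the rule message.
TAG_RE = re.compile(r'\[(?P<key>id|msg|severity|hostname|uri|unique_id) "(?P<val>[^"]*)"\]')

# OWASP CRS blocking-evaluation rules. In anomaly-scoring mode only these decide
# whether a request is rejected; other rule ids just add to the score.
# Assumption: the Sophos rule set follows this CRS convention.
BLOCKING_EVAL_RULES = {"949110", "959100"}


def parse_line(line):
    """Return a dict for one rule-hit line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = {t.group("key"): t.group("val") for t in TAG_RE.finditer(m.group("rest"))}
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "action": "blocked" if m.group("code") else "monitor",
        "rule_id": tags.get("id", ""),
        "msg": tags.get("msg", ""),
        "severity": tags.get("severity", ""),
        "hostname": tags.get("hostname", ""),
        "uri": tags.get("uri", ""),
        "unique_id": tags.get("unique_id", ""),
    }


def parse_log(text):
    """Parse all rule-hit lines in a log text; skips anything else."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev:
            events.append(ev)
    return events


def summarize(events):
    """Group hits per request (unique_id) and work out which requests would be
    rejected in reject mode, which were already blocked, and which rules fire most."""
    per_request = {}
    rule_counts = Counter()
    for ev in events:
        rule_counts[(ev["rule_id"], ev["msg"])] += 1
        req = per_request.setdefault(ev["unique_id"], {
            "client": ev["client"], "hostname": ev["hostname"], "uri": ev["uri"],
            "rules": [], "blocked": False, "would_reject": False,
        })
        req["rules"].append(ev["rule_id"])
        if ev["action"] == "blocked":
            req["blocked"] = True
        if ev["rule_id"] in BLOCKING_EVAL_RULES:
            req["would_reject"] = True
    would_reject = sorted(u for u, r in per_request.items() if r["would_reject"] and not r["blocked"])
    already_blocked = sorted(u for u, r in per_request.items() if r["blocked"])
    return {"requests": per_request, "would_reject": would_reject,
            "already_blocked": already_blocked, "rule_counts": rule_counts}


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print("Requests that would be rejected once the policy is set to reject:")
    for uid in s["would_reject"]:
        r = s["requests"][uid]
        print(f"  {uid} {r['client']} {r['hostname']}{r['uri']} rules={r['rules']}")
    print("Most frequent rule hits (candidates for tuning or exclusions):")
    for (rid, msg), n in s["rule_counts"].most_common():
        print(f"  {n:4d}  {rid}  {msg}")
```

Run it against a copy of the log pulled off the device (replace SAMPLE_LOG with the file contents); the per-rule counts show which rules would affect legitimate traffic before switching to reject. If the policy is not in anomaly-scoring mode, every rule hit blocks on its own, so use the rule counts rather than the would_reject list.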

  • Thanks for the reply! Sorry for the delayed reply -- holidays. Would you happen to know of a document or video explaining how to examine reverseproxy.log? WAF on Sophos in general seems to be lacking documentation, that I can find anyway. In the link you provided, in the ENTIRE documentation, "reverseproxy.log" is mentioned only once, at the very bottom, and all it says is this:

    !?!?

    Also, is it true that the only way to see what would otherwise be rejected is to change it to monitor mode and open a console session to the device? For how robust Sophos Central seems, it is weird having to connect to the console to view such information.

    EDIT: I just found these and will review them: support.sophos.com/.../KB-000036242 --and-- support.sophos.com/.../KB-000035562

  • And what is more ridiculous, the advanced shell isn't available in the v19 version xD. The advanced WAF logs are in that mentioned file... There is a big discussion on the forum about it.
