
WAF - Monitor vs Reject

Hello,

I am new to the concept of WAFs. One of the reasons we went with the Sophos is because it has WAF capabilities. When the WAF was originally set up by our cloud provider, basic settings were configured and it was put in "Monitor" mode so we could examine logs later on to see what it would have otherwise rejected.

We have been running this for over a month now. Is it possible to see in the logs what would have otherwise been rejected, so that we can make an educated decision on what to do or how to handle the rejected stuff?

Is some kind of email alerting possible for rejected stuff?

We recently ran a pentest against our app and there are some XSS alerts. We would like to change it to "reject" so these settings take effect, but aren't sure exactly what, if anything, will break.

Below is our current WAF setup for this particular server/app. I am not a web developer so most of the settings are foreign to me. Also, it doesn't look like there are many settings to configure in the first place, so I'm wondering if 99.99% of people out there just turn this on with all default settings enabled, and just forget about it (kind of like out-of-the-box IPS on some consumer grade routers)?

Does anyone have suggestions for settings on this page? 



  • Hi  : Thank you for reaching out to the Sophos community team. You may verify the reverseproxy.log file from the device and analyze it offline to get some insights about the traffic going through WAF.

    It may not be easy to understand the logs; you should be familiar with the OWASP logs, but it's something that can be learned from the OWASP website. If required you may discuss those logs with your web developer as well to get a second opinion and more clarity.

    Once the action selected is reject, the WAF (reverseproxy) will reject the request if the WAF module observes any abnormal packet, header data, or traffic based on the parameters defined in the protection policy.

    Regarding the different features on the WAF protection policy, you may verify the below help section, and based on that you may enable a few of them gradually based on your requirement if you want to harden the settings strictly.

    docs.sophos.com/.../index.html

  • Ok, got connected to the Sophos via SSH and searched (both with tail command and cat command) for this:

    cat /log/reverseproxy.log | grep security2:error

    Literally everything it finds, the ID shows this in the log: [id "-"]

    I've read that in order to get the ID I must put the WAF in monitor mode, but it is already in monitor mode. Common threat filter is selected and the only thing UNCHECKED under it is protocol enforcement. And this document says nothing about what to do if no ID is shown. Nor does the WAF troubleshooting doc.

    !@#$%^ :(



    added picture
    [edited by: djb-sophos at 6:32 AM (GMT -8) on 7 Jan 2022]
  • I was able to find some actual IDs starting with the number 9. Two of them are "infrastructure IDs": 949110 and 980130
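As an added example (not code from the thread, from Sophos, or from the OWASP project), a small Python parser for the security2:error lines that the grep above pulls out of reverseproxy.log. It tallies rule IDs, separates the [id "-"] entries the poster ran into from entries with a real rule ID, and groups the entries by request so the requests on which rule 949110 fired can be listed. Assumptions: the WAF's rule set is the OWASP Core Rule Set in anomaly-scoring mode, where 949110 is the rule that fires when a request's inbound anomaly score crosses the threshold (so in reject mode those are the requests that would be denied, while in monitor mode they are only logged as Warning), and the log lines use ModSecurity's Apache error-log style with [key "value"] tags. The sample log lines are constructed, not real data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real log data) in the Apache error-log style that
# ModSecurity writes. Assumption: the real reverseproxy.log uses the same
# [key "value"] tags. Request req-0001 trips the XSS rule and then the anomaly
# score rule; req-0002 has no rule ID; the last line is not a WAF event at all.
SAMPLE_LOG = """\
[Fri Jan 07 09:12:01.123456 2022] [security2:error] [pid 1234:tid 5678] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/search"] [unique_id "req-0001"]
[Fri Jan 07 09:12:01.123789 2022] [security2:error] [pid 1234:tid 5678] [client 203.0.113.5:51234] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/search"] [unique_id "req-0001"]
[Fri Jan 07 09:13:44.000001 2022] [security2:error] [pid 1234:tid 5679] [client 198.51.100.7:40000] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/waf/site-rules.conf"] [line "3"] [id "-"] [msg "Request header exceeds size limit"] [hostname "app.example.com"] [uri "/upload"] [unique_id "req-0002"]
[Fri Jan 07 09:14:00.000000 2022] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache configured -- resuming normal operations
"""

# Every ModSecurity tag has the shape [key "value"]; [client ...] and [pid ...] do not
# carry quotes, so they are handled separately.
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# IPv4 client address with an optional :port suffix (assumption: IPv4 clients only).
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
# CRS rule that fires once the inbound anomaly score exceeds the threshold.
ANOMALY_BLOCK_ID = "949110"


def parse_line(line):
    """Return a dict of the tags on one security2:error line, or None for other lines."""
    if "[security2:error]" not in line:
        return None
    event = dict(TAG_RE.findall(line))
    m = CLIENT_RE.search(line)
    event["client"] = m.group(1) if m else "?"
    event.setdefault("id", "-")          # lines without an [id ...] tag count as "-"
    event.setdefault("msg", "")
    event.setdefault("unique_id", "?")
    return event


def parse_log(text):
    """Parse a whole log text, keeping only the WAF (security2) events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def rule_counts(events):
    """How often each rule ID appears; the "-" bucket is the entries with no rule ID."""
    return Counter(e["id"] for e in events)


def would_be_rejected(events):
    """Group events per request (unique_id) and return the requests on which the
    anomaly-score rule fired, with the payload rules that pushed the score up.
    Under reject mode these are the requests the WAF would have denied."""
    per_request = defaultdict(list)
    for e in events:
        per_request[e["unique_id"]].append(e)
    rejected = {}
    for req_id, evs in per_request.items():
        if not any(e["id"] == ANOMALY_BLOCK_ID for e in evs):
            continue
        rejected[req_id] = {
            "client": evs[0]["client"],
            "uri": evs[0].get("uri", ""),
            # the rules that actually matched the payload, not the scoring rule itself
            "triggered_rules": sorted(e["id"] for e in evs
                                      if e["id"] not in (ANOMALY_BLOCK_ID, "-")),
            "messages": [e["msg"] for e in evs],
        }
    return rejected


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("events per rule id:", dict(rule_counts(events)))
    for req_id, info in would_be_rejected(events).items():
        print(f"{req_id}: {info['client']} {info['uri']} rules={info['triggered_rules']}")
        for msg in info["messages"]:
            print("   ", msg)
```

Run it against the real file with parse_log(open("/log/reverseproxy.log").read()) after copying the log off the box; the rule_counts output is the quick view of what a month of monitor mode has been flagging, and the would_be_rejected output is the per-request list to walk through with the developer before switching the action to reject.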
