Sophos XG WAF operation

Hello.

We are trying to configure WAF on our Sophos XG firewall (SFOS 16.05.1 MR-1) but do not really understand how WAF works on this device.
We created a small test environment to test it.
We published two websites on two web servers through two Business Application rules. The two websites are exactly the same.
We created two Protection Policies with exactly the same settings, but the first is in "Monitor" mode and the second is in "Reject" mode.
We configured the first publishing rule with the Monitor policy and the second with the Reject policy.
Then we started to use the websites, sending the same requests to both and watching the WAF log on the firewall. On the website with the Reject rule we had several problems and failed requests, and we were able to see these requests in the WAF log and see why each request was blocked. However, when we were watching the website with the Monitor policy, the same requests did not trigger any event on the WAF and we saw nothing problematic in the WAF log. My question is why?
Our expectation was that a Protection policy in "Monitor" mode would show us what would go wrong if we turned on a Reject policy, so that we could correct these errors beforehand, before turning the Reject rule on.
But how, if we cannot see the problems in Monitor mode?

My second question is: when we do not set any Protection policy for a WAF publishing rule, I can even see entries for that site in the WAF log. Why? If I create a Business Application rule and select the application template "WAF", does it mean that WAF is automatically applied to that rule even if I do not set a Protection policy? Or does WAF only start working if I set a Protection policy?

Unfortunately I did not find any useful documentation about it.

Thanks for the answers.
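When comparing a Monitor-mode and a Reject-mode publishing rule, it helps to replay an identical, fixed set of requests against both published hostnames and record the HTTP status each one returns, so that the request timestamps can be lined up against the WAF log entries for each rule. The script below is an added example (not code from the original post and not a Sophos tool); the hostnames, the probe request paths and the probe names are assumptions chosen for illustration, and the probe strings are constructed here to resemble input that web application firewalls commonly flag.

```python
"""Replay the same probe requests against two WAF-published sites and
tabulate the status codes, so the results can be matched with the WAF log.

Added example for the thread above; hostnames and probes are assumptions.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumed hostnames for the two Business Application rules from the post.
MONITOR_SITE = "http://monitor-site.example.internal"
REJECT_SITE = "http://reject-site.example.internal"

# Constructed probe set: one benign request plus requests shaped like the
# kinds of input a WAF rule set typically reports. Tuple: (name, path, extra headers).
PROBES: List[Tuple[str, str, Dict[str, str]]] = [
    ("benign", "/index.html", {}),
    ("path-traversal", "/../../etc/passwd", {}),
    ("sqli-in-query", "/search?q=%27%20OR%201%3D1--", {}),
    ("xss-in-query", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", {}),
    ("scanner-user-agent", "/index.html", {"User-Agent": "sqlmap/1.0"}),
]


def fetch_status(base: str, path: str, headers: Dict[str, str],
                 timeout: float = 5.0) -> Optional[int]:
    """Send one request and return the HTTP status, or None if no HTTP
    response came back at all (connection reset, timeout, DNS failure)."""
    merged = {"User-Agent": "waf-probe/0.1", **headers}
    req = urllib.request.Request(base + path, headers=merged)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 4xx/5xx is still a status
        return err.code
    except (urllib.error.URLError, OSError):   # no HTTP answer at all
        return None


def run_probes(base: str) -> Dict[str, Optional[int]]:
    """Replay every probe against one site; map probe name -> status."""
    return {name: fetch_status(base, path, hdrs) for name, path, hdrs in PROBES}


def diff_outcomes(monitor: Dict[str, Optional[int]],
                  reject: Dict[str, Optional[int]]) -> List[Tuple[str, Optional[int], Optional[int], bool]]:
    """Line the two result sets up probe by probe.

    Each row is (probe name, monitor status, reject status, differs).
    A probe that is missing from one side is reported as None on that side.
    """
    rows = []
    for name, _path, _hdrs in PROBES:
        m, r = monitor.get(name), reject.get(name)
        rows.append((name, m, r, m != r))
    return rows


def blocked_only_on_reject(rows) -> List[str]:
    """Names of probes that succeeded (2xx/3xx) on the Monitor site but did
    not on the Reject site: these are the requests to look up in the WAF log."""
    def ok(status: Optional[int]) -> bool:
        return status is not None and status < 400
    return [name for name, m, r, _ in rows if ok(m) and not ok(r)]


def main() -> None:
    monitor = run_probes(MONITOR_SITE)
    reject = run_probes(REJECT_SITE)
    rows = diff_outcomes(monitor, reject)
    print(f"{'probe':22} {'monitor':>8} {'reject':>8}  differs")
    for name, m, r, differs in rows:
        print(f"{name:22} {str(m):>8} {str(r):>8}  {'yes' if differs else 'no'}")
    print("check these in the WAF log:", blocked_only_on_reject(rows))


if __name__ == "__main__":
    main()
```

Run it once against both hostnames while watching the WAF log; every row marked "differs" corresponds to a request that the Reject policy turned into a failure and that the Monitor policy let through, which is exactly the set of requests whose log treatment the post is asking about. Keep the probe list fixed between runs so that the log entries from the two rules are comparable one to one.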


