Can WAF be enabled without blocking anything?

 

Information

 

Summary:

The goal is to enable WAF on Virtual Services without blocking any traffic, so that the rules that are triggered are only logged.

Environment:

Product: LoadMaster

Version: 7.2.54 and above

Platform: Any

Application: Any

Question/Problem Description:

Can WAF be turned on without blocking traffic that matches the rules?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:
  • An anomaly score determines what is blocked. For each request, every triggered detection raises the anomaly score, with most rules having a score of 5. If the cumulative anomaly score for a request hits the configured limit, the request is blocked.
  • The default Anomaly Scoring Threshold on LoadMaster is 100, but this can be raised all the way to 10000. With the threshold set to 100 (and each rule having a score of 5), an attacker would need to trigger 20 rules to be blocked (20 x 5 = 100). This is rare, yet it is also rare for a benign user of any application to trigger that many rules.
  • This default setting is relatively safe to start with, but the administrator can initially raise it as high as they like. If the value is set to 10000 at first, WAF can run for a trial period until there is a good feel for the Virtual Service and a baseline has been established; the threshold can then be lowered gradually while weeding out false positives.
  • For how to set this up on the LoadMaster and run the false positive analysis, please refer to Using WAF.
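
The baseline-then-lower procedure described above, as an added example that is not part of the original Kemp article: it sums per-request anomaly scores from rule hits collected during the trial period, shows which requests each candidate threshold would block, and lists the rules that fire most on reviewed benign traffic. The tuple layout, request IDs and rule labels are constructed assumptions, not LoadMaster's log format.

```python
from collections import Counter, defaultdict

# Constructed sample data: (request_id, rule_label, score) for every rule that
# fired during the trial period. The tuple layout and labels are assumptions,
# not LoadMaster's log format; most rules score 5, as the article states.
SAMPLE_HITS = (
    [("r1", "rule-A", 5), ("r1", "rule-B", 5)]            # benign, 2 rules
    + [("r2", f"rule-{c}", 5) for c in "ABCDE"]           # benign, 5 rules
    + [("r3", f"rule-{i}", 5) for i in range(20)]         # hostile, 20 rules
    + [("r4", f"rule-{i}", 5) for i in range(8)]          # hostile, 8 rules
)
REVIEWED_BENIGN = {"r1", "r2"}  # requests an analyst confirmed as false positives


def score_requests(hits):
    """Sum the scores of all triggered rules per request."""
    totals = defaultdict(int)
    for request_id, _rule, score in hits:
        totals[request_id] += score
    return dict(totals)


def blocked_at(totals, threshold):
    """Requests whose cumulative score reaches the threshold would be blocked."""
    return sorted(r for r, s in totals.items() if s >= threshold)


def lowest_safe_threshold(totals, benign_ids):
    """Smallest threshold that blocks none of the reviewed benign requests."""
    return max((totals.get(r, 0) for r in benign_ids), default=0) + 1


def noisy_rules(hits, benign_ids, top=2):
    """Rules firing most often on benign traffic: first candidates for tuning."""
    counts = Counter(rule for r, rule, _ in hits if r in benign_ids)
    return counts.most_common(top)


if __name__ == "__main__":
    totals = score_requests(SAMPLE_HITS)
    for threshold in (10000, 100, 40, lowest_safe_threshold(totals, REVIEWED_BENIGN)):
        print(threshold, blocked_at(totals, threshold))
    print(noisy_rules(SAMPLE_HITS, REVIEWED_BENIGN))
```

On the sample data, a threshold of 10000 blocks nothing, 100 blocks only the 20-rule request, and the 8-rule request is blocked only once the threshold is lowered to 40 or below.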
Workaround:  
Notes:  
