Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Web Application Firewall (WAF)

Audit only WAF options

Updated

 

Information

 

Summary:

Rule Audit options after migration from legacy WAF to current WAF
Environment:

Product: LoadMaster

Version: 7.2.54 and later

Platform: Any

Application: Any
Question/Problem Description:

After migrating from legacy WAF to the current WAF, is it possible to put the current WAF in audit only mode in order to assess if there will be any impact to our applications?
Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:
  • The current version of WAF does not include an audit only option, but a delay can be configured for how many times a rule is triggered before it is blocked.
  • For example, on the current version of WAF, increase the Anomaly Scoring Threshold to a very high value. With the Anomaly score, for each request every triggered detection raises the anomaly score, most rules having a score of 5. If the cumulative anomaly score per request hits the configured limit, the request will be blocked. The default value is 100 and allowable range is 1 to 10000. Setting this to a very high value will prevent any requests which match on a rule from being blocked.
Workaround:  
Notes:

https://support.kemptechnologies.com/hc/en-us/articles/203128369-Web-Application-Firewall-WAF-#MadCap_TOC_10_2

Comments

In this document