Using Monitor Mode
The processing mode for a virtual web application can be one of:
• enabled – The ACE Web Application Firewall blocks messages that violate message inspection rules and applies content rewrite rules and active security features.
• monitor mode – If selected, the ACE Web Application Firewall does not block traffic that matches a message inspection rule or violates an active security setting. Instead, it logs the event. This mode is useful for testing a configuration or monitoring the prevalence of potentially malicious traffic without affecting the traffic flow. Message rewrite rules, HTTP processing, exception mapping, and cookie security are applied to traffic even if the virtual web application is in monitor mode.
• disabled – Stops the ACE Web Application Firewall from receiving traffic on the consumer interface defined for the virtual web application. Note that traffic is blocked unless a less specific virtual web application consumer interface exists that matches the messages that would have been matched by the disabled virtual web application.
HTTP Headers (Custom Virtual URL with Filters setting)
Configure this option to have requests matched to this virtual web application based on the presence or value of one or more HTTP headers in the request. Requests that do not have the specified HTTP headers or values are not handled by this virtual web application. HTTP header names are matched in a case-insensitive manner, while their values are matched in a case-sensitive manner.
Parameters (Custom Virtual URL with Filters setting)
Configure this option to have requests matched to this virtual web application based on the presence or value of one or more request parameters. Requests with parameters that do not match your requirements are not handled by this virtual web application. Parameter names and values are compared to messages in a case-sensitive manner.
Parameters can be URL arguments in the request or parameters in the body of POST requests. URL arguments appear as ampersand-delimited name-value pairs in the request URL, as illustrated by the “zip” and “session” parameters: oakinsurance/partners/getquote?zip=94114&session=01234
You can set requirements for parameters using Perl-style regular expressions or by identifying the parameter by name. Specify request parameter requirements using these operators:
• exists – The message must have the named parameter.
• matches regex – The value of the named parameter must match the regex you specify.
• is – The value of the named parameter must match the characters you specify, case-sensitive.
• is not – The value of the named parameter must not match the characters you specify, case-sensitive.
Note that specifying a matching or a non-matching (“is not”) requirement does not require that the parameter be present in the request. That is, if a request that otherwise matches the filter does not contain a parameter for which you’ve specified a matching or non-matching value, it is accepted.
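The matching semantics described above, modelled as an added example (this is not Cisco's code). It shows that a value requirement alone still matches a request that omits the parameter, and that pairing it with exists closes that gap. Assumptions: the function names, the x-partner header and the tuple layout are constructed, "matches regex" is treated as a value requirement with an unanchored search, and Python's re stands in for Perl-style regular expressions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def header_ok(headers, name, value=None):
    # Header names compare case-insensitively, values case-sensitively.
    # An absent header never satisfies the requirement.
    for k, v in headers.items():
        if k.lower() == name.lower():
            return value is None or v == value
    return False

def param_ok(params, name, op, arg=None):
    # Parameter names and values compare case-sensitively.
    if op == "exists":
        return name in params
    if name not in params:
        # The note above: a value requirement does not require presence.
        return True
    value = params[name]
    if op == "is":
        return value == arg
    if op == "is not":
        return value != arg
    if op == "matches regex":
        # Assumption: unanchored search; Python's re stands in for Perl-style regex.
        return re.search(arg, value) is not None
    raise ValueError(f"unknown operator: {op}")

def matches_filter(url, headers, header_reqs, param_reqs):
    # Only URL arguments are parsed here; POST body parameters are out of scope.
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (all(header_ok(headers, *h) for h in header_reqs)
            and all(param_ok(params, *p) for p in param_reqs))

# Constructed sample requests based on the URL shown above.
WITH_ZIP = "oakinsurance/partners/getquote?zip=94114&session=01234"
NO_ZIP = "oakinsurance/partners/getquote?session=01234"
HEADERS = {"x-partner": "Oak"}  # constructed header, not from the product docs

VALUE_ONLY = [("zip", "matches regex", r"^\d{5}$")]
VALUE_AND_PRESENCE = [("zip", "exists")] + VALUE_ONLY

if __name__ == "__main__":
    for label, reqs in (("value only", VALUE_ONLY), ("exists + value", VALUE_AND_PRESENCE)):
        for url in (WITH_ZIP, NO_ZIP):
            print(label, url, matches_filter(url, HEADERS, [("X-Partner", "Oak")], reqs))
```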
Chapter 4 Working with Virtual Web Applications
Using Monitor Mode
The monitor mode is particularly useful for testing and developing the policy. In enabled mode, messages are rejected at the first instance at which they violate a rule; they are not further evaluated against other rules in the profile. The event log or incidents report will only show the rule that caused the message to be blocked, not any other rule that a message may have violated had its processing continued. On the other hand, in monitor mode, if a message is found to violate a rule, it continues to be processed by the other rules in the profile. This allows you to view in the log all rules that a message would violate, not just the first blocking rule triggered.
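The difference in log coverage between the two modes, as an added example (this is not Cisco's code). The three rules, the sample messages and the function names are constructed for illustration; rewrite rules and the other processing that still applies in monitor mode are not modelled.

```python
import re

# Constructed inspection rules: (rule name, predicate that is True on a violation).
RULES = [
    ("zip-format", lambda p: not re.fullmatch(r"\d{5}", p.get("zip", ""))),
    ("session-format", lambda p: not re.fullmatch(r"\d+", p.get("session", ""))),
    ("comment-length", lambda p: len(p.get("comment", "")) > 40),
]

def inspect(params, mode):
    """Return (delivered, logged_rule_names) for one message."""
    if mode not in ("enabled", "monitor"):
        raise ValueError(mode)
    logged = []
    for name, violated in RULES:
        if violated(params):
            logged.append(name)
            if mode == "enabled":
                return False, logged  # rejected at the first violation
    return True, logged  # monitor mode never blocks; clean messages pass in both

def hidden_by_blocking(messages):
    """Rules that reach the log only when the same traffic runs in monitor mode."""
    seen_enabled, seen_monitor = set(), set()
    for m in messages:
        seen_enabled.update(inspect(m, "enabled")[1])
        seen_monitor.update(inspect(m, "monitor")[1])
    return sorted(seen_monitor - seen_enabled)

# Constructed sample traffic.
MESSAGES = [
    {"zip": "94114", "session": "01234"},                       # clean
    {"zip": "9411", "session": "abc", "comment": "x" * 50},     # violates all three
    {"zip": "94114", "session": "01234", "comment": "y" * 41},  # comment-length only
]

if __name__ == "__main__":
    for mode in ("enabled", "monitor"):
        for m in MESSAGES:
            print(mode, inspect(m, mode))
    print("visible only in monitor mode:", hidden_by_blocking(MESSAGES))
```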
You can set the operating status in the policy at several contexts:
• for a rule in a profile
• for an individual virtual web application
• for a group
• for all virtual web applications in the policy.
You can also specify a default mode for newly created virtual web applications, since it is usually advisable to observe the interaction of a virtual web application with network traffic in passive mode before it affects the network traffic.
For a given virtual web application, monitor mode works the same way whether set policy-wide, from the group, or just for the virtual web application.
To set the operating mode policy-wide:
Step 1 Click the Virtual Web Applications link from the navigation menu.
Step 2 From the Set all virtual web apps to menu on the Virtual Web Applications page, choose the desired operating mode: enabled, monitor mode, or disabled.
To set the operating mode by group:
Step 1 Click the Virtual Web Applications link from the navigation menu.
Step 2 Click on the name of the virtual web application group that you want to set. The group names appear in the green-shaded headings.
Step 3 From the Set all virtual web apps to menu in the group page, choose the desired operating mode: enabled, monitor mode, or disabled.
To set the operating mode for an individual virtual web application:
Step 1 Click the Virtual Web Applications link from the navigation menu.
Step 2 Click on the name of the virtual web application that you want to set. The group names appear in the green-shaded headings.
Step 3 Click the edit link on the right side of the overview header.
Step 4 Click the Monitor Mode check box at the bottom of the page.