Detection Mode, Protection Mode

Modes

It’s important to understand that an application can be guarded in two different modes:

  • When an application is in detection mode, only the detection ruleset is active. vWAF monitors all requests as configured by the rules of the detection ruleset and writes all incidents to the log files. However, vWAF does not block any traffic and does not interfere with your web application in any way.

    Detection mode is typically used in the following scenarios:

    • You want to use vWAF for monitoring purposes only.
    • You’ve added a new ruleset or modified an existing ruleset, and now want to test this ruleset without running the risk of blocking any desired traffic by mistake.
  • When an application is in protection mode, the rules of the ruleset are actually enforced. This means that requests are actually denied in the case of an attempted attack. In this mode, too, all actions are logged in the log files for future analysis and documentation.

    Protection mode is typically used only after you’ve tested a ruleset for some time in detection mode, and now want to protect a web application with the help of this ruleset.

    ATTENTION
    In detection mode, vWAF doesn’t establish a secure session when the Session Handler is enabled. Therefore, in detection mode all handlers that are based on a secure session are ineffective. Also there’s no response filtering possible in detection mode. (See descriptions of individual handlers for details where applicable.) The same limitation applies to all Wizards that enable the Session Handler. (You can work through these Wizards anyhow. The ruleset will be fully effective as soon as you enter protection mode.) Only the following Wizards produce fully working results for detection mode: Baseline Protection Wizard, Vulnerability description Import Wizard.

One ruleset or two rulesets?

  • When an application is in detection mode, there’s only one working ruleset: the detection ruleset.
  • When an application is in protection mode, however, there can be up to two working rulesets in parallel:
    • the protection ruleset
    • a second ruleset, which works in the background as an additional detection ruleset

    This enables you to “test drive” a new ruleset before making it the new protection ruleset. While your current protection ruleset is still working, you can run the new ruleset as a detection ruleset at the same time. It writes all actions to the log files but doesn’t block any traffic. You can then analyze the log files to see whether the new rules behave as intended, or whether they would have also blocked any desired traffic. When the new ruleset is technically mature, you can make it the protection ruleset without any risk.

Default Behavior

When adding a new application, initially this application is in detection mode by default. You can then configure and test your ruleset without interfering with your running web application. When you’re done and want to enable protection, you must explicitly switch on protection mode for the application (see Editing Applications).