Forum Discussion

mkeenan_289714
Dec 07, 2016

Difference between "Illegal" and "Blocked" request

I recently accepted all learning suggestions from a security policy after confirmation from the web app developer. We took the security policy out of staging and put it into transparent mode with the goal of reviewing policy violations in the logs after a week. I want to determine which violations in the logs would have been blocked if the security policy was not in transparent mode. I can see a bunch of violations that show up as "Illegal" but not "Blocked". I have a theory that because the security policy is in transparent mode, what would normally show up as "Blocked" will only show up as "Illegal". In other words, those same violations would show up as Blocked instead of Illegal if not in transparent mode. Does that sound accurate?

Please help me understand what "Illegal" means as opposed to "Blocked" in the Security Event Logs. Thanks!

1 Reply

'Illegal' in the ASM logs may also mean you have checked the Alert tickbox in policy Blocking Settings while the Block tickbox is unchecked. So the request is deemed illegal according to your policy configuration, but not subject to blocking (even when the policy itself is in Blocking status, you can have individual features as alert-only).

You may want to have such an "alert-only" configuration for security features you are planning to take into use, but want to first evaluate whether those features align with your application without a negative consequence.

    Regards,
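To answer the original question (which "Illegal" entries would have been "Blocked" outside transparent mode), the decision described in the reply can be applied to exported log records: a request is blocked only if the policy is in Blocking mode and at least one of its violations has the Block tickbox set; violations with only Alarm set log as illegal either way. The script below is an added example, not from the original thread or from F5; the log lines are constructed in the key="value" style of ASM remote logging, and the field names and the per-violation settings table are assumptions you would replace with your own policy's Blocking Settings.

```python
import re

# Constructed sample records (assumed field names, mimicking ASM key="value" remote logging).
SAMPLE_LOG = """\
policy_name="app_policy" violations="Illegal file type" request_status="alerted" support_id="1001" uri="/cmd.exe"
policy_name="app_policy" violations="Attack signature detected,Illegal meta character in value" request_status="alerted" support_id="1002" uri="/search"
policy_name="app_policy" violations="Illegal parameter" request_status="alerted" support_id="1003" uri="/login"
policy_name="app_policy" violations="Attack signature detected" request_status="blocked" support_id="1004" uri="/admin"
"""

# Assumed Blocking Settings of the policy: the Alarm and Block tickboxes per violation type.
BLOCKING_SETTINGS = {
    "Illegal file type": {"alarm": True, "block": True},
    "Attack signature detected": {"alarm": True, "block": True},
    "Illegal meta character in value": {"alarm": True, "block": False},
    "Illegal parameter": {"alarm": True, "block": False},
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(log_text, settings):
    """For each record, project what request_status would be in Blocking mode.

    A record already logged as 'blocked' stays blocked. Otherwise it is blocked
    in Blocking mode only if some violation has the Block tickbox set; a
    violation missing from the settings table is treated as alert-only.
    """
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        violations = [v.strip() for v in rec["violations"].split(",")]
        blocking = [v for v in violations if settings.get(v, {}).get("block")]
        projected = "blocked" if rec["request_status"] == "blocked" or blocking else "alerted"
        results.append({"support_id": rec["support_id"], "uri": rec["uri"],
                        "seen": rec["request_status"], "in_blocking_mode": projected,
                        "blocking_violations": blocking})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, BLOCKING_SETTINGS):
        print(r["support_id"], r["uri"], r["seen"], "->", r["in_blocking_mode"], r["blocking_violations"])
```

Records whose projected status is "blocked" are the ones the policy would have stopped had it been in Blocking mode; reviewing those with the developer before leaving transparent mode is the point of the exercise.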