Understanding block mode and action
Block mode
On the Applications page, you can turn Block Mode on or off for each application.
When to enable block mode
- When Block Mode is enabled, FortiAppSec Cloud takes the action specified in the Action setting of each WAF module. Requests that trigger security violations are blocked, preventing them from reaching your application server.
- When Block Mode is disabled, FortiAppSec Cloud only monitors violations and generates logs for them. FortiAppSec Cloud does not block the malicious requests.
Before you enable Block Mode, please check the following prerequisites:
- The endpoints and origin servers are configured properly. The traffic flow between the clients, FortiAppSec Cloud, and your application servers is stable.
- Observe the attack logs in FortiView or Attack logs. If legitimate traffic is falsely detected as attacks (also called false positives), add exceptions or modify the web protection configurations to avoid false positives in the future.
Action
When Block Mode is disabled, FortiAppSec Cloud will accept all requests and generate logs for all violations without considering the specified actions in each WAF feature.
When Block Mode is enabled, requests that trigger a violation are blocked, and the specific action you have configured in each WAF feature prevails. For example, if you set the Action for Known Attacks as Alert & Deny, FortiAppSec Cloud will block the request (or reset the connection) and generate a log message.
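
The log review listed under the prerequisites can be run as a dry run of the rule described in this section. The following is an added example, not Fortinet code: it takes violations logged while Block Mode was disabled and reports which requests would be blocked once it is enabled. The log field names, the `Example Module` name, and the log-only `Alert` action are assumptions made for the sketch.

```python
from collections import defaultdict

# Constructed sample of violations logged while Block Mode was disabled.
# Field names are hypothetical, not FortiAppSec Cloud's log export schema.
SAMPLE_LOGS = [
    {"module": "Known Attacks", "url": "/search", "src": "203.0.113.7"},
    {"module": "Known Attacks", "url": "/search", "src": "203.0.113.8"},
    {"module": "Known Attacks", "url": "/search", "src": "198.51.100.4"},
    {"module": "Known Attacks", "url": "/login", "src": "203.0.113.7"},
    {"module": "Example Module", "url": "/api/export", "src": "198.51.100.9"},
]

# Action configured per WAF module. "Alert & Deny" is the action named on the
# page; "Alert" (log only) and "Example Module" are assumptions for this sketch.
ACTIONS = {"Known Attacks": "Alert & Deny", "Example Module": "Alert"}


def effective_outcome(block_mode, action):
    """Outcome for a request that has triggered a violation."""
    if not block_mode:
        return "logged"  # Block Mode off: request accepted, violation logged
    return "blocked" if "Deny" in action else "logged"


def preview(logs, actions, block_mode=True):
    """Per (module, url): requests that would be blocked and distinct clients hit."""
    hits = defaultdict(list)
    for rec in logs:
        action = actions.get(rec["module"], "Alert")  # unknown module: assume log only
        if effective_outcome(block_mode, action) == "blocked":
            hits[(rec["module"], rec["url"])].append(rec["src"])
    rows = [
        {"module": m, "url": u, "blocked": len(srcs), "clients": len(set(srcs))}
        for (m, u), srcs in hits.items()
    ]
    # Largest impact first: these rows deserve the closest false-positive review.
    return sorted(rows, key=lambda r: r["blocked"], reverse=True)


if __name__ == "__main__":
    for row in preview(SAMPLE_LOGS, ACTIONS):
        print(row)
```

Rows at the top of the report are the ones to check against known legitimate traffic and, where needed, cover with an exception before Block Mode is turned on.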