User Guide

Understanding block mode and action

Block mode

On the Applications page, you can turn Block Mode on or off for each application.

When to enable block mode
  • When Block Mode is enabled, FortiWeb Cloud takes the action specified in Action of each WAF module and blocks requests if they trigger violations. Your application server does not receive these requests.
  • When Block Mode is disabled, FortiWeb Cloud only monitors violations and generates logs for them. FortiWeb Cloud does not block the malicious requests.

Check the following prerequisites before you enable the Block Mode:

  • The endpoints and servers are configured properly. The traffic flow between the clients, FortiWeb Cloud, and your application servers is stable.
  • Observe the attack logs in FortiView or Logs. If legitimate traffic is falsely detected as attacks (also called false positives), add exceptions or modify the web protection configurations to avoid false positives in the future.
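One way to work through the second prerequisite on an exported attack log, as an added example that is not Fortinet code: it groups violations recorded while Block Mode was disabled and flags rule and URL pairs that look like legitimate traffic. The column names, signature IDs, sample rows, and thresholds are all assumptions constructed for this illustration, not FortiWeb Cloud's export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a monitor-mode attack log export. The column names are
# assumptions for this example, not FortiWeb Cloud's actual export schema.
SAMPLE_LOG = """\
src_ip,url,module,signature_id,http_status
198.51.100.10,/api/comments,Known Attacks,SIG-A,200
198.51.100.11,/api/comments,Known Attacks,SIG-A,200
198.51.100.12,/api/comments,Known Attacks,SIG-A,201
198.51.100.13,/api/comments,Known Attacks,SIG-A,200
203.0.113.7,/login,Known Attacks,SIG-B,403
203.0.113.7,/login,Known Attacks,SIG-B,404
203.0.113.7,/admin,Known Attacks,SIG-B,404
"""


def false_positive_candidates(log_text, min_clients=3, min_ok_ratio=0.8):
    """Return (module, signature, url) groups that look like legitimate traffic.

    Heuristic (an assumption, tune per application): many distinct clients
    trigger the same rule on the same URL and the origin answers with 2xx/3xx.
    """
    groups = defaultdict(lambda: {"clients": set(), "hits": 0, "ok": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["module"], row["signature_id"], row["url"])
        g = groups[key]
        g["clients"].add(row["src_ip"])
        g["hits"] += 1
        if 200 <= int(row["http_status"]) < 400:
            g["ok"] += 1
    candidates = []
    for key, g in sorted(groups.items()):
        if len(g["clients"]) >= min_clients and g["ok"] / g["hits"] >= min_ok_ratio:
            candidates.append({"rule": key, "clients": len(g["clients"]), "hits": g["hits"]})
    return candidates


def ready_for_block_mode(log_text):
    """Block Mode is reasonable only once no unreviewed candidates remain."""
    return not false_positive_candidates(log_text)


if __name__ == "__main__":
    for c in false_positive_candidates(SAMPLE_LOG):
        print("review before enabling Block Mode:", c)
```

Each flagged group is a prompt for manual review, not a verdict: confirm the traffic is legitimate before adding an exception for it.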

Action

When you have enabled Advanced Configuration in Global > System Settings > Settings, you can configure the action for each WAF feature individually. If Advanced Configuration is disabled, the default actions of each WAF feature apply instead.

When Block Mode is disabled, FortiWeb Cloud will accept all requests and generate logs for all violations without considering the specified actions in each WAF feature.

When Block Mode is enabled, requests that trigger a violation are blocked, and the specific actions you have configured in each WAF feature prevail. For example, if you set the Action for Known Attacks as Alert & Deny, FortiWeb Cloud will block the request (or reset the connection) and generate a log message.
