Blocking and logging

For each deny rule group, a security level can be selected for "Blocking" and for "Additional Logging". The blocking level determines which requests Airlock Gateway actually blocks. Blocked requests are logged with threat handling set to "BLOCK" (log attribute th_mode). The "Log Only" column overrides blocking, either for the entire deny rule group or for an individual rule: a request matching a rule marked as log-only is not blocked, but is still logged with threat handling "NOTIFY".

The "Additional Logging" level specifies a second, typically stricter, security level that is used only for logging. This makes it possible to evaluate a new security level without affecting the application. For example, an administrator may set SQL injection blocking to level standard but want to find out whether level strict would be feasible without causing too many false positives. By setting the additional logging level to strict, every request that would be blocked at level strict (but is not blocked at level standard) is logged with threat handling "NOTIFY". Using policy learning, the exceptions needed for level strict can then be discovered and integrated before the blocking level is raised to strict. In the same way, additional logging can be used to test and integrate the security levels basic/standard/strict when migrating away from legacy rules. Note that both log-only matches and additional-logging matches are logged with threat handling "NOTIFY"; make sure the "Show log only" checkbox in policy learning is checked, otherwise matches from additional logging are not displayed.
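The following is an added example that models the interaction of the three settings described above; it is not Airlock Gateway code and does not reproduce the product's real log format. It assumes that the security levels are ordered basic < standard < strict, that each deny rule has a lowest level at which it is active and stays active at every higher level, and that the rule identifiers, group name and request paths are constructed for illustration. The `candidate_hits` function picks out exactly the "NOTIFY" entries an administrator would review in policy learning before raising the blocking level.

```python
"""Model of how "Blocking", "Additional Logging" and "Log Only" combine into
the th_mode an Airlock-style deny rule match would produce in the log.
Added illustration; not Airlock Gateway code.  Assumption: levels are
ordered basic < standard < strict and a rule active at a lower level is
also active at every higher level.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = {"basic": 0, "standard": 1, "strict": 2}


@dataclass
class DenyRule:
    id: str
    level: str               # lowest security level at which the rule is active
    log_only: bool = False   # per-rule "Log Only" override


@dataclass
class DenyRuleGroup:
    name: str
    blocking: str                              # "Blocking" security level
    additional_logging: Optional[str] = None   # "Additional Logging" level, if set
    log_only: bool = False                     # group-wide "Log Only" override
    rules: List[DenyRule] = field(default_factory=list)


def active_at(rule: DenyRule, level: str) -> bool:
    """A rule is active at `level` if its own level is the same or lower."""
    return LEVELS[rule.level] <= LEVELS[level]


def outcome(group: DenyRuleGroup, rule: DenyRule) -> Tuple[Optional[str], str]:
    """th_mode written for a request matching `rule`, plus the reason.

    Returns (th_mode, reason) with th_mode in {"BLOCK", "NOTIFY", None}.
    """
    if active_at(rule, group.blocking):
        # Blocking level applies; "Log Only" downgrades BLOCK to NOTIFY.
        if group.log_only or rule.log_only:
            return "NOTIFY", "log-only override"
        return "BLOCK", "blocking level"
    if group.additional_logging and active_at(rule, group.additional_logging):
        # Only the additional logging level matches: logged, never blocked.
        return "NOTIFY", "additional logging"
    return None, "not active"


def th_mode_counts(group: DenyRuleGroup, matches) -> Counter:
    """Count th_mode values over (rule_id, path) matches; None = no log entry."""
    rules = {r.id: r for r in group.rules}
    return Counter(outcome(group, rules[rid])[0] for rid, _ in matches)


def candidate_hits(group: DenyRuleGroup, matches) -> List[Tuple[str, str]]:
    """Matches that would start being blocked if the blocking level were
    raised to the additional logging level.  These are the entries to review
    in policy learning; log-only NOTIFY entries are deliberately excluded,
    although both carry th_mode NOTIFY in the log itself."""
    rules = {r.id: r for r in group.rules}
    return [
        (rid, path)
        for rid, path in matches
        if outcome(group, rules[rid]) == ("NOTIFY", "additional logging")
    ]


# Constructed group: blocking at standard, additional logging at strict.
SQLI = DenyRuleGroup(
    name="SQL injection",
    blocking="standard",
    additional_logging="strict",
    rules=[
        DenyRule("sqli_union", "basic"),
        DenyRule("sqli_comment", "standard", log_only=True),
        DenyRule("sqli_keyword_in_param", "strict"),
    ],
)

# Constructed matches (rule id, request path); not real traffic.
MATCHES = [
    ("sqli_union", "/login"),
    ("sqli_comment", "/search"),
    ("sqli_keyword_in_param", "/report?order=select"),
    ("sqli_keyword_in_param", "/report?order=select"),
    ("sqli_keyword_in_param", "/api/items?filter=from"),
]

if __name__ == "__main__":
    print(th_mode_counts(SQLI, MATCHES))
    for rid, path in candidate_hits(SQLI, MATCHES):
        print(f"would block at strict: {rid} {path}")
```

Running the script on the constructed data yields one BLOCK and four NOTIFY entries, of which three come from additional logging and one from the log-only rule. Distinguishing the two sources matters: a log-only match is one the administrator has already decided not to block, whereas an additional-logging match on a legitimate path is a false positive that needs an exception before the blocking level is raised.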