Blocking and logging

For each deny rule group, a security level for "Blocking" and "Additional Logging" can be selected. The blocking level determines which requests are actually blocked by Airlock Gateway. Blocked requests are logged with threat handling set to "BLOCK" (see Block Summary). The "Log Only" column allows overriding the blocking security level for the entire deny rule group or individually for a specific rule. Requests matching a rule marked as log-only are logged with threat handling "NOTIFY".

The "Additional Logging" level allows specifying an additional security level used just for logging. This enables integration of a new security level without impacting the application. For example, an administrator may choose to set SQL injection blocking to level standard. However, she may be interested in learning whether level strict would actually be possible without causing too many false positives. By setting the additional logging level to strict, all requests that would be blocked in level strict (but are not blocked at level standard) are logged with threat handling "NOTIFY". Policy learning allows the exceptions necessary for level strict to be discovered and integrated before the blocking level is raised to strict. Similarly, the additional logging feature can be used to test and integrate the basic/standard/strict security levels when migrating away from legacy rules. Check the "Show log only" checkbox in policy learning to see matches from additional logging.
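The interaction between the blocking level, the per-group and per-rule "Log Only" overrides, and the additional logging level is easiest to see as a decision table. The following Python model is an added example and is not Airlock Gateway's own code or rule set: it assumes the level ordering basic < standard < strict, assumes that a rule active at one level is also active at every stricter level, and uses two constructed regexes that merely stand in for real deny rules. `evaluate` returns the threat handling ("BLOCK" or "NOTIFY") each matching rule would produce and which setting produced it, which is exactly what a reviewer of the log needs to tell a real block from an additional-logging notification.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Ordered from least to most strict. A rule whose minimum level is
# "standard" is active at "standard" and at "strict", but not at "basic".
LEVELS = ("basic", "standard", "strict")


@dataclass
class DenyRule:
    name: str
    pattern: str            # constructed regex; stands in for a real deny rule
    min_level: str          # lowest security level at which the rule is active
    log_only: bool = False  # per-rule "Log Only" override


@dataclass
class DenyRuleGroup:
    name: str
    blocking_level: str
    additional_logging_level: Optional[str] = None
    log_only: bool = False  # group-wide "Log Only" override
    rules: list = field(default_factory=list)


def active_at(rule: DenyRule, level: Optional[str]) -> bool:
    """True if the rule belongs to the rule set of the given security level."""
    if level is None:
        return False
    return LEVELS.index(level) >= LEVELS.index(rule.min_level)


def evaluate(group: DenyRuleGroup, value: str) -> list:
    """Return one (rule_name, threat_handling, source) per matching rule.

    threat_handling is "BLOCK" or "NOTIFY"; source names the setting that
    produced the log entry: "blocking", "log-only" or "additional-logging".
    """
    findings = []
    for rule in group.rules:
        if not re.search(rule.pattern, value):
            continue
        if active_at(rule, group.blocking_level):
            # Rule is part of the blocking level: block unless overridden.
            if group.log_only or rule.log_only:
                findings.append((rule.name, "NOTIFY", "log-only"))
            else:
                findings.append((rule.name, "BLOCK", "blocking"))
        elif active_at(rule, group.additional_logging_level):
            # Only the stricter, logging-only level contains this rule.
            findings.append((rule.name, "NOTIFY", "additional-logging"))
    return findings


def threat_handling(findings: list) -> Optional[str]:
    """Collapse per-rule findings to the request's overall outcome."""
    handlings = {h for _, h, _ in findings}
    if "BLOCK" in handlings:
        return "BLOCK"
    if "NOTIFY" in handlings:
        return "NOTIFY"
    return None


# Constructed rule group: blocking at "standard", additional logging at
# "strict". One toy pattern is active from "standard", one only at "strict".
SQLI_GROUP = DenyRuleGroup(
    name="SQL injection (constructed)",
    blocking_level="standard",
    additional_logging_level="strict",
    rules=[
        DenyRule("sqli-union", r"(?i)\bunion\b\s+\bselect\b", "standard"),
        DenyRule("sqli-tautology", r"(?i)\bor\b\s+'?\w+'?\s*=\s*'?\w+'?", "strict"),
    ],
)

# Constructed request parameter values used as sample input.
SAMPLES = {
    "plain": "search term",
    "union": "1 UNION SELECT name FROM users",
    "tautology": "1 or 1=1",
}


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        found = evaluate(SQLI_GROUP, value)
        print(f"{label:10s} -> {threat_handling(found)} {found}")
```

With this configuration the "union" sample is blocked, the "tautology" sample only produces a NOTIFY entry attributed to additional logging (it would become a BLOCK once the blocking level is raised to strict), and the plain value is not logged at all. Setting the group-wide `log_only` flag turns the BLOCK for the "union" sample into a NOTIFY from the log-only override, which is the entry that "Show log only" surfaces in policy learning.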