For each blocked request, Airlock Gateway automatically generates suggestions that prevent similar blocks in the future. These suggestions consist of modifications applied to the current configuration. Typically, Airlock Gateway generates multiple suggestions with different specificity and proposes a Favorite Policy Suggestion.
The Favorite Policy Suggestion aims to strike a balance between two scenarios:
- Adding a very specific configuration change. This has a small negative security impact, but the drawback is that similar requests may cause further false positive blocks. Moreover, the configuration may become fragmented if many such specific changes need to be applied.
- Adding a very generic configuration change. This has a larger negative security impact because it allows more requests to pass than may be necessary. However, because it typically covers more variants of the same block type, there is usually no need to add further changes, which may reduce the integration effort.
To show all suggestions for a block, click on the block in the result table. This opens the block details section below the table:
- Tab Request Details – this tab shows all the details of a blocked request and the circumstances leading to the blocking decision. This includes, e.g., the name of the matching Deny Rule or the values of the offending parameter and header values. These details can be used for further filtering and can help the administrator decide which suggestion to accept and whether a certain block is a false positive.
- Tab Policy Suggestions – this tab can show alternative exceptions that might be chosen instead of the Favorite Policy Suggestion. The Blocks Covered column indicates the number of blocks covered to assist the administrator in accepting the appropriate suggestion. For instance, if a very generic suggestion covers only a few blocks, a more specific suggestion should be accepted instead. However, if a generic suggestion covers many blocks that would otherwise require a lot of specific suggestions, it may be better to accept the generic suggestion.
Of all the generated suggestions in the Policy Suggestions tab, Airlock Gateway selects one as the Favorite Policy Suggestion, which always has the most fine-granular blocking effect, i.e., it will block exactly similar requests. All other suggestions in the list are less specific and will likely block approximately similar requests. For example, if a parameter `comment` was blocked by an SQL injection Deny Rule on path `/application`, several suggestions are proposed:
| Suggestion | Description |
|---|---|
| Add a deny rule exception for parameter | This is the most specific exception suggested. The exception is only valid for the specific parameter name, the blocking Deny Rule, and the specific path. |
| Add a deny rule exception for parameter | The exception is only valid for the specific parameter name and Deny Rule but is not restricted to the path. That is, the exception applies to the entire Mapping. |
| Add a deny rule group exception for parameter | Similar to the first suggestion, the exception is linked to the path. Here, however, the exception is added to the entire Deny Rule Group for SQL injection and not only to the specific Deny Rule. This is the favorite suggestion for these types of blocks. |
| Add a deny rule group exception for parameter | This adds an exception on the group level without linking it to the path. Such a parameter exception disables the protection against attacks covered by this group for that parameter. |
| Disable deny rule SQL Injection | This is the most generic suggestion and disables the Deny Rule on the mapping. SQL injection attacks are therefore no longer prevented on this mapping. |
The term *violating request* has a different meaning depending on the threat handling mode configured on the respective mapping:
- For the threat handling modes Block request and Terminate session: all blocked requests are violating requests.
- For the threat handling mode Log only: all requests that would be blocked if threat handling were changed to block/terminate mode are violating requests.
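The following is an added illustration, not Airlock Gateway code, of two points made above: how the Blocks Covered count and the security cost of an exception change as its scope widens (the five suggestion types in the table), and how the Log only mode turns a blocked request into a violating request that is still let through. The deny rules, rule group names, parameter names, paths and all request samples are constructed for the example; real Airlock Deny Rules and the exact scope semantics of its exceptions are not reproduced here.

```python
"""Toy model of deny-rule exceptions at different scopes (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional
import re


@dataclass(frozen=True)
class DenyRule:
    name: str
    group: str
    pattern: str  # constructed regex, matched against parameter values


@dataclass(frozen=True)
class Exception_:
    """Parameter exception; rule=None/group=None/path=None widen the scope."""
    parameter: str
    rule: Optional[str] = None    # a specific Deny Rule name
    group: Optional[str] = None   # a whole Deny Rule Group
    path: Optional[str] = None    # None means the entire mapping

    def covers(self, rule: DenyRule, parameter: str, path: str) -> bool:
        if self.parameter != parameter:
            return False
        if self.path is not None and self.path != path:
            return False
        if self.rule is not None:
            return rule.name == self.rule
        return self.group is not None and rule.group == self.group


@dataclass
class Mapping:
    rules: list
    mode: str = "block"  # "block", "terminate" or "log_only"
    exceptions: list = field(default_factory=list)
    disabled_rules: set = field(default_factory=set)

    def evaluate(self, path: str, params: dict) -> dict:
        """Return the (rule, parameter) hits that survive exceptions, plus the verdict."""
        hits = []
        for rule in self.rules:
            if rule.name in self.disabled_rules:
                continue
            for name, value in params.items():
                if not re.search(rule.pattern, value, re.IGNORECASE):
                    continue
                if any(e.covers(rule, name, path) for e in self.exceptions):
                    continue
                hits.append((rule.name, name))
        violating = bool(hits)
        # Log only: still a violating request, but it is not blocked.
        blocked = violating and self.mode in ("block", "terminate")
        return {"hits": hits, "violating": violating, "blocked": blocked}


# Constructed rules; not Airlock's real Deny Rules.
RULES = [
    DenyRule("SQL_UNION", "SQL Injection", r"\bunion\b.*\bselect\b"),
    DenyRule("SQL_COMMENT", "SQL Injection", r"--|/\*"),
    DenyRule("XSS_SCRIPT", "XSS", r"<script"),
]

# Constructed false positives: the blocks an administrator is reviewing.
FALSE_POSITIVES = [
    ("/application", {"comment": "see the union select option in the menu"}),
    ("/application", {"comment": "price -- to be confirmed"}),
    ("/application/help", {"comment": "union select explained"}),
    ("/application", {"title": "union select"}),
]

# Constructed attack samples used to measure what a change would let through.
ATTACKS = [
    ("/application", {"comment": "' union select password from users --"}),
    ("/application", {"title": "1 union select 2"}),
    ("/application/help", {"comment": "1 union select 2"}),
]

# The five suggestion types from the table, as (exceptions, disabled rules).
SUGGESTIONS = {
    "rule exception, comment, /application": ([Exception_("comment", rule="SQL_UNION", path="/application")], set()),
    "rule exception, comment, whole mapping": ([Exception_("comment", rule="SQL_UNION")], set()),
    "group exception, comment, /application": ([Exception_("comment", group="SQL Injection", path="/application")], set()),
    "group exception, comment, whole mapping": ([Exception_("comment", group="SQL Injection")], set()),
    "disable deny rule SQL_UNION": ([], {"SQL_UNION"}),
}


def apply(suggestion: str, mode: str = "block") -> Mapping:
    exceptions, disabled = SUGGESTIONS[suggestion]
    return Mapping(RULES, mode, list(exceptions), set(disabled))


def blocks_covered(suggestion: str) -> int:
    """Reviewed blocks that would no longer occur after the change ('Blocks Covered')."""
    m = apply(suggestion)
    return sum(not m.evaluate(p, q)["blocked"] for p, q in FALSE_POSITIVES)


def attacks_let_through(suggestion: str) -> int:
    """Security cost: constructed attack samples that pass after the change."""
    m = apply(suggestion)
    return sum(not m.evaluate(p, q)["blocked"] for p, q in ATTACKS)


if __name__ == "__main__":
    for s in SUGGESTIONS:
        print(f"{s:42} covers {blocks_covered(s)} blocks, lets {attacks_let_through(s)} attacks through")
    print("log only:", Mapping(RULES, mode="log_only").evaluate(*ATTACKS[0]))
```

Running the script lists, per suggestion type, how many of the four reviewed blocks it would prevent and how many of the three constructed attacks it would now admit; the rule-level exception tied to the path prevents one block and admits nothing, while disabling the rule prevents three blocks but also admits two attacks. The last line shows the Log only verdict: the first attack sample is reported as violating with both SQL hits, yet `blocked` is false.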