This article illustrates the reason why WAF messages not coming under log viewer with WAF server configuration with protection policy type as in Monitor.
The Internal web / application server is published through WAF with Business Application rule behind the Sophos XG firewall.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall
The log lines displayed in normal operation are not coming from WAF service directly, they are written to the Apache logs by ModSecurity, a third party WAF component.
The WAF service only picks up the logs and sends them to the log viewer. These third party modules do not support monitor mode. So when you enable monitor mode and ModSecurity does not block the request, there is no log message written to the Apache logs as you would expect for other SFOS features.
Due to that reason if you will try to generate attack on WAF from external network, then under Log viewer logs will come but attack message will not.
Here, you can get the reverseproxy.log (advance shell logs) file from the device and analyze it offline to get some insights about the traffic going through WAF.
It is not easy to understand the logs, therefore get familiar with Learn about OWASP logs here.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.