Imperva Cyber Community

 View Only

Applied Policies, Disabled Rules and No Alerts - Fundamentals of WAF Gateway Pt 8

By Michael Gorelick posted 02-27-2023 06:11


In this blog post, we'll explore the topic of un-applied policies, disabled rules, and policies with no alerts. We'll discuss how they can affect your system's performance and why it's important to keep an eye on them. So, let's dive in!

Un-applied policies

Do not get executed

They will be downloaded to the gateway, but will not be associated with any service, and will never run, and they will not have any counters risen.

Applied policies with disabled rules

Create silent alerts

They still impact performance as if they were enabled.

However no alert is generated and profile learning can occur on that event - assuming there is not also an enabled policy triggered by the same event.

Example of Disabled Policy In UI: "Enabled" checkbox is not selected

In case there is an enabled policy triggered, then disabled policies will be included in the events XML sent to the MX by the GW.  This is an important detail because there is a limit of 100 Alerts per event and it is possible that silent policies can create 100 alerts. If this happens and an enabled policy also triggers, then the alert for it may be dropped due to the silent alerts. 

Therefore, if you have a case where it seems blocks are being executed with no alert:

    • Check for disabled policies

    • Check GWlog for "Received more than 100 alerts for event" messages

    • Check SG-level nzcounters for silent alert counters

* Last 2 options will be discussed in the next articles

You might find that the "silent" alerts are actually causing a regular alert to be dropped.


Applied policies with enabled rules but with "No Alert" for Severity

Similar to disabled policies, only they record the alert on the event, so there will be no profile learning and if another policy is triggered by the same event, we will see this violation under "additional violations" in the GUI.

You can create reports to check what all policies are applied and if they are enabled and disabled.

Go to Reports > Manage Reports > Configuration > Security policies:

In conclusion, un-applied policies, disabled rules, and policies with no alerts can all affect your system's performance in different ways. It's important to keep an eye on them and ensure that your policies are applied correctly to avoid any unwanted consequences. By doing so, you'll be able to keep your system running smoothly and efficiently.