
Passive Mode: Explained Please

passive mode learning WAF 660 Pre-Deployment Deployment Best Practice Appliance Exceptions Tuning

3 replies to this topic

#1 Chris Konicki

  • Members
  • 2 posts

Posted 26 April 2017 - 10:06 AM

Hello all,

I was wondering if anyone knows of any length of time that Passive Mode should be turned on? I have scoured admin guides, best practice guides, etc. and cannot seem to locate a recommended timeframe for a newly deployed site to run in passive/learning mode prior to going active. A follow-up question I have is: once all this data is ingested and patterns are identified by passive mode, how is that data handled by the appliance? Is it possible that malicious traffic (if witnessed often enough) could be considered permissible traffic? I just want to make sure that we're deploying new sites according to best practices and better understand the way that passive mode acquires and analyzes data going forward.

We're running 660 WAFs with the latest firmware 9.0.0.x

Thanks In Advance!



#2 Aravindan Anandan

  • Barracuda Team Members
  • 51 posts

Posted 27 April 2017 - 04:02 AM

Hello Chris,

Ideally, you need to move to active mode as quickly as possible. However, this has to be done after ensuring that the configuration is optimal both from security as well as traffic handling perspectives, and this is what decides how long the service should run in passive mode. One approach that you can consider taking is to configure trusted hosts in the WAF (Websites -> trusted hosts) and bind it to the service (edit the service to bind the Trusted host group). Start accessing the service hosting the website from the trusted IP address. This, by observing web firewall logs that match the trusted IP address, should help you to weed out any configuration flaws that may result in legitimate traffic getting blocked. In parallel, you can leverage the Barracuda Vulnerability Remediation Service (vrs.barracudanetworks.com) to run a scan on the service to pick up any security loopholes that may not have been addressed. After fixing these loopholes as well as fine-tuning configuration for the trusted hosts, you should be ready to move to active mode. To round off, you can schedule another scan from the BVRS or even make it a part of your operational process for securing your web applications.

If you need more assistance on how to get started with these, please feel free to connect with wafsupport_team@barracuda.com asap.
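The log review described in the reply above can be scripted. The following is an added example, not Barracuda code and not part of the original posts: the CSV columns (`client_ip`, `url`, `attack`), the rule labels and the trusted network are assumptions, not the appliance's real export format. It lists only would-be blocks seen from trusted hosts as tuning candidates, so frequent hits from untrusted sources never turn into an exception.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: addresses bound to the service as trusted hosts (documentation range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample: hypothetical CSV export of passive-mode firewall log entries.
SAMPLE_LOG = """client_ip,url,attack
192.0.2.5,/cart/update,param-length
192.0.2.5,/cart/update,param-length
192.0.2.6,/search,sql-injection
203.0.113.40,/search,sql-injection
203.0.113.40,/search,sql-injection
203.0.113.40,/search,sql-injection
198.51.100.9,/login,xss
not-an-ip,/login,xss
"""

def is_trusted(addr):
    """True only for a parseable address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(ip in net for net in TRUSTED_NETS)

def triage(log_text):
    """Count (url, attack) hits separately for trusted and untrusted sources."""
    trusted, untrusted = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["url"], row["attack"])
        (trusted if is_trusted(row["client_ip"]) else untrusted)[key] += 1
    return trusted, untrusted

def tuning_report(log_text):
    """Rules that fired on trusted traffic, with untrusted hits shown for context."""
    trusted, untrusted = triage(log_text)
    return [{"url": url, "attack": attack, "trusted_hits": hits,
             "untrusted_hits": untrusted.get((url, attack), 0)}
            for (url, attack), hits in trusted.most_common()]

if __name__ == "__main__":
    for entry in tuning_report(SAMPLE_LOG):
        print(entry)
```

An entry with a non-zero `untrusted_hits` value is one where any exception needs to be scoped narrowly, because the same rule is also firing on traffic that was not generated by the trusted hosts.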

 

 



#3 Chris Konicki

  • Members
  • 2 posts

Posted 01 May 2017 - 02:03 PM

Aravindan,

Thank you for your time and your prompt response. We will leverage these built-in assets. We are deploying a new site tomorrow. We'll use passive mode and some of the tactics you suggested to try and thin the line between security and ease of use. Does your response also mean that Barracuda does not have an official suggested timeframe?



#4 Aravindan Anandan

  • Barracuda Team Members
  • 51 posts

Posted 08 May 2017 - 12:57 AM

Chris,

Since the security tuning may differ from application to application, the time frame is decided by the complexity of the application and the overall testing. But I would state that a reasonable tuning can be achieved within a couple of days provided the logs are monitored for that purpose. We have enabled active mode for applications within the same day in many cases as well.






