Troubleshoot your Enforcer configuration
This guide addresses common issues that can cause your application to behave unexpectedly and are often related to your Enforcer’s configuration. It’s important to resolve these issues quickly to maintain your application’s security and performance. Use this document to troubleshoot and restore your Enforcer to its proper function.
You can use the following recommended steps to fix common Enforcer issues. If these don’t work or if you have further questions, reach out to HUMAN’s support team.
Prerequisites
- If you are updating the Enforcer via the console, then you need the appropriate permissions to access and update your Enforcer configuration. Remote configuration is supported by the following Enforcers:
- Akamai: v4.0.0 and up
- Cloudflare: v6.0.0 and up
- Cloudflare v5.x and below: v5.7.0 and up
- Fastly VCL: v10.0.0 and up
- Go: v5.0.0 and up
- If your Enforcer is not supported by remote configuration from the console, or if you need more information about your Enforcer’s configuration, reference your Enforcer’s appropriate documentation. For example, Cloudflare and Fastly each have their own configuration documentation.
Troubleshoot configuration issues
1. Verify that the Enforcer is enabled
The Enforcer’s module enabled configuration acts as the Enforcer’s on or off switch. If this configuration is set to false, then the Enforcer is disabled and won’t monitor or block traffic regardless of any other configurations that you’ve set.
When the module enabled configuration is set to false, then the Enforcer’s configurations will no longer update in the console. This means that you must verify this configuration directly from the Enforcer’s code.
To verify from the Enforcer:
- Check that
px_module_enabledconfiguration is set totrue. The formatting may vary slightly depending on your Enforcer. The example below is from Cloudflare. Be sure to reference your Enforcer’s appropriate documentation for proper implementation.
- Redeploy the Enforcer.
2. Verify if routes are being excluded
You can exclude certain routes from HUMAN detection, which means the Enforcer will never monitor or enforce any activity on these routes. You should check that the route you’d expect the Enforcer to mitigate on isn’t included in your exclusions.
We recommend that you verify directly from the HUMAN console. This lets you configure and update the Enforcer quickly without having to redeploy it. To check routes from the console:
- Navigate to Platform Settings > Configurations > Enforcers.
- Click on your Enforcer from the Enforcer Configurations page.
- Under the General Settings tab, click Coverage Exclusions.
- Verify that Exclude by Route does not have the route you want the Enforcer to mitigate on. Note that HUMAN accepts regex patterns for routes, so you may need to ensure a specific route does not match any given patterns.
If you’d prefer to verify from the Enforcer:
- Check that the
px_filter_by_routeconfiguration has the correct routes specified. The formatting may vary slightly depending on your Enforcer. The example below is from Cloudflare. Be sure to reference your Enforcer’s appropriate documentation for proper implementation.
- Redeploy the Enforcer.
3. Verify that the Enforcer’s mode is set to active blocking
The Enforcer’s module mode configuration determines whether the Enforcer actively blocks malicious traffic or if it simply monitors traffic without taking actions. You should check that the Enforcer’s mode is set to active blocking.
We recommend that you verify directly from the HUMAN console. This lets you configure and update the Enforcer quickly without having to redeploy it. To check that it’s active from the console:
- Navigate to Platform Settings > Configurations > Enforcers.
- Click on your Enforcer from the Enforcer Configurations page.
- Under the General Settings tab, click Basic Settings.
- Verify that Enforcer Enabled (px_module_enabled) is toggled on to Enabled.
If you’d prefer to verify from the Enforcer:
- Check that the
px_module_modeconfiguration is set toactive_blocking. The formatting may vary slightly depending on your Enforcer. The example below is from Cloudflare. Be sure to reference your Enforcer’s appropriate documentation for proper implementation.
- Redeploy the Enforcer.
4. Verify that routes are set to active blocking
You can set certain routes to operate in Simulated Block mode, which is where the Enforcer detected malicious traffic on that route, but did not actively block it. This behavior occurs for any route that’s specified for this configuration, even if the Enforcer is set to active blocking. You should check that the route you’d expect the Enforcer to mitigate on isn’t included in these routes.
We recommend that you verify directly from the HUMAN console. This lets you configure and update the Enforcer quickly without having to redeploy it. To check routes from the console:
- Navigate to Platform Settings > Configurations > Enforcers.
- Click on your Enforcer from the Enforcer Configurations page.
- Under the Application Protection tab, click Basic & Advanced Settings.
- Verify that Enforcer Mode > Mitigation mode settings > Routes to override mitigation mode does not include the route you want the Enforcer to mitigate on. Note that HUMAN accepts regex patterns for routes, so you may need to ensure a specific route does not match any given patterns.
If you’d prefer to verify from the Enforcer:
- Check that the
px_monitored_routesconfiguration has the correct routes specified. The formatting may vary slightly depending on your Enforcer. The example below is from Cloudflare. Be sure to reference your Enforcer’s appropriate documentation for proper implementation.
- Redeploy the Enforcer.
5. Contact support
If you tried all the other troubleshooting options and your Enforcer still does not behave as expected, reach out to HUMAN’s support team.
