PAM-controlled security events and response filters

The Protocol Analysis Module (PAM) controls X-Force® Virtual Patch® recommendations, which means that PAM controls many security events. PAM overrides settings that are configured for some security events in the Web Application Protection (WAP) policy. Use response filters to override PAM settings.

If you want to override WAP policy settings for security events that PAM controls, use the Response Filter page to create response filters for these events. The response filter overrides the PAM settings so that the WAP policy responds to activity according to the needs of your network. Find response filters in the Secure Protection Settings > Response Tuning section.

Important: You cannot change the WAP policy settings that PAM controls from the Web Application Protection page or from the Security Events page. You must use response filters.

Change block to ignore

The HTTP_Unknown_Protocol event parameter is configured to use the block response, but you want this event to use the ignore response. You go to the Security Events page and look for the HTTP_Unknown_Protocol parameter to change it, but it is not there. Go to the Response Filter page and create a response filter for the event name. Then, select the Ignore Events check box. The response filter setting overrides the PAM setting, and the HTTP_Unknown_Protocol event parameter now uses the ignore response.

Change enabled to disabled

The HTTP_Get_CreateTable parameter is enabled, but this parameter does not meet the needs of your network so you want to disable it. You go to the Security Events page and look for the HTTP_Get_CreateTable parameter to reconfigure it, but it is not there. Go to the Response Filter page and create a response filter for the event name. Then, clear the Enabled check box. The response filter setting overrides the PAM setting, and the HTTP_Get_CreateTable parameter is now disabled.

How to find the latest PAM-controlled WAP security events

  1. Go to Secure Protection Settings > Security Modules > Web Application Protection.
  2. Select any category on the Web Protection tab and click the Edit icon.
  3. Click Show Security Events to see a list of security events.