Difference between "Illegal" and "Blocked" request
I recently accepted all learning suggestions from a security policy after confirmation from the web app developer. We took the security policy out of staging and put it into transparent mode with the goal of reviewing policy violations in the logs after a week. I want to determine what violations in the logs would have been blocked if the security policy was not in transparent mode. I can see a bunch of violations that show up as "Illegal" but not "Blocked". I have a theory that because the security policy is in transparent mode, what would normally show up as "Blocked" will only show up as "Illegal". In other words, those same violations would show up as Blocked instead of Illegal if not in transparent mode. Does that sound accurate?
Please help me understand what "Illegal" means as opposed to "Blocked" in the Security Event Logs. Thanks!