Overview
Monarx ThreatShield is a fully managed service designed to keep your servers safe without requiring constant manual tuning. Because it is a managed service, our team can handle rule adjustments and false-positive mitigations for you.
If you notice a specific rule blocking a legitimate request, we highly recommend reaching out to Monarx Support first and submit a False Positive report so we can safely adjust the ruleset instead of disabling/overriding an existing rule.
However, we understand that emergencies happen. If you really need to implement an immediate temporary measure, you can use a RASP Override Rule in the Monarx WebApp UI.
Important Considerations Before You Begin
⚠️ Do Not Remove the Monarx Agent
Removing the Monarx agent from your server to stop blocks should be strictly avoided. Doing so breaks the critical communication link between the Monarx Cloud and the Monarx Protect extension, leaving your server completely cut off from future security updates.
Understanding How ThreatShield Works
The Monarx Protect Zend extension runs directly in the server's memory and it is what powers our ThreatShield service. Because of this:
Normal configuration changes sync automatically over a short period.
If you need a rule change to apply absolutely immediately to stop a critical block, you must reload or restart your PHP handlers and/or your webserver (depending on your setup: Apache, LiteSpeed, Nginx, etc.) to clear and refresh that memory space.
How to Apply a Temporary Override
Log in to the Monarx WebApp and navigate to your Runtime dashboard (see our Overview of Runtime Events.
Locate the specific event that you're investigating. You can use any of the filters available in this section such as URL, Client IP, Agent ID, etc. Once you find the event click on the event and the sidebar on your right will show specific details about the event.
On the right bar sidebar, next to the rule name, click on the three dots icon to get the pop-up with available actions. From there you will select the OVERRIDE RASP RULE ACTION option
The next step is to Add New (RASP Override) Rule. For this you will have 3 fields:
The specific Rule ID that you're targeting.
The Agent ID, this field is OPTIONAL, if you field the Agent ID with a legitimate value, this override rule will exclusively apply to that server only and won't be a company wide rule. If you want to create a company wide rule, do not fill this field.
Action, you will have three choices:
Log. This action will make the rule to log the incoming event without taking any action. But it allows you to keep visibility of the event for audit purposes.
Block. This action will block any incoming request that matches all parameters defined by this rule.
Ignore. This action will disregard any incoming request that matches all parameters defined by this rule. It will also disable the logging on our end for such events.
Propagation and Syncing Times
Once you save the updates in the Monarx WebApp, the new configuration naturally propagates across our network:
Standard Sync: It typically takes 5 to 10 minutes for the changes to automatically propagate to your server.
Emergency/Fast Track Method: If you cannot wait 5–10 minutes and need the block lifted immediately, you can manually force the extension to check in. To do this, perform the following restarts in order:
Restart the Monarx Agent
Restart/Reload your PHP Handlers & Webserver (e.g., Apache, LiteSpeed, or Nginx)
This forces the Monarx Protect extension to instantly call our cloud, retrieve the latest ruleset configuration, and apply your override in memory right away.
Need Assistance?
If you are unsure which rule is causing the issue, or if you want our security team to permanently and safely adjust your ruleset to prevent future false positives, please open a ticket with Monarx Support.