Troubleshooting

AppFirewall is powerful, but not necessarily plug and play as we discussed. Issues with AppFirewall arise in the form of applications failing when the feature is turned on.

Identifying application Firewall blocks

It is important to know how to tell if the application is failing because AppFirewall is blocking it. There are several ways to identify if this is the case:

  • Under the Profile settings, you can configure an error object that can be useful when a User calls in to the helpdesk with an application access issue caused by AppFirewall blocking the request:
    Identifying application Firewall blocks

    You can configure this text under Application Firewall | Profile | Profile Settings.

  • If you are looking at a trace taken on NetScaler or on the User's PC where a HTTP request is being reset, look for the window code. In the following screenshot, that window code is 9845:
    Identifying application Firewall blocks

    9845 means the reset has been sent because an AppFirewall protection policy has been triggered.

  • If you have set up your profile for troubleshooting that is, with the log option enabled for the protections that have been set to block, you should see a log entry every time a request is blocked. This entry is worth gold since it gives you a lot of important detail. Look at the following screenshot for an example:
    Identifying application Firewall blocks

    AppFirewall log entry displaying a number of useful details

    In the preceding screenshot, we have date and time in the local time zone, NSIP, which is useful if you are trying to parse logs based on NSIP, AppFirewall protection that is triggering the block, Client IP, AppFirewall profile hit that was triggered, URL, and keyword that triggered the block.

  • You can also use nsconmsg and grep for the counter as_err. It will help you identify what AppFirewall violations are seen as well as the rate. The command: nsconmsg –g as_err –d current:
    Identifying application Firewall blocks
  • The stat AppFirewall command will help you get a quick overview of what violations AppFirewall is seeing when enabled. This allows you to build a threat profile for your environment.
    Identifying application Firewall blocks

Users reporting XXXX patterns in web pages

AppFirewall is also capable of transforming and sometimes, removing content in the responses when it finds them unsafe, or in the case of credit card numbers, confidential:

Users reporting XXXX patterns in web pages

When you see unexpected XXXX where it should be, check the profile settings to see if any credit card protections have been configured. This has the potential to sometimes trigger false positives since a lot of numbers can resemble credit card numbers. You will need to configure exceptions for these.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.118.0.42