AppFirewall is powerful, but not necessarily plug and play, as we discussed. Issues with AppFirewall arise in the form of applications failing when the feature is turned on.
It is important to know how to tell whether an application is failing because AppFirewall is blocking it. There are several ways to identify whether this is the case:
You can configure this text under Application Firewall | Profile | Profile Settings.
A reset code of 9845 means the reset has been sent because an AppFirewall protection policy has been triggered.
In the preceding screenshot, we have the date and time in the local time zone; the NSIP, which is useful if you are trying to parse logs by NSIP; the AppFirewall protection that is triggering the block; the client IP; the AppFirewall profile that was hit; the URL; and the keyword that triggered the block.
Run nsconmsg and grep for the counter as_err. This will help you identify which AppFirewall violations are seen, as well as their rate. The command is: nsconmsg -g as_err -d current
The stat AppFirewall command will help you get a quick overview of what violations AppFirewall is seeing when enabled. This allows you to build a threat profile for your environment.

AppFirewall is also capable of transforming, and sometimes removing, content in responses when it finds it unsafe or, in the case of credit card numbers, confidential:
When you see an unexpected XXXX in a response where a number should be, check the profile settings to see whether any credit card protections have been configured. This has the potential to trigger false positives, since many numbers can resemble credit card numbers; you will need to configure exceptions for these.
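The syslog fields described above (time, NSIP, protection, client IP, profile, URL, message, action) can be pulled out and counted to answer both questions in this section: was a given request blocked by AppFirewall, and what does the violation mix (the threat profile) look like, including response-side credit card transforms. The following is an added example, not code from the original text or from NetScaler; the sample log lines are constructed to approximate the APPFW syslog layout, and the exact field order is an assumption to adjust against your own NSIP syslog output.

```python
import re
from collections import Counter

# Constructed sample lines approximating the NetScaler APPFW syslog layout
# (timestamp, NSIP, protection, client IP, profile, URL, message, action).
# The layout is an assumption, not copied from the original text.
SAMPLE_LOG = """\
Mar 03 10:15:01 <local0.info> 10.0.0.10 03/03/2016:10:15:01 GMT ns1 0-PPE-0 : default APPFW APPFW_STARTURL 101 0 :  192.0.2.5 12-PPE0 - prof_shop http://shop.example.test/admin.php Disallow Illegal URL: /admin.php <blocked>
Mar 03 10:15:02 <local0.info> 10.0.0.10 03/03/2016:10:15:02 GMT ns1 0-PPE-0 : default APPFW APPFW_SQL 102 0 :  192.0.2.7 13-PPE0 - prof_shop http://shop.example.test/search SQL Keyword check failed for field q="select" <blocked>
Mar 03 10:15:03 <local0.info> 10.0.0.10 03/03/2016:10:15:03 GMT ns1 0-PPE-0 : default APPFW APPFW_SAFECOMMERCE 103 0 :  192.0.2.9 14-PPE0 - prof_shop http://shop.example.test/orders Maximum number of potential credit card numbers seen <transformed>
Mar 03 10:15:04 <local0.info> 10.0.0.10 03/03/2016:10:15:04 GMT ns1 0-PPE-0 : default APPFW APPFW_STARTURL 104 0 :  192.0.2.5 15-PPE0 - prof_shop http://shop.example.test/login.php Disallow Illegal URL: /login.php <not blocked>
"""

# One regex for the assumed layout; lines from other modules (SSLVPN, etc.) do not match.
LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<nsip>\S+) \S+ \S+ \S+ \S+ : "
    r"default APPFW (?P<protection>APPFW_\w+) \d+ \d+ :\s+(?P<client_ip>\S+) \S+ - "
    r"(?P<profile>\S+) (?P<url>\S+) (?P<message>.*?) <(?P<action>[^>]+)>$"
)


def parse_appfw_line(line):
    """Return the named fields of one APPFW syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every APPFW line in a syslog excerpt, skipping unrelated lines."""
    return [e for e in (parse_appfw_line(l) for l in text.splitlines()) if e]


def violation_summary(events):
    """Count events per (profile, protection, action): the threat profile view."""
    return Counter((e["profile"], e["protection"], e["action"]) for e in events)


def blocked_by_appfw(events, client_ip, url):
    """True if AppFirewall logged a block for this client IP and URL."""
    return any(
        e["client_ip"] == client_ip and e["url"] == url and e["action"] == "blocked"
        for e in events
    )
```

A "transformed" action against APPFW_SAFECOMMERCE in the summary is the log-side counterpart of the XXXX masking described above, and is the first place to look before adding an exception.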