This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF totally broken after 9.204-20 update

Hi Guys,

I installed 9.204-20 tonight but have major problems with it. None of my WAF sites respond and the live log for WAF logs nothing at all when I hit those sites. Its as if nothing is configured anymore. I see it start the service but then it logs nothing else.

I was able to revert to my reserve node still running 9.203-3 by shutting down the upgraded node (I have a HA set up). Does anyone know how to downgrade the upgraded node or have any ideas on fixing WAF?

This thread was automatically locked due to age.

0 William Warren over 9 years ago

Hi Guys,

I installed 9.204-20 tonight but have major problems with it.  None of my WAF sites respond and the live log for WAF logs nothing at all when I hit those sites.  Its as if nothing is configured anymore.  I see it start the service but then it logs nothing else.

I was able to revert to my reserve node still running 9.203-3 by shutting down the upgraded node (I have a HA set up).  Does anyone know how to downgrade the upgraded node or have any ideas on fixing WAF?

reload from the previous version iso.  Start a ticket with support first though..let them get a look at things.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 NewImage over 9 years ago

I had a problem with my Websites too, they were no longer working in 9.203

I fixed it by
Webserver Protection -> Web Application Firewall -> Virtual Webserver -> Select the webserver

Then under advanced select Rewrite HTML, and cookies. That fixed it.
Cancel
Vote Up 0 Vote Down

Cancel
0 thedukeness over 9 years ago in reply to William Warren

Got it, I guess I'll have to reimage it. I would contact support but I only have the standard support contract which doesn't include anything but software updates. Actually I usually wait quite a while before updating but this one time I did it early because I experience the smtp call out ldap problem.

NewImage, I think my issue is probably different because I don't get any response at all from a curl against my websites.
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 9 years ago

Maybe applicable, new kb article: Workaround: WAF is not working correctly because of Common Threats Filter

Worth a shot.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 thedukeness over 9 years ago in reply to Scott_Klassen

Thanks Scott, that was indeed the fix
Cancel
Vote Up 0 Vote Down

Cancel
0 thedukeness over 9 years ago

Spoke too soon. I still have issues with 9.204. I took some web servers down for maintenance and WAF never offlined them. So the connection to the virtual server was constantly flapping. I tried the restart from the KB and now I get this error:

colo:/home/login # /var/mdw/scripts/reverseproxy restart
:: Restarting reverseproxy
AH00112: Warning: DocumentRoot [/var/www/REF_RevFroLive1Https] does not exist
Cancel
Vote Up 0 Vote Down

Cancel
0 thedukeness over 9 years ago

And I can't downgrade... I download ssi-9.201-25.1.iso but when I run the installer on my 220 it says UTM hardware not found.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 9 years ago

And I can't downgrade... I download ssi-9.201-25.1.iso but when I run the installer on my 220 it says UTM hardware not found.

Hi, the SSI image is only for hardware appliances... if you don't have an appliance you would use the 'software' version.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 thedukeness over 9 years ago in reply to BarryG

I do have two UTM 220s, forgot to mention.
Cancel
Vote Up 0 Vote Down

Cancel
0 traxxus_01 over 9 years ago

I have also problems with WAF since latest patch.

I got the following error:
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.000984 2014] [security2:notice] [pid 17425:tid 4147631808] ModSecurity for Apache/2.7.4 (ModSecurity: Open Source Web Application Firewall) configured.
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.001079 2014] [security2:notice] [pid 17425:tid 4147631808] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.001083 2014] [security2:notice] [pid 17425:tid 4147631808] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.001084 2014] [security2:notice] [pid 17425:tid 4147631808] ModSecurity: LIBXML compiled version="2.7.6"
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.021176 2014] [proxy_balancer:emerg] [pid 17429:tid 4147631808] (22)Invalid argument: AH01179: balancer slotmem_create failed
2014:07:26-20:49:57 fw reverseproxy: [Sat Jul 26 20:49:57.021189 2014] [:emerg] [pid 17429:tid 4147631808] AH00020: Configuration Failed, exiting

I have alread deleted everything in WAF und recreated, but the same error remains.

Solved:
Rebooted firewall and apply the workaround
Cancel
Vote Up 0 Vote Down

Cancel