New bug in WAF in UTM 9.506??

We have a lot of UTMs running with WAF, and all of a sudden, after upgrading to 9.506, I have seen this happen several times now. The only solution is to restart the UTM:

 

Users are seeing this:

WAF is functioning properly, and all of a sudden in the live log, this shows up (reverseproxy.log):

2018:02:05-07:44:33 fw01 httpd[5522]: Syntax OK
2018:02:05-07:44:35 fw01 httpd[5694]: [proxy_protocol:notice] [pid 5694:tid 4147713728] ProxyProtocol: disabled on 127.0.0.1:4080
2018:02:05-07:44:35 fw01 httpd[5694]: [security2:notice] [pid 5694:tid 4147713728] ModSecurity for Apache/2.7.4 (http://www.modsecurity.org/) configured.
2018:02:05-07:44:36 fw01 httpd[5815]: [proxy_protocol:notice] [pid 5815:tid 4147713728] ProxyProtocol: disabled on 127.0.0.1:4080
2018:02:05-07:44:36 fw01 httpd[5815]: [mpm_worker:notice] [pid 5815:tid 4147713728] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2018:02:05-07:44:36 fw01 httpd[5815]: [core:notice] [pid 5815:tid 4147713728] AH00094: Command line: '/usr/apache/bin/httpd'
2018:02:05-07:44:36 fw01 httpd[6033]: Started
2018:02:05-07:44:56 fw01 httpd[7402]: Restarting gracefully
2018:02:05-07:44:57 fw01 httpd[7410]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroB2bsikades] does not exist
2018:02:05-07:44:57 fw01 httpd[7410]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOwacanelin] does not exist
2018:02:05-07:44:57 fw01 httpd[7410]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWeb02hhtdo] does not exist
2018:02:05-07:44:57 fw01 httpd[7410]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroRdsgwcanel] does not exist
2018:02:05-07:44:57 fw01 httpd[7410]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroB2bcanelin] does not exist
2018:02:05-07:44:57 fw01 httpd[7410]: Syntax OK
2018:02:05-07:44:58 fw01 httpd[7754]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroB2bsikades] does not exist
2018:02:05-07:44:58 fw01 httpd[7754]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOwacanelin] does not exist
2018:02:05-07:44:59 fw01 httpd[7754]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWeb02hhtdo] does not exist
2018:02:05-07:44:59 fw01 httpd[7754]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroRdsgwcanel] does not exist
2018:02:05-07:44:59 fw01 httpd[7754]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroB2bcanelin] does not exist
2018:02:05-07:44:59 fw01 httpd[5815]: [mpm_worker:notice] [pid 5815:tid 4147713728] AH00297: SIGUSR1 received. Doing graceful restart
2018:02:05-07:45:00 fw01 httpd[5815]: [proxy_protocol:notice] [pid 5815:tid 4147713728] ProxyProtocol: disabled on 127.0.0.1:4080
2018:02:05-07:45:00 fw01 httpd[5815]: [mpm_worker:notice] [pid 5815:tid 4147713728] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2018:02:05-07:45:00 fw01 httpd[5815]: [core:notice] [pid 5815:tid 4147713728] AH00094: Command line: '/usr/apache/bin/httpd'
2018:02:05-07:45:00 fw01 httpd[5815]: [mpm_worker:warn] [pid 5815:tid 4147713728] AH00291: long lost child came home! (pid 5817)
2018:02:05-07:45:00 fw01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="4673" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1375" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="Wnf9bKwQZAEAAB6ZtEsAAABt"
2018:02:05-07:45:00 fw01 httpd[7891]: Restarted
2018:02:05-07:45:12 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4029184880] (111)Connection refused: [client X.X.X.X:7244] cannot connect to cssd
2018:02:05-07:45:12 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4029184880] [client X.X.X.X:7244] [8217] virus daemon connection problem found in request /Microsoft-Server-ActiveSync
2018:02:05-07:45:12 fw01 httpd[8217]: [avscan:notice] [pid 8217:tid 4029184880] [client X.X.X.X:7244] mod_avscan_input_filter: virus found or MIME type blocked
2018:02:05-07:45:12 fw01 httpd[8217]: [proxy_http:error] [pid 8217:tid 4029184880] (13)Permission denied: [client X.X.X.X:7244] AH01095: prefetch request body failed to X.X.X.X:443 (X.X.X.X) from X.X.X.X ()
2018:02:05-07:45:12 fw01 httpd: id="0299" srcip="X.X.X.X" localip="X.X.X.X" size="341" user="-" host="X.X.X.X" method="POST" statuscode="400" reason="av" extra="virus daemon connection problem found" exceptions="-" time="3975" url="/Microsoft-Server-ActiveSync" server="owa.domain.com" port="443" query="?User=jaa&DeviceId=JE0B206F9H1CD3VF793EMUBJLG&DeviceType=iPhone&Cmd=Ping" referer="-" cookie="X-BackEndCookie=S-1-5-21-1878019524-993544238-3888453730-4208=u56Lnp2ejJqBmcjKxp3Nx8jSyczMztLLyM3J0p6dy8nSmc7JmpubmsabzsfLgYHNz87H0s/M0s/Iq8/JxcvOxc/P; ClientId=VOLSJKTV0BYJFMBYQW" set-cookie="-" uid="Wnf9eKwQZAEAACAZX5UAAAAM"
2018:02:05-07:45:20 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4012399472] (111)Connection refused: [client X.X.X.X:49002] cannot connect to cssd, referer: b2b.domain.com/.../
2018:02:05-07:45:20 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4012399472] [client X.X.X.X:49002] [8217] virus daemon connection problem found in request /systempages/infoscreen/, referer: b2b.domain.com/.../
2018:02:05-07:45:20 fw01 httpd: id="0299" srcip="X.X.X.X" localip="X.X.X.X" size="209" user="-" host="X.X.X.X" method="GET" statuscode="403" reason="av" extra="virus daemon connection problem found" exceptions="-" time="3633271" url="/systempages/infoscreen/" server="b2b.domain.com" port="80" query="?hash=sumaWanEsPace@8zU64epRuy7pha5a3t&company=SIK" referer="b2b.domain.com/.../ cookie="ses=c85d2c8dc3d64c82ba4a87ec37a6ec29; sec=Xa5t6WYr2f3MAn8p7L9SkNb47; stats=lastvisitdt=636523766348646375&hits=1&ucgid=fc622ebd84af4a058254786e4dd367a4" set-cookie="-" uid="Wnf9fawQZAEAACAZX5YAAAAO"
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 3995614064] (111)Connection refused: [client X.X.X.X:28744] cannot connect to cssd
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 3995614064] [client X.X.X.X:28744] [8217] virus daemon connection problem found in request /Microsoft-Server-ActiveSync
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:notice] [pid 8217:tid 3995614064] [client X.X.X.X:28744] mod_avscan_input_filter: virus found or MIME type blocked
2018:02:05-07:45:26 fw01 httpd[8217]: [proxy_http:error] [pid 8217:tid 3995614064] (13)Permission denied: [client X.X.X.X:28744] AH01095: prefetch request body failed to X.X.X.X:443 (X.X.X.X) from X.X.X.X ()
2018:02:05-07:45:26 fw01 httpd: id="0299" srcip="X.X.X.X" localip="93.184.197.28" size="341" user="-" host="X.X.X.X" method="POST" statuscode="400" reason="av" extra="virus daemon connection problem found" exceptions="-" time="1203" url="/Microsoft-Server-ActiveSync" server="owa.domain.com" port="443" query="?User=psl&DeviceId=L323TRJ5SD7498FSQ076EJJLAO&DeviceType=iPhone&Cmd=Sync" referer="-" cookie="X-BackEndCookie=S-1-5-21-1878019524-993544238-3888453730-3157=u56Lnp2ejJqBmcjKxp3Nx8jSyczMztLLyM3J0p6dy8nSmc7JmpubmsabzsfLgYHNz87H0s/M0s/Iq8/Jxc/NxcrH; ClientId=DLGWMTUEUOOACAF9LW" set-cookie="-" uid="Wnf9hqwQZAEAACAZX5cAAAAQ"
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 3978828656] (111)Connection refused: [client X.X.X.X:3433] cannot connect to cssd
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 3978828656] [client X.X.X.X:3433] [8217] virus daemon connection problem found in request /Microsoft-Server-ActiveSync
2018:02:05-07:45:26 fw01 httpd[8217]: [avscan:notice] [pid 8217:tid 3978828656] [client X.X.X.X:3433] mod_avscan_input_filter: virus found or MIME type blocked
2018:02:05-07:45:26 fw01 httpd[8217]: [proxy_http:error] [pid 8217:tid 3978828656] (13)Permission denied: [client X.X.X.X:3433] AH01095: prefetch request body failed to X.X.X.X:443 (X.X.X.X) from X.X.X.X ()

 

Fallback log:

2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf49586a8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db5d8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf49586a8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf49586a8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db5d8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db5d8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db5d8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf4958028] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:40:16 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [B91EEE8A-2FE1-4513-9C4D-E07B76493BD6@unggulgroup.com] : creating new id
2018:02:05-03:42:22 fw01 [daemon:info] dhcp_updown[24610]:  eth3 - reason:RENEW
2018:02:05-03:42:22 fw01 [daemon:info] dhcp_updown[24610]:  dhcp_updown: No IPv4 address change, exiting
2018:02:05-03:46:03 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [5D053F45-93E5-4F46-AD1A-F033C40839E2@unggulgroup.com] : creating new id
2018:02:05-03:46:03 fw01 [daemon:info] cssd[8507]:  [0xf4958028] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [5D053F45-93E5-4F46-AD1A-F033C40839E2@unggulgroup.com] : creating new id
2018:02:05-03:50:51 fw01 [daemon:info] cssd[8507]:  [0xf36db5d8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [E28A1BFF-B233-4282-9BFB-FEF047124FE8@unggulgroup.com] : creating new id
2018:02:05-03:52:48 fw01 [daemon:info] nwd[4786]:  Waiting for MDW cycle to end
2018:02:05-04:01:53 fw01 [daemon:info] nwd[4786]:  Waiting for MDW cycle to end
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf4958cc0] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf495bbf8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf49586a8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf49586a8] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:08:26 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496fc70] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496bb60] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf496bb60] scan_part (saviscanner.c:462) Failed to create temp file : err'File exists' , message id [000001d39e2e$8f202890$ad6079b0$@com] : creating new id
2018:02:05-04:10:45 fw01 [daemon:info] cssd[8507]:  [0xf36db548] scan_part (saviscanner.c:462) Failed to create temp 

Anyone seen this?
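Added example (not part of the original post): a small triage script for reverseproxy.log that counts the "cannot connect to cssd" errors and groups the requests rejected with reason="av" and extra="virus daemon connection problem found" by virtual host and URL, keeping them apart from any other AV blocks. The sample lines are constructed in the format of the excerpt above, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the reverseproxy.log excerpt above
# (addresses redacted as in the post, long query/cookie fields left out).
SAMPLE_LOG = """\
2018:02:05-07:45:00 fw01 httpd[7891]: Restarted
2018:02:05-07:45:12 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4029184880] (111)Connection refused: [client X.X.X.X:7244] cannot connect to cssd
2018:02:05-07:45:12 fw01 httpd: id="0299" srcip="X.X.X.X" method="POST" statuscode="400" reason="av" extra="virus daemon connection problem found" url="/Microsoft-Server-ActiveSync" server="owa.domain.com" port="443"
2018:02:05-07:45:20 fw01 httpd[8217]: [avscan:error] [pid 8217:tid 4012399472] (111)Connection refused: [client X.X.X.X:49002] cannot connect to cssd
2018:02:05-07:45:20 fw01 httpd: id="0299" srcip="X.X.X.X" method="GET" statuscode="403" reason="av" extra="virus daemon connection problem found" url="/systempages/infoscreen/" server="b2b.domain.com" port="80"
2018:02:05-07:45:21 fw01 httpd: id="0299" srcip="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" url="/status" server="localhost" port="80"
"""

KV = re.compile(r'(\w[\w-]*)="([^"]*)"')          # key="value" pairs of an access line
CSSD_DOWN = "cannot connect to cssd"               # avscan error text from the excerpt
SCANNER_FAULT = "virus daemon connection problem found"  # extra= value from the excerpt


def parse_access(line):
    """Return the key="value" fields of an access-log line, or None for httpd notices."""
    if ' httpd: id="' not in line:
        return None
    return dict(KV.findall(line))


def triage(log_text):
    """Split AV rejections into scanner-unreachable blocks and all other AV blocks."""
    result = {"cssd_refused": 0, "first_fault": None,
              "scanner_fault_blocks": Counter(), "other_av_blocks": Counter()}
    for line in log_text.splitlines():
        timestamp = line.split(" ", 1)[0]
        if CSSD_DOWN in line:
            result["cssd_refused"] += 1
            result["first_fault"] = result["first_fault"] or timestamp
            continue
        fields = parse_access(line)
        if not fields or fields.get("reason") != "av":
            continue  # httpd notice, or a request that was not rejected by the AV filter
        fault = fields.get("extra") == SCANNER_FAULT
        bucket = "scanner_fault_blocks" if fault else "other_av_blocks"
        result[bucket][(fields.get("server"), fields.get("url"))] += 1
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("cssd connection refusals:", report["cssd_refused"], "since", report["first_fault"])
    for (server, url), count in report["scanner_fault_blocks"].items():
        print(f"blocked while scanner unreachable: {server}{url} x{count}")
```

The first_fault timestamp gives a starting point for correlating with the cssd entries in the fallback log.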



