
Webserver Protection log for Protocol Enforcement

I have a website behind Webserver Protection on a virtual XG 18.5.1-326

One page on the website creates an error that leads to a blocking of the next page.

The only way to unblock it is by creating an exception for the relevant path for the "Protocol enforcement"

My problem is that finding the solution was a trial-and-error procedure.

The reverseproxy.log does not show any entry for this error.

Are there other log files for the different rules in "Protection policies" that can show me where the error really lies?

  • Hello!

    Protocol Enforcement's error messages do show up in reverseproxy.log; here's an example of how it looks:

    [Mon Oct 18 10:09:58.504231 2021] [security2:error] [pid 25571:tid 139721485133568] [client 10.0.0.10:57216] [client 10.0.0.10] ModSecurity: Warning. Pattern match "%[0-9a-fA-F]{2}" at ARGS:cursor. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1142"] [id "920230"] [msg "Multiple URL Encoding Detected"] [data "###"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [tag "paranoia-level/2"] [hostname "###"] [uri "###"] [unique_id "YW1yJn@TM9NGFzguUaR2ygAAAGM"]

    What filter strength are you applying on the protection policies?

    Level 2 and Level 3 have the same (all-around) protection; the difference between them is how protocol enforcement is applied. If you're using a Level 3 filter strength, consider lowering it to Level 2 before creating exemptions.



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
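An added example in Python, not code from the thread or from Sophos: it parses a reverseproxy.log line like the one quoted above into the fields needed for triage (rule id, message, target argument, client, paranoia level), and includes a check mirroring why CRS rule 920230 fires. It assumes, as the CRS does, that ARGS are URL-decoded once by the engine before the rule runs, so any %XX left over indicates double encoding; the sample log line and argument values are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample: the ModSecurity warning quoted in the reply above, with the
# redacted fields kept as "###".
SAMPLE_LOG = (
    '[Mon Oct 18 10:09:58.504231 2021] [security2:error] [pid 25571:tid 139721485133568] '
    '[client 10.0.0.10:57216] [client 10.0.0.10] ModSecurity: Warning. Pattern match '
    '"%[0-9a-fA-F]{2}" at ARGS:cursor. [file "/usr/apache/conf/waf/rules/'
    'REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1142"] [id "920230"] '
    '[msg "Multiple URL Encoding Detected"] [data "###"] [severity "WARNING"] '
    '[ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] '
    '[tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] '
    '[tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [tag "paranoia-level/2"] '
    '[hostname "###"] [uri "###"] [unique_id "YW1yJn@TM9NGFzguUaR2ygAAAGM"]'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([\d.]+):\d+\]')     # first [client ip:port]
TARGET_RE = re.compile(r'Pattern match "(?P<pattern>[^"]+)" at (?P<target>\S+)\.')
DOUBLE_ENC_RE = re.compile(r"%[0-9a-fA-F]{2}")         # the pattern 920230 uses


def parse_modsec_line(line):
    """Return the fields an admin needs to decide which path/rule to exempt."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    fields["tags"] = tags
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)   # note: may be a proxy, not the real visitor
    m = TARGET_RE.search(line)
    if m:
        fields["pattern"] = m.group("pattern")
        fields["target"] = m.group("target")   # e.g. ARGS:cursor
    pl = [t for t in tags if t.startswith("paranoia-level/")]
    fields["paranoia_level"] = int(pl[0].split("/")[1]) if pl else None
    return fields


def looks_double_encoded(raw_arg_value):
    """Mirror 920230: the engine decodes ARGS once, so a %XX that survives one
    decoding pass means the application encoded the value twice."""
    return bool(DOUBLE_ENC_RE.search(unquote(raw_arg_value)))
```

A pagination cursor whose "=" padding is sent as %253D (encoded twice) trips the rule, while %3D (encoded once) does not, which is the kind of application-side bug to fix before widening the exemption.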

  • We have Level 2
    I have found the errors. Due to a special configuration of the customer's system the "Client" IP address in the Log is different from the real IP address of the person opening the website. 
    That's why I was not able to find the errors.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner