I am on 18.5 MR2 Build 380.
Every time I reboot the firewall, the WAF is not starting. In reverseproxy.log these same lines appear every couple of seconds:
[Fri Jan 28 16:02:27.194845 2022] [core:warn] [pid 17313:tid 139992993545088] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
AH00112: Warning: DocumentRoot [/sdisk/waffiles/d4ccc5ed9becf385efd9ba9b1f2091e7] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/44502cdd091cd7e7fc982c40b77d04a8] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/8e2dcfd7e7e24b1ca76c1193f645902b] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/21b72c0b7adc5c7b4a50ffcb90d92dd6] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/9a3c5f2e7b4cac8047ff8b0eda2fd680] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/a511102ede5324bb4b637310963a9414] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/43d400c215702e62cdcbb687a0e6b755] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/bdda8e6a9dcfc3221e683593e494f550] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/eaf6d735fd2e60ca3d293a82fb0e1adf] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/e91c73fb45b136ce1d8dec3c500d3ad0] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/a17b4e9c956a70522b3807c4b4b11eb7] does not exist
AH00112: Warning: DocumentRoot [/sdisk/waffiles/5b5a35f45f655ad8da684f4c2b69bd4d] does not exist
AH00526: Syntax error on line 990 of /cfs/waf/reverseproxy.conf:
Invalid encrypted key
The line number hints at a WAF rule, and my workaround to get it working is to change the advanced setting "Protection Policy" to "none".
I have 5 rules out of 18 where I need to do this; WAF won't start properly until those 5 rules are changed to protection policy "none".
WAF is then automatically starting properly and serving web pages.
And now the strange thing: once I apply the original protection policies to those 5 rules again, it keeps working. But only until the next reboot.
The same happens if I restore a backup. I have to undergo the same process.
Where can I look to investigate further? The rules and the policies affected are very different; I can't figure out a common denominator.