
WAF anomaly

Hello everyone.

I have enabled a WAF protection policy on my website.

And now I have some WAF anomalies.

The problem is I can't find the reason for the anomaly.

Here is the log that I have in the log viewer :

2022-06-18 12:00:41 Web server protection messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="xxxxxxxx.xx" src_ip="XX.XX.XX.XX" local_ip="XX.XX.XX.XX" protocol="HTTP/1.1" url="/Account/Login" query_string="" cookie=".AspNetCore.Antiforgery.5C72YkdQ8=CfDJ8H6OqtRk5mFNgR29thUJp93cVi1QP3HZq3pGUzYVcpGakMlIQ; HASH_.AspNetCore.Antiforgery.C72YkdQ8=33980a352d756b691cb3465e67119; expires=Thu, 01 Jan 1970 00:00:00 GMT" referer="https://xxxxxxxxxxxx.xx/xxx" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36" response_time="7297" bytes_sent="582" bytes_received="3680" fw_rule_id="26"

How can I determine the origin of the issue ?

Kind regards



  • Hi Service Informatique2,

    Please check the below steps and share the output:

    • Check that the WAF is running: # service WAF:status -ds nosync
    • Do a manual restart of WAF: # service WAF:restart -ds nosync
    • Record the error messages in the logs if reverseproxy cannot start.
    • Check if the network socket is created for the WAF (netstat -natup | grep httpd).
    • Verify that no other service is running on Port 80 or 443 in the UTM.
    • Check if the WAF is running correctly on Port 80: # netstat -natup | grep :80
    • Check that the service is running: # service WAF:status -ds nosync
    • Start/Restart/Stop: # service WAF:<start/restart/stop> -ds nosync
    • View Live Log: # tail -f /log/reverseproxy.log

    Thanks and regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello, thanks for your support.

    WAF is running well.

    I can't restart WAF because we are in a production environment and so I can't have any downtime.

    WAF is running correctly on Port 80.

    And I have many many logs in reverseproxy.log

    I've downloaded a copy of reverseproxy.log to see if I have more information about the false positive WAF anomaly.
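
Added example (not part of the thread and not Sophos code): one way to trace the 403 on /Account/Login back to the rules that raised the anomaly score, run offline against the downloaded copy of reverseproxy.log. It assumes the file holds ModSecurity entries in the usual Apache error-log form with [id "..."], [msg "..."], [uri "..."] and [unique_id "..."] tags; the sample lines, rule ids and the function name are constructed.

```python
import re
from collections import Counter, defaultdict

# ModSecurity metadata tags look like [key "value"] (assumed log format).
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')
# Text of the blocking summary, as seen in the extra= field of the log viewer.
SUMMARY = "Inbound Anomaly Score Exceeded"

# Constructed sample lines; rule ids and messages are placeholders.
SAMPLE_LOG = """
[Sat Jun 18 12:00:41 2022] [security2:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match at ARGS:Password. [id "111111"] [msg "Constructed example rule"] [uri "/Account/Login"] [unique_id "REQ-A"]
[Sat Jun 18 12:00:41 2022] [security2:error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "222222"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/Account/Login"] [unique_id "REQ-A"]
[Sat Jun 18 12:03:02 2022] [security2:error] [client 192.0.2.11] ModSecurity: Warning. Pattern match at ARGS:q. [id "333333"] [msg "Constructed unrelated rule"] [uri "/Home"] [unique_id "REQ-B"]
[Sat Jun 18 12:05:10 2022] [security2:error] [client 192.0.2.12] ModSecurity: Warning. Pattern match at ARGS:Password. [id "111111"] [msg "Constructed example rule"] [uri "/Account/Login"] [unique_id "REQ-C"]
"""


def contributing_rules(log_text, uri):
    """Count the rules that fired in requests to `uri` that were blocked on score.

    The summary entry itself is skipped: it reports the block, not its cause.
    """
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        tags = dict(TAG.findall(line))
        if tags.get("uri") == uri and "id" in tags and "unique_id" in tags:
            by_request[tags["unique_id"]].append(tags)

    counts = Counter()
    for entries in by_request.values():
        # Keep only requests that ended in the anomaly-score block.
        if not any(e.get("msg", "").startswith(SUMMARY) for e in entries):
            continue
        for e in entries:
            if not e.get("msg", "").startswith(SUMMARY):
                counts[(e["id"], e.get("msg", ""))] += 1
    return counts


if __name__ == "__main__":
    hits = contributing_rules(SAMPLE_LOG, "/Account/Login")
    for (rule_id, msg), n in hits.most_common():
        print(f"{n:4d}  id={rule_id}  {msg}")
```

To use it on the real file, read the downloaded log into a string and pass it in place of SAMPLE_LOG; the ids it reports are the candidates to review for a false positive.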