We are running a UTM220 and protecting a single web server which runs customer and sales portals as well as our company website. Everything is written ASP.NET. Firmware version is 9.204-20. I'm aware of the WAF issue in this release and am following the workaround (disable XSS Attacks, turn on the WAF, then re-enable XXS Attacks).
When anyone access our portals (which are highly interactive) the performance is degraded quite a bit. I have looked at the live log and can see that a ton of warnings and errors are being generated. The sites function properly and all the interactive features are working, but I am concerned about the performance hit and the fact that the WAF thinks these are genuine attacks.
I am currently only skipping a single rule (981176), but I would have to add 14 or 15 more rules to stop all the false positives. Is this normal? Would bypassing these additional rules improve the performance? Any other suggestions for dealing with this excessive logging and the associated performance hit? I am attaching a snippet of my live log that was filtered to my IP and I only visited 3 pages.
Thanks for any help!
Dave
This thread was automatically locked due to age.
