AppFirewall is powerful, but not necessarily plug and play as we discussed. Issues with AppFirewall arise in the form of applications failing when the feature is turned on.
It is important to know how to tell if the application is failing because AppFirewall is blocking it. There are several ways to identify if this is the case:
- Under the Profile settings, you can configure an error object that can be useful when a User calls in to the helpdesk with an application access issue caused by AppFirewall blocking the request:
You can configure this text under Application Firewall | Profile | Profile Settings.
- If you are looking at a trace taken on NetScaler or on the User's PC where a HTTP request is being reset, look for the window code. In the following screenshot, that window code is
9845:
9845means the reset has been sent because an AppFirewall protection policy has been triggered. - If you have set up your profile for troubleshooting that is, with the log option enabled for the protections that have been set to block, you should see a log entry every time a request is blocked. This entry is worth gold since it gives you a lot of important detail. Look at the following screenshot for an example:
AppFirewall log entry displaying a number of useful details
In the preceding screenshot, we have date and time in the local time zone, NSIP, which is useful if you are trying to parse logs based on NSIP, AppFirewall protection that is triggering the block, Client IP, AppFirewall profile hit that was triggered, URL, and keyword that triggered the block.
- You can also use
nsconmsgandgrepfor the counteras_err. It will help you identify what AppFirewall violations are seen as well as the rate. The command:nsconmsg –g as_err –d current:
- The
stat AppFirewallcommand will help you get a quick overview of what violations AppFirewall is seeing when enabled. This allows you to build a threat profile for your environment.
AppFirewall is also capable of transforming and sometimes, removing content in the responses when it finds them unsafe, or in the case of credit card numbers, confidential:
When you see unexpected XXXX where it should be, check the profile settings to see if any credit card protections have been configured. This has the potential to sometimes trigger false positives since a lot of numbers can resemble credit card numbers. You will need to configure exceptions for these.