Ease of troubleshooting with Web Application Firewall logs

During a security attack, detailed WAF logs from the appliance are essential for troubleshooting. To capture them, configure the “VerboseLogLevel” parameter on an Application Firewall profile.

Consider web traffic that contains a security attack. When the appliance receives the traffic, violation details such as HTTP header details, the log pattern, and pattern payload information are logged and sent to the ADM server. The ADM server monitors the detailed logs and displays them on the Security Insight page for monitoring and tracking purposes.

Configuring verbose log level by using the command interface

To capture detailed WAF logs, type the following command at the command interface:

set appfw profile <profile_name> -VerboseLogLevel (pattern|patternPayload|patternPayloadHeader)

Example

set appfw profile profile1 -VerboseLogLevel patternPayloadHeader

The available log levels are:

  1. Pattern. Logs only the violation pattern.
  2. Pattern payload. Logs the violation pattern and 150 bytes of extra field element payload.
  3. Pattern payload header. Logs the violation pattern, 150 bytes of extra field element payload, and HTTP header information.
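
To confirm which profiles actually log enough detail for an investigation, the following added example (not Citrix code) audits saved configuration text for the VerboseLogLevel of each profile. It assumes profiles appear as "add appfw profile" and "set appfw profile" lines with unquoted names; the function name and sample configuration are constructed for illustration.

```python
import re

# Levels named on this page, ordered from least to most detail.
LEVELS = ["pattern", "patternPayload", "patternPayloadHeader"]

# Assumption: profiles appear as "add appfw profile <name> ..." and
# "set appfw profile <name> ..." lines, with names that contain no spaces.
PROFILE_RE = re.compile(r"^\s*(?:add|set)\s+appfw\s+profile\s+(\S+)(.*)$", re.I)
LEVEL_RE = re.compile(r"-VerboseLogLevel\s+(\S+)", re.I)


def audit_verbose_log_level(config_text, required="patternPayloadHeader"):
    """Return {profile: (level or None, meets_required)} for every profile."""
    canonical = {lvl.lower(): lvl for lvl in LEVELS}
    found = {}
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        found.setdefault(name, None)
        lvl = LEVEL_RE.search(rest)
        if lvl:
            # Later lines override earlier ones; unknown values are kept
            # verbatim so they show up in the report as failing.
            found[name] = canonical.get(lvl.group(1).lower(), lvl.group(1))
    report = {}
    for name, level in found.items():
        ok = level in LEVELS and LEVELS.index(level) >= LEVELS.index(required)
        report[name] = (level, ok)
    return report


# Constructed sample configuration (not taken from a real appliance).
SAMPLE_CONFIG = """\
add appfw profile profile1
add appfw profile profile2
add appfw profile profile3
set appfw profile profile1 -VerboseLogLevel patternPayloadHeader
set appfw profile profile2 -VerboseLogLevel pattern
"""

if __name__ == "__main__":
    for name, (level, ok) in audit_verbose_log_level(SAMPLE_CONFIG).items():
        status = "OK" if ok else "REVIEW"
        print(f"{name}: {level or 'not set explicitly'} -> {status}")
```

Profiles reported as REVIEW either have no explicit level in the text or log less detail than the level passed as `required`.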

Configuring verbose log level by using the Citrix ADC GUI

Follow the procedure below to configure the verbose log level in the WAF profile.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Profile Settings under Advanced Settings.
  4. In the Profile Settings section, select the detailed WAF log level in the Verbose Log Level field.
  5. Click OK and Done.

    Verbose log level configuration