- PCRE Character Encoding Format
- Whitehat WASC Signature Types for WAF Use
- Streaming Support for Request Processing
- Trace HTML Requests with Security Logs
- Application Firewall Support for Cluster Configurations
Troubleshooting a problem, which requires analysis of data received in the client request can be quite challenging specially when there is heavy traffic flowing through the box. Diagnosing issues which may affect the functionality or security of the application require a quick response.
The NetScaler now offers the option to isolate traffic for a specific application firewall profile and collect nstrace for the HTML requests that trigger a log or block action or malformed requests that might be causing reset or aborts. The nstrace collected in –appfw mode will include details of the entire request including the application firewall generated log messages. You can use “Follow TCP stream” in the trace to view the details of the individual transaction including headers, payload, as well as the corresponding log message, together in the same screen.
This gives you a comprehensive overview regarding your traffic. Having a detailed view of the request, payload, and associated log records can be very useful to analyze security check violation. You can easily identify the pattern that is triggering the violation. If the pattern should be allowed, you can take a decision to modify the configuration and/or add a relaxation rule.
Please see any task topic in eDocs for documenting tasks. http://support.citrix.com/proddocs/topic/ns-security-10-5-map/appfw-config-manual-cli-tsk.html
To configure debug tracing for a profile by using the command line interface
Location of the trace: The nstrace is stored in a time-stamped folder which is created in the /var/nstrace directory and can be viewed using wireshark. You can tail the /var/log/ns.log to see the log messages providing details regarding the location of the new trace.
"start nstrace -tcpdump enabled -size 0 -mode appFW"
Example of a Log record in the trace: