I'm trying to find out if anyone else runs into the same issue I do.
Certain websites do not load for my customers due to the Application Defense inspection that occurs on the appliance. From my understanding the application defense checks for malformed headers. I spoke with support about it and their only resolution is to create a rule for the particular website in question and turn off application defense. You can't just turn it off completely because for most websites if it is off it messes with the content. Support indicated they do not have any lists of websites that need this rule created and so far the only way I can troubleshoot this issue is by remoting into my home computer and trying the URL on my home network; this obviously is not a proper way to be troubleshooting.
If anyone else experiences this issue could they shed some light on how they handle it? Is there any way to set up an alert so when the application defense blocks a particular website I can be notified? And if you do experience this issue what are some of the URLs that you have had problems with?
I have around 40,000 users and I'm sure not all of them report these issues to me.
Before creating special ACLs for these websites I'd first try and set the "Relax Protocol Enforcement" option accordingly (that resolved about 95% of the problems for me).
If you have an upstream proxy configured that might be another possible problem. Especially the combination of Smartfilter and Squid sometimes completely messes up things that worked before (disabling Squid solved that so I assume the problem is due to bugs in Squid).
Regarding websites: I've had these problems with quite a few websites (including popular ones like Facebook and Microsoft) but don't remember the exact URLs.
I can't believe support doesn't have a list, but maybe they aren't using Sidewinders or have AppDefense turned off.
I have SmartFilter and relaxed enforcement off and upstream proxy enabled. This is not my core firewall; this firewall basically takes any 80 and 443 traffic and redirects it to the web gateway where all the content filtering is done before it heads out to the internet.
You can see Application Defense violation audits with this filter:
$> acat -e "category appdef_violation"
If you have a certain rule you want to watch for app. defense violations on, you can add the rule_name into the filter:
$> acat -e "category appdef_violation and rule_name 'Internet Services'"
(you need single-quotes around a rule name if it has a space)
Here's the kicker: these filters are on a firewall by default; you can already use them to alert you if an app. defense violation happens.
- Go to Monitor -> IPS Attack Responses.
- Click 'New'. This launches the 'Attack Response Wizard,' which you can use to create a response (an alert) to an action (an audit message, basically).
- Give it a name.
- Now you have choices for the type of 'Attack' (policy violation) you want to alert on.
- You have two choices for app. defenses: 'Application Defense Violation All' and 'Application Defense Violation Severe.'
You can see what these two Attack filters entail by running these commands:
$> cf audit q name='Application Defense Violation All'
audit add filter name='Application Defense Violation All' \
comments='Detects attacks of all severities that violate active policy defined by Application Defenses. This attack category includes mime and keyword filter failure attacks.' \
filter_type=attack number=0 sacap_filter=AUDIT_X_APPDEF_VIOLATION
$> cf audit q name='Application Defense Violation Severe'
audit add filter name='Application Defense Violation Severe' \
comments='Detects when severe attacks violate active policy defined by Application Defenses, including mime and keyword filter reject audits.' \
filter_type=attack number=0 sacap_filter=AUDIT_X_APPDEF_VIOLATION_SEVERE
You can see the 'sacap_filter' (audit filter) names there: AUDIT_X_APPDEF_VIOLATION and AUDIT_X_APPDEF_VIOLATION_SEVERE. The 'AUDIT_X' denotes that this is a pre-defined filter that combines various expressions in a 'canned' value (that's from the 'man sacap_filter' page).
To see what these 'canned' values represent, you run 'acat -c | less' and then search for 'X_APPDEF' (press /, then type X_APPDEF and hit Enter to search). This is what those values mean (the sacap_filter is below the name of the filter value):
(category AUDIT_C_APPDEF_VIOLATION) && (priority AUDIT_P_EMERGENCY || priority AUDIT_P_ALERT || priority AUDIT_P_CRIT || priority AUDIT_P_FATAL || priority AUDIT_P_MAJOR)
You can see that AUDIT_X_APPDEF_VIOLATION is the audit filter "category AUDIT_C_APPDEF_VIOLATION". If you look at 'acat -c' you'll see that "appdef_violation" is what's called a 'short message' for AUDIT_C_APPDEF_VIOLATION -- it's a shorthand way to use that filter. Our first audit filter at the top (acat -e "category appdef_violation") is the same as 'acat -e AUDIT_X_APPDEF_VIOLATION' then.
The filter AUDIT_X_APPDEF_VIOLATION_SEVERE is the same thing except it only gets the most severe audit 'priority' types (as evidenced by its name).
I just did a simple test where I turned on 'HTTP URL Control' and then turn off ALL the HTTP commands (so no HTTP commands were allowed through, like a GET). When the system blocked me the audit message had a priority of 'p_minor,' so the SEVERE audit filter would not have picked up that audit message (so don't use that filter for catching these messages).
If you want to create your own filter to only alert you if your 'Internet Services' rule is hit with an appdef_violation, you can do that in the GUI by going to Monitor -> Audit Viewing, right-click on 'Custom' and select 'New Filter' and type a filter in there (that is on version 7.0.1.02). Or you can run this command on the CLI:
$> cf audit add filter name='App Def Violation Internet Rule' filter_type=attack number=0 sacap_filter="category appdef_violation and rule_name 'Internet Services'"
(put the rule name in single-quotes if it has a space in it)
Once you create the filter, you can then select this filter in the 'Attack Response Wizard' and set up your 'response' to it (SNMP trap, email, blackhole). If your 'Internet Services' rule is hit and an application defense block happens, you can then be alerted to it.
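To make the difference between the two canned filters concrete, here is an added example (not part of the thread and not Sidewinder code) that models audit records as plain Python objects and evaluates both the 'acat -c' expansion quoted above and a simple 'field value and field value' expression of the kind passed to 'acat -e'. The record fields, the sample audits, the filter grammar (left-to-right 'and'/'or', no parentheses) and the assumption that the displayed 'p_minor' priority corresponds to AUDIT_P_MINOR are all constructed for the example. It shows why a p_minor block under the 'Internet Services' rule is caught by AUDIT_X_APPDEF_VIOLATION and by the custom rule_name filter, but not by the SEVERE variant.

```python
"""Constructed model of the thread's audit filters (added example, not product code).

The canned filter semantics follow the 'acat -c' expansion quoted in the thread.
The expression grammar is a deliberate simplification of acat -e syntax:
'field value' terms joined left-to-right by 'and'/'or', with single quotes
allowed around a value that contains spaces.
"""
import shlex
from dataclasses import dataclass

# Priorities accepted by AUDIT_X_APPDEF_VIOLATION_SEVERE, as quoted from 'acat -c'.
SEVERE_PRIORITIES = {
    "AUDIT_P_EMERGENCY", "AUDIT_P_ALERT", "AUDIT_P_CRIT",
    "AUDIT_P_FATAL", "AUDIT_P_MAJOR",
}


@dataclass(frozen=True)
class AuditRecord:
    """One audit message, reduced to the fields the filters look at (constructed)."""
    category: str   # short-message form, e.g. "appdef_violation"
    priority: str   # assumption: the displayed 'p_minor' maps to AUDIT_P_MINOR
    rule_name: str  # access-control rule that the session matched


# Constructed sample audits; none of these are real firewall output.
SAMPLE_AUDITS = [
    # A blocked GET after 'HTTP URL Control' disallowed all commands: minor priority.
    AuditRecord("appdef_violation", "AUDIT_P_MINOR", "Internet Services"),
    # A violation the appliance rated as major.
    AuditRecord("appdef_violation", "AUDIT_P_MAJOR", "Internet Services"),
    # Same kind of block, but under a different rule.
    AuditRecord("appdef_violation", "AUDIT_P_MINOR", "DMZ Web"),
    # Unrelated audit category (constructed name) that no appdef filter should match.
    AuditRecord("session_end", "AUDIT_P_MINOR", "Internet Services"),
]


def matches_canned(name, rec):
    """Evaluate one of the two AUDIT_X_* canned filters against a record."""
    is_violation = rec.category == "appdef_violation"
    if name == "AUDIT_X_APPDEF_VIOLATION":
        return is_violation
    if name == "AUDIT_X_APPDEF_VIOLATION_SEVERE":
        return is_violation and rec.priority in SEVERE_PRIORITIES
    raise ValueError(f"unknown canned filter: {name}")


def evaluate(expr, rec):
    """Evaluate a simplified acat -e style expression against one record.

    Terms are 'field value'; shlex handles the single quotes around a rule
    name with spaces. Operators apply left to right (no precedence, no parens).
    """
    tokens = shlex.split(expr)
    result, op, i = None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("and", "or"):
            op, i = tok, i + 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"field '{tok}' has no value in: {expr}")
        field, value = tok, tokens[i + 1]
        i += 2
        if not hasattr(rec, field):
            raise ValueError(f"unknown field '{field}' in: {expr}")
        cond = getattr(rec, field) == value
        if result is None:
            result = cond
        elif op == "and":
            result = result and cond
        else:
            result = result or cond
    return bool(result)


def select(records, expr):
    """Return the records an expression would show, like 'acat -e <expr>'."""
    return [r for r in records if evaluate(expr, r)]


def summarize(records):
    """Count how many records each canned filter would pass to an attack response."""
    return {
        name: sum(matches_canned(name, r) for r in records)
        for name in ("AUDIT_X_APPDEF_VIOLATION", "AUDIT_X_APPDEF_VIOLATION_SEVERE")
    }


if __name__ == "__main__":
    custom = "category appdef_violation and rule_name 'Internet Services'"
    print("canned filter hits:", summarize(SAMPLE_AUDITS))
    for rec in select(SAMPLE_AUDITS, custom):
        print("custom filter would alert on:", rec)
```

Running it shows the minor-priority block counted under AUDIT_X_APPDEF_VIOLATION but not under the SEVERE filter, which is the reason the thread recommends the 'All' variant (or a custom rule_name filter) for catching website breakage rather than the 'Severe' one.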