Author Topic: Learning Mode is intrusive?  (Read 5787 times)

Offline evildani

  • Administrator
  • Hero Member
  • *****
  • Posts: 373
  • Karma: 22
Learning Mode is intrusive?
« on: January 04, 2008, 05:25:15 AM »
Hi,

One of our customers reported that the learning mode of the application firewall is intrusive in some unknown way, since some of his applications have been failing since we introduced the learning mode of the application firewall. I am setting up a lab for that, and will post my results next week.

I post this in case someone knows anything.

Offline evildani

Re: Learning Mode is intrusive?
« Reply #1 on: January 09, 2008, 05:15:16 AM »
Update:
The appfw is blocking a hidden field that is calculated by the web application using a combination of methods: it uses JavaScript to calculate the value of the number field, then it is stored temporarily in the DB, then it is printed in a hidden field in the last phase of the web form. In that last phase the hidden value has a value of <blank> and it should be a number. We don't know how the learning mode of the appfw is blocking the hidden field.

Any ideas out there?

Offline evildani

Re: Learning Mode is intrusive?
« Reply #2 on: March 10, 2008, 10:48:41 AM »
Hey,

I have found, yet again (in another project), that the learning mode is intrusive.

When I enable AppFW in the netscaler 8 the postbody function of the edgesight configuration stops working, and the client rendering of the html adds the following.

script language='javascript1.1' type="text/javascript">
g_csma_PageEndData='&reqrte=00000000003837117215&reqste=00000000003837117215&resrte=00000000003837515764&resste=00000000003837515764';
</script>0

So I have detected two things so far: first, that the open tag of the script is missing, and second, that a 0 is being added to the page. No clues as to why, but it can be solved using a basic profile. But for very complex sites with a very large number of internal applications it is not a good solution.
I will keep you posted as I come up with a solution.

Offline evildani

Re: Learning Mode is intrusive?
« Reply #3 on: March 14, 2008, 07:31:41 AM »
We are sure now that application firewall and edgesight for netscaler are not 100% compatible. We opened a support case last night, March 13, to address the issue; I will post the reply.

Offline River Styx

  • Contributor
  • *
  • Posts: 3
  • Karma: 1
Re: Learning Mode is intrusive?
« Reply #4 on: March 14, 2008, 11:47:07 AM »
Learning should have no effect on the application.  Learning is just that; it records any request that is blocked by any security inspection.  It does not modify how the application works in any way.

More important is what profile you used and what inspections are enabled.  For example, in the case above, Form Consistency Checking (FCC) will not allow a hidden field to be changed or created client side.  If that is expected behavior, you can create a relaxation that tells FCC not to check that hidden field.

RS

Offline evildani

Re: Learning Mode is intrusive?
« Reply #5 on: March 15, 2008, 10:30:53 AM »
RS, I totally agree with you, but somehow, somewhere in this universe, appfw and edgesight are having trouble with each other. The backend server is an Oracle 10g Portal.
If someone tells me how to upload files I will upload a couple of pics and some html code to show how much damage is being done by having both features enabled at the same time.

Offline evildani

Re: Learning Mode is intrusive?
« Reply #6 on: March 17, 2008, 09:51:57 AM »
With Citrix support we have narrowed it down to appfw. Edgesight has nothing to do with the problem.

We have detected two problems. The first is that the appfw adds some hidden fields in order to check the consistency of the fields in the form, and the second is the canonical-something on the URL, for example you have:
www.hello.com/index.html?id=343&part=5&result=null
after the canonical-something it turns into this:
www.hello.com/index.html?id=343&amp;part=5&amp;result=null
So the URL is damaged.
We tried to issue the command "nsapimgr BLA BLA BLA" but that reset the ns, so now we have 3 problems...

I will post more stuff as it comes to me.

Offline evildani

Re: Learning Mode is intrusive?
« Reply #7 on: March 17, 2008, 03:13:08 PM »
The reset issue is solved: you have to issue it on the secondary node first, and then on the primary node.
After that the &amp; issue was solved too, but now form field consistency check messes the page up.

Offline TheOracle

  • Hero Member
  • *****
  • Posts: 152
  • Karma: 18
Re: Learning Mode is intrusive?
« Reply #8 on: March 21, 2008, 06:32:18 PM »
One issue was found:  If you have ES4NS and AppFW active on the same page, and the response is chunked from the server, it can cause problems.  If you use the following, you will prevent this particular issue:

# downgrades HTTP to 1.0 to prevent chunking
add rewrite action downgrade_1.0 replace http.req.version "\"HTTP/1.0\""
add rewrite policy to_1.0 true downgrade_1.0
bind lb vserver <vserver> -policyName to_1.0 -priority 20 -gotoPriorityExpression NEXT -type REQUEST

The Oracle

Offline evildani

Re: Learning Mode is intrusive?
« Reply #9 on: March 26, 2008, 03:56:29 PM »
The "solution" did not work... :(

Offline evildani

Re: Learning Mode is intrusive?
« Reply #10 on: March 26, 2008, 10:04:55 PM »
Sorry, it did work. I will explain the bug we encountered tomorrow.

Offline evildani

Re: Learning Mode is intrusive?
« Reply #11 on: March 27, 2008, 07:22:16 AM »
The main problem is seen when the http transfer between the server and the netscaler is using "content-transfer: chunked".
Chunked transfer is used when the server or the appliance will not know the final length of the content, so he cannot transfer it in a determined number of packets, so he uses chunked, where he divides the content into chunks of various sizes and sends the size along with each chunk so the other party can reconstruct the content.

It appears that Oracle portal and Oracle Application Server use that kind of transfer because the content on those servers relies on portlets, and the final size is very difficult to determine.

So the workaround to my problem was to switch the communication between the netscaler and the server to HTTP/1.0; since HTTP 1.0 does not support chunked, the netscaler receives the transfer via another method.

The bug is present in the way the application firewall reconstructs the content, which is then transferred to the user.
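
An added illustration of the chunked framing described in Reply #11, not part of the original posts: `decode_chunked` reassembles a chunked body correctly, while `leaky_reassemble` is a hypothetical faulty reassembly that leaves a stray trailing `0` like the one reported in Reply #2. The thread does not confirm that this is the actual NetScaler defect; the function names and the `SAMPLE` body are constructed for the example.

```python
# Added example; SAMPLE is a constructed chunked body, not traffic from the thread.
HEX = b"0123456789abcdefABCDEF"

def decode_chunked(raw: bytes) -> bytes:
    """Correct reassembly: strip all chunk framing, including the last chunk."""
    body, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # Size line: hex digits, optionally followed by ";extension".
        field = raw[pos:eol].split(b";", 1)[0].strip()
        if not field or any(c not in HEX for c in field):
            raise ValueError(f"bad chunk size {field!r}")
        size, pos = int(field, 16), eol + 2
        if size == 0:
            break
        if len(raw) < pos + size + 2 or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or misframed chunk")
        body += raw[pos:pos + size]
        pos += size + 2
    # After the zero-size chunk: optional trailer fields, then an empty line.
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing final CRLF")
        if eol == pos:
            return bytes(body)
        pos = eol + 2

def leaky_reassemble(raw: bytes) -> bytes:
    """Hypothetical faulty reassembly: data chunks are unwrapped, but the
    last chunk's size line is copied through as if it were content."""
    body, pos = bytearray(), 0
    while pos < len(raw):
        eol = raw.find(b"\r\n", pos)
        size = int(raw[pos:eol], 16)
        if size == 0:
            body += raw[pos:eol]  # defect: the framing byte "0" reaches the page
            break
        body += raw[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2
    return bytes(body)

SAMPLE = b"c\r\n<script>x=1;\r\n9\r\n</script>\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SAMPLE))    # framing fully removed
    print(leaky_reassemble(SAMPLE))  # same markup with a stray trailing 0
```

Comparing the bytes received from the back end with the bytes delivered to the client in this way helps separate a framing problem from a change made by a security check.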

Offline River Styx

Re: Learning Mode is intrusive?
« Reply #12 on: May 29, 2008, 11:34:02 AM »
There was an issue with NetScaler (not the AppFw module) having an issue with chunked data coming from the web server to the NetScaler.  This was fixed in build 55.3.  However, there is still an issue with using rewrite on data sent to the NS as chunked.

RS

Offline evildani

Re: Learning Mode is intrusive?
« Reply #13 on: May 30, 2008, 02:32:51 PM »
Very good, I am going to program the update.

Should I update to latest 8.0 or 8.1?

Daniel

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: Learning Mode is intrusive?
« Reply #14 on: June 20, 2008, 07:10:47 AM »
I found another case on our application where the App Firewall is blocking something even though it's in learn mode.  How can I view the log file that is created? I've searched all over and I can't seem to locate the log even though it's enabled. I want to figure out why learn mode is blocking this function.

Thanks