APP FW BLOCKED http malformed request


Hi, currently we have a virtual server set up as below:

VIP (172.16.46.119:44200) with HTTP protocol -> Service (172.16.48.71:44200) with HTTP protocol.

Users are hitting the VIP from their server (10.89.11.133), and they are getting a connection reset error. I found this message in the ADC logs:

172.16.46.123 04/30/2019:06:34:55 GMT digi-ecomm-ns1 0-PPE-1 : default APPFW AF_MALFORMED_REQ_ERR 146438 0 : 10.89.11.133 0-PPE0 - Malformed request (Invalid headers) - connection reset <blocked>

Currently the ADC does not have any Application Firewall policy/profile bound to Global. I would appreciate it if anyone can give me info on where this default APPFW AF_MALFORMED_REQ_ERR setting is.

Thanks in advance.

 

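As an added illustration (not code from the original post or from Citrix), a small Python parser for the AppFW syslog line quoted above: it pulls out the client IP, the reason in parentheses and whether the request was blocked, so that blocked malformed requests can be counted per client and correlated with the users' connection resets. The sample lines are constructed; only the first is the line from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the Citrix ADC syslog format quoted in the post.
# The first is the exact line from the thread; the other two are made up for contrast.
SAMPLE_LOGS = [
    "172.16.46.123 04/30/2019:06:34:55 GMT digi-ecomm-ns1 0-PPE-1 : default APPFW "
    "AF_MALFORMED_REQ_ERR 146438 0 : 10.89.11.133 0-PPE0 - Malformed request "
    "(Invalid headers) - connection reset <blocked>",
    "172.16.46.123 04/30/2019:06:35:02 GMT digi-ecomm-ns1 0-PPE-1 : default APPFW "
    "AF_MALFORMED_REQ_ERR 146439 0 : 10.89.11.140 0-PPE0 - Malformed request "
    "(Invalid headers) - connection reset <not blocked>",
    "172.16.46.123 04/30/2019:06:35:10 GMT digi-ecomm-ns1 0-PPE-1 : default SSLLOG "
    "SSL_HANDSHAKE_SUCCESS 146440 0 : constructed non-APPFW event, must not parse",
]

@dataclass
class AppfwEvent:
    timestamp: str
    client_ip: str   # the client whose request the AppFW rejected
    event: str       # e.g. AF_MALFORMED_REQ_ERR
    reason: str      # text inside the parentheses, e.g. "Invalid headers"
    blocked: bool    # <blocked> means the ADC reset the connection
APPFW_RE = re.compile(
    r"^\S+ (?P<ts>\S+) GMT \S+ \S+ : \S+ APPFW (?P<event>\S+) \d+ \d+ : "
    r"(?P<client>\S+) \S+ - (?P<detail>.*?) <(?P<action>blocked|not blocked)>$"
)
REASON_RE = re.compile(r"\(([^)]*)\)")

def parse_appfw_line(line: str) -> Optional[AppfwEvent]:
    """Return an AppfwEvent for an APPFW syslog line, or None for other modules."""
    m = APPFW_RE.match(line.strip())
    if not m:
        return None
    r = REASON_RE.search(m["detail"])
    return AppfwEvent(m["ts"], m["client"], m["event"],
                      r.group(1) if r else m["detail"], m["action"] == "blocked")

def blocked_clients(lines) -> Counter:
    """Count malformed-request blocks per client IP, to correlate with user resets."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_appfw_line(line)
        if ev and ev.event == "AF_MALFORMED_REQ_ERR" and ev.blocked:
            counts[ev.client_ip] += 1
    return counts
```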

Do you have an AppFw policy bound to any specific lb/cs vserver?

If you are not sure, run the following to see if there are any appfw policies/profiles in use at the vserver level:

show ns runningconfig | grep "add appfw policy" -i   # this will return a list of appfw policies, then you can see where each is bound

show ns runningconfig | grep <policyname> -i

-OR-

show ns runningconfig | grep "bind lb vserver <vservername>" -i    # reviews the bind commands on the specific lb (or cs vserver), if you know which entity you are troubleshooting

The default global appfw parameters should be set so that the global appfw engine settings have the undefined action as block and the default action as bypass. If the default action was changed, you might be getting a de facto action without a policy bound, but there is probably a vserver-level policy (and not just a global one).

To verify these:

GUI:  Application Firewall > (right pane) Change Engine Settings

CLI:  show appfw settings

Once you figure out which profile/policy is in use, then you can decide the best way to handle the malformed request setting. Its information is discussed here:

https://docs.citrix.com/en-us/citrix-adc/12-1/application-firewall/profiles/enforce-http-rfc-compliance.html

 


Hi Rhonda,

Thanks for your reply and info. The ADC currently has an APP FW policy, and it's bound to a specific target lb/cs vserver. I tried creating a policy with the APPFW_BYPASS profile and binding it to the virtual server that is facing the issue. Below are the info and commands I ran on the ADC. I have attached a screenshot of the appfw settings as well.

Virtual server name: lb-InstantLink8-ExtAPI-44200

APP FW policy name: IL8_APPFW_BYPASS

Command and result:

> show ns runningconfig | grep "add appfw policy" -i
add appfw policy IL8_APPFW_BYPASS true APPFW_BYPASS

> show ns runningconfig | grep IL8_APPFW_BYPASS -i
add appfw policy IL8_APPFW_BYPASS true APPFW_BYPASS
bind lb vserver lb-InstantLink8-ExtAPI-44200 -policyName IL8_APPFW_BYPASS -priority 100 -gotoPriorityExpression END -type REQUEST

> show ns runningconfig | grep "bind lb vserver lb-InstantLink8-ExtAPI-44200" -i
bind lb vserver lb-InstantLink8-ExtAPI-44200 svc-InstantLink8_ExtAPI-44200
bind lb vserver lb-InstantLink8-ExtAPI-44200 svc-InstantLink8_ExtAPI_remote-44200
bind lb vserver lb-InstantLink8-ExtAPI-44200 -policyName IL8_APPFW_BYPASS -priority 100 -gotoPriorityExpression END -type REQUEST

Log message:

172.16.46.123 04/30/2019:06:34:55 GMT digi-ecomm-ns1 0-PPE-1 : default APPFW AF_MALFORMED_REQ_ERR 146438 0 : 10.89.11.133 0-PPE0 - Malformed request (Invalid headers) - connection reset <blocked>

appfw setting.PNG

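As an added illustration (not code from the thread or from Citrix), the following Python automates the grep steps from the earlier reply over running-config text like the output above: it maps each "add appfw policy" line to its profile and resolves which AppFW profiles a given lb/cs vserver's policy bindings select. The config excerpt is constructed from the lines shown in the thread; the cs vserver and the HYPO_* names are hypothetical additions.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt. The first four lines are the ones shown in
# the thread; the two HYPO_* lines are hypothetical, added to show per-vserver filtering.
RUNNING_CONFIG = """\
add appfw policy IL8_APPFW_BYPASS true APPFW_BYPASS
bind lb vserver lb-InstantLink8-ExtAPI-44200 svc-InstantLink8_ExtAPI-44200
bind lb vserver lb-InstantLink8-ExtAPI-44200 svc-InstantLink8_ExtAPI_remote-44200
bind lb vserver lb-InstantLink8-ExtAPI-44200 -policyName IL8_APPFW_BYPASS -priority 100 -gotoPriorityExpression END -type REQUEST
add appfw policy HYPO_CS_POLICY true APPFW_BLOCK
bind cs vserver cs-hypothetical-443 -policyName HYPO_CS_POLICY -priority 10 -gotoPriorityExpression END -type REQUEST
"""

# "add appfw policy <name> <rule> <profile>": the rule may contain spaces, so the
# profile is taken as the last token on the line.
ADD_POLICY_RE = re.compile(r"^add appfw policy (\S+) (.+) (\S+)\s*$")
# Policy bindings on an lb/cs vserver carry -policyName; service bindings do not.
BIND_RE = re.compile(
    r"^bind (?:lb|cs) vserver (\S+) -policyName (\S+)(?:.*? -priority (\d+))?"
)

def parse_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, int]]]:
    """Return ({policy: profile}, [(vserver, policy, priority), ...])."""
    policies: Dict[str, str] = {}
    bindings: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = ADD_POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(3)
            continue
        m = BIND_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return policies, bindings

def appfw_profiles_for(vserver: str, text: str) -> List[Tuple[str, str, int]]:
    """AppFW (policy, profile, priority) bound to vserver, lowest priority first.
    Bindings whose policy is not an appfw policy (e.g. responder) are skipped."""
    policies, bindings = parse_config(text)
    hits = [(pol, policies[pol], prio)
            for vs, pol, prio in bindings if vs == vserver and pol in policies]
    return sorted(hits, key=lambda h: h[2])
```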