Jump to content
Welcome to our new Citrix community!
  • 0

Can't login to content mobile store after apply WAF

Sochorn Chan


Anyone please assist my issue that we can't login to my mobile store after apply WAF policy to virtual servers and the security profile is  just enable for learning mode to monitor but we really wonder that why it does block since we nothing enable security check to block or any transform and we nothing found any message block but we just see some log like this: 



Info CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_SQL|6|src= geolocation=Unknown spt=44146 method=GET request=https://vps.mydomain.com:9444/Store/Content/bootstrap/custom/font-awesome/fonts/fontawesome-webfont.eot? msg=SQL Keyword check failed for header Origin\="" cn1=57925992 cn2=119579332 cs1=APPFW_Profile cs2=PPE0 cs3=WsnsBt+upJk11Mhkj0Os8gdyeMc0002 cs4=ALERT cs5=2021 act=not blocked


Regard and Thanks



Link to comment

7 answers to this question

Recommended Posts

  • 0
2 hours ago, Carl Stalhood1709151912 said:

Do you have any signatures linked to the profile?


By default, the profile blocks invalid HTTP requests. You can turn that off. https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/profiles/enforce-http-rfc-compliance.html

Thanks @Carl Stalhood for your information. Yes, I did bound signature to the profile as well and regarding this guide also not working that I set it as APPFW_RFC_BYPASS mode on the profile level.


Link to comment
  • 0
1 hour ago, Carl Stalhood1709151912 said:

If you remove the signatures, does it work?


Is AppFW Engine Logging set to CEF enabled? If so, from ADC CLI Shell, run "grep act=blocked /var/log/ns.log" to see if a signature rule is blocking.

Yes, Sure. I set it as CEF format. 

I have tried remove signature from that profile ready but we still couldn't login and no see any logging as blocked. 


Link to comment
  • 0

A couple of other things:

- What version of firmware (in case it is a factor)? 

- Your log event mentions port 9444 in the URL that was flagged. Is your vserver listening on the correct range of ports. Is the vserver on HTTPS:9440 only or a mixture of HTTPS:443 and HTTPS:9440.  Is it possible that any of the start/deny urls or other  URL-based relaxations are NOT accounting for this port in the client-side requests?


Do you have start urls configured?  Is closure on or off?  (Even if your behavior is set to not block; minimal start urls usually need to be configured.)


Does your syslog include info and higher or are you otherwise limiting the content in syslog? (I've see this exclude critical info before.)

Is it possible your Appfw events were separated into a separate log from syslog.

Just view the current syslog output to see if AppFw events are being reported:


cd /var/log

tail -f ns.log | grep APPFW

See this article to see if appfw is logging separately from syslog affecting your view of the event output:  



You could also try running an nstrace with appfw logging enabled in the log parameters AND enable the "trace" option in the appfw profile (checkbox above).  (Trace and profile must be set for appfw tracing.)

To see if anything else is going on in your traffic flow. This should allow you to see the regular request/response and the appfw events within the trace.

I would include log filtering for traffic from a given source ip (connection.ip.eq) and include the "trace filtered connection's peer traffic" along with the "appfw trace" option and either of the necessary settings for decrypting a trace.  Maybe something else is happening to the traffic resulting in the error that is NOT an appfw block event.



Link to comment
  • 0

Hi Rhonda Rowland,

Thanks very much for your attention.

Currently, I'm running firmware version 12.1 and my back-end server side is listen port 9444 bound with SSL certificate. our back-end side are running IIS service and we just custom running this port for pre-production and related AppFW profile is just enable for learning mode and closure url also off. But it working in case I change AppFW custom profile to AppFW_BYPASS.

The syslog is store and logging as local and we nothing see any message blocked that content and I also try to diagnostic by trace and analysis found that there is completed SSL handshake as well.

Link to comment
  • 0

Which exact version of 12.1 as there may be firmware dependent bugs?


IF the port is only pesent server side but also appears in links client side then a) you need a listener and b) your url based rules may need to include/allow :9444 as well. Can't tell for sure in your example.


The appfw trace will show appfw violations in addition to the traffic flow. In case you see something you don't see normally.


Since you are seeing SQL failures, you can try turning off individual checks and try one thing at a time until you find your problem.  Always start with a proper starturl configuration as this can impact other checks.  Run the trace with appfw tracing enabled (remember both in trace and permitted in appfw profile) for appfw events.  Be sure LOG is enabled in the appfw check(s) you are testing.


1) Profile off: page load test

2) Profile ON: but no signatures, minimal checks enabled. But Start with your Start URLs properly configured and see if it works or not. 

At this point, confirm start url mode: url closure on/off or referer header validation; depending on closure on/off, will affect initial require start urls.

modify and test until page loads, before moving on to other checks.


3) After STart URls are working, then proceed to signatures and other checks until you find the problem.




Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...