Trace HTML Requests with Application Firewall Security Violation Logs on NetScaler Appliance

Trace HTML Requests with Application Firewall Security Violation Logs on NetScaler Appliance

book

Article ID: CTX200351

calendar_today

Updated On:

Description

The NetScaler offers the option to isolate traffic for a specific Application Firewall profile and collect nstrace for HTML requests that trigger a log, block action or have malformed requests. The nstrace collected in "–appfw" mode will have details of the entire request including the Application Firewall generated log messages.

This enhancement helps in troubleshooting the NetScaler ADC and offers the following benefits:

  • Isolate traffic for specific profile: This enhancement is quite useful when you want to isolate traffic for only one profile or specific transactions of a profile for troubleshooting. You no longer have to skim through the entire data collected in the trace or need special filters to isolate requests that are of interest which can be tedious especially with heavy traffic.

  • Collect data for specific requests: The trace can be collected for a specified duration. You can collect trace for only a couple of requests to isolate, analyze, and debug specific transactions, if needed.

  • View decrypted SSL traffic: HTTPS traffic is captured in plain text to allow for easier troubleshooting.

  • Provides comprehensive view: Allows you to examine the entire request at the packet level, verify the payload, look at the logs to verify which security check violation is being triggered and identify the match pattern in the payload. If the payload consists of any unexpected data, junk strings, or non-printable characters (null character, \r or \n, and so on), they are easy to discover in the trace.  

  • Modify configuration: The debugging can provide useful information to decide if the observed behavior is the correct behavior or the configuration should be modified.

  • Expedite response time: Faster debugging on target traffic can improve the response time to provide explanations and/or root cause analysis by Citrix engineering and support team.  

To configure debug tracing for a profile using the NetScaler command line interface, complete the following procedure:

  1. Run the following command to enable tracing for the desired profile:
    set appfw profile <profile> -trace ON

  2. Run the following command to start collecting trace:
    start nstrace -mode APPFW

  3. Run the following command to stop collecting the trace:
    stop nstrace

The following is an example of a log record in the trace:

User-added image

Note: This article is applicable to NetScaler 10.5 build 53.9010.e.

Issue/Introduction

The NetScaler Application Firewall offers the option to isolate traffic for a specific profile and collect nstrace for HTML requests that trigger a log, block action or have malformed requests.
Powered by Wolken Software