Problem/Solution: Unable to edit the Application Firewall signature

Article ID: CTX208772

Description

The customer upgraded an HA pair from NetScaler 10.5 60.7. After the upgrade, the customer experienced Application Firewall blocks due to a signature violation. During troubleshooting, it was identified that signature ID 2441 was causing the block. When the customer tried to edit the signature ID to disable block, they were not able to proceed further, i.e. after unchecking unblocking and clicking OK, they were getting an import error saying resource failed. Looking at the logs, I could see that the import from the local signature file was failing. I followed the approach below to temporarily alleviate the issue. I suspect that this is because the base version and schema were not getting updated during the upgrade.



1) Looking at the signatures, I could see that the base versions of the default file and the custom signatures did not match.
2) On doing an edit, we saw an import error in ns.log. The possible reason is that the default signature and base version were mismatched.
3) To proceed further, we exported the signature object from the secondary and tried to import it on the primary, and it failed.
4) As the next course of action, we updated the primary customer object to base version 12 and noticed that we were able to edit.
5) We observed that it was not retaining any previous changes.
6) We were able to resolve the issue by enabling all the signature IDs and blocking 39 signature IDs using the Excel file we have.

Current issues:
- During troubleshooting we observed that the base version of the custom signature was 12 and the schema was 5. Now, when I look at the default signature, it shows base version 7 and schema 3.

Errors I saw:
1) When I tried to edit a profile.
_39/var/log]$ cat ns.log | grep import
Feb 17 07:00:21 <local0.info> ICL-PUN-DC2-WAF-SEC /netscaler/upgrade_appfw_imports.pl: Removed /nsconfig/updated_signatures.xml
Feb 17 07:00:21 <local0.info> ICL-PUN-DC2-WAF-SEC /netscaler/upgrade_appfw_imports.pl: Removed /var/tmp/_appfw_scan_xsl_files
Feb 17 07:00:21 <local0.info> ICL-PUN-DC2-WAF-SEC /netscaler/upgrade_appfw_imports.pl: Upgrading imported AppFw files using script: /netscaler/upgrade_appfw_imports.pl

Resolution


Workaround: Delete the file /nsconfig/updated_signatures.xml
Solution: Use the 11.0-64.1+ build

Problem Cause

Based on the /upload dir, all custom signatures have the good schema version (5).

Problem found: there is an old file at /nsconfig/updated_signatures.xml (with schema 3).
This will overwrite the file under /netscaler/default_signatures.xml (schema 5, which is not saved in the /upload dir).

This updated file is supposed to be removed during upgrade by the /netscaler/upgrade_appfw_imports.pl program, which was fixed in the 11.0-64.1+ build.
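
A check for the condition described above, as an added example that is not part of the original article and is not Citrix code: it compares the schema version of an override file with that of the shipped default and reports a stale override. The attribute name schema_version, the root element name and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Citrix code: flag a stale signature override file.
# ASSUMPTION: the schema version is a numeric attribute in the first lines of
# the XML file, named "schema_version"; pass the real name as $2 if it differs.

# Print the first numeric value of attribute $2 found in the head of file $1.
sig_schema() {
    awk -v a="${2:-schema_version}" '
        NR > 20 { exit }    # only the file header is of interest
        match($0, "(^|[ \t])" a "=\"[0-9]+\"") {
            v = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            print v; exit
        }' "$1" 2>/dev/null
}

# Compare override file $1 with the shipped default $2.
# Returns 0 = no stale override, 1 = override schema is older, 2 = cannot tell.
check_override() {
    override=$1
    shipped=$2
    if [ ! -f "$override" ]; then
        echo "OK: no override file at $override"
        return 0
    fi
    o=$(sig_schema "$override") || o=""
    d=$(sig_schema "$shipped") || d=""
    if [ -z "$o" ] || [ -z "$d" ]; then
        echo "UNKNOWN: schema version not found in one of the files"
        return 2
    fi
    if [ "$o" -lt "$d" ]; then
        echo "STALE: $override (schema $o) is older than $shipped (schema $d)"
        return 1
    fi
    echo "OK: override schema $o, shipped schema $d"
    return 0
}

# Constructed sample files standing in for /nsconfig/updated_signatures.xml and
# /netscaler/default_signatures.xml, using the schema numbers from the article.
demo_dir=$(mktemp -d)
printf '<?xml version="1.0"?>\n<SignaturesFile schema_version="3">\n</SignaturesFile>\n' \
    > "$demo_dir/updated_signatures.xml"
printf '<?xml version="1.0"?>\n<SignaturesFile\n  schema_version="5">\n</SignaturesFile>\n' \
    > "$demo_dir/default_signatures.xml"
demo_rc=0
check_override "$demo_dir/updated_signatures.xml" "$demo_dir/default_signatures.xml" || demo_rc=$?
echo "exit status: $demo_rc"
```

On an appliance the two arguments would be /nsconfig/updated_signatures.xml and /netscaler/default_signatures.xml.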