AppFW blocking and not logging, with PostBodyLimit set to >1GB
Article ID: CTX238424
Description
When an App Firewall (AppFW) profile is applied in log and learning mode only, some pages become unavailable, but no logs are generated.
AppFW blocks requests without logging them when the application/x-www-form-urlencoded option is enabled in the AppFW security settings.
Resolution
This is a known issue.
Upgrade to 12.0.58.*
or
As a workaround, set the post body limit on the profile to a value <=512MB, preferably 100MB.
Also, when requests are larger, ensure that the profile has streaming enabled. Enable streaming only if the backend server is able to accept chunked requests.
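One way to find affected profiles before applying the workaround, as an added example that is not part of the original article or of Citrix tooling: it scans saved configuration text for `add`/`set appfw profile` lines and reports profiles whose `-postBodyLimit` exceeds 512MB, together with their streaming state. The sample lines are constructed, and the limit is assumed to be expressed in bytes, as the 4294967295 (2^32-1) figure in this article implies.

```python
import shlex

MB = 1024 * 1024
WORKAROUND_MAX = 512 * MB   # article: values <= 512MB
PREFERRED = 100 * MB        # article: preferably 100MB

# Constructed sample configuration lines, not taken from a real appliance.
SAMPLE_CONF = """\
add appfw profile web_prof -startURLAction log learn -postBodyLimit 4294967295
add appfw profile "upload prof" -postBodyLimit 2147483648 -streaming ON
add appfw profile api_prof -postBodyLimit 104857600
set appfw profile web_prof -postBodyLimit 1073741825
add lb vserver vs1 HTTP 192.0.2.10 80
"""

def audit_post_body_limits(conf_text):
    """Return {profile: (limit_bytes, streaming_on)} for profiles above 512MB."""
    profiles = {}
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)  # handles quoted profile names
        except ValueError:
            continue  # skip lines with unbalanced quotes
        if len(tok) < 4 or tok[0] not in ("add", "set"):
            continue
        if [t.lower() for t in tok[1:3]] != ["appfw", "profile"]:
            continue
        state = profiles.setdefault(tok[3], {"limit": None, "streaming": False})
        opts = tok[4:]
        # Later lines override earlier ones, so a `set` wins over the `add`.
        for i, opt in enumerate(opts[:-1]):
            key = opt.lower()
            if key == "-postbodylimit" and opts[i + 1].isdigit():
                state["limit"] = int(opts[i + 1])
            elif key == "-streaming":
                state["streaming"] = opts[i + 1].upper() == "ON"
    # Profiles with no explicit limit keep the default and are not reported.
    return {name: (s["limit"], s["streaming"])
            for name, s in profiles.items()
            if s["limit"] is not None and s["limit"] > WORKAROUND_MAX}

if __name__ == "__main__":
    for name, (limit, streaming) in audit_post_body_limits(SAMPLE_CONF).items():
        print(f"{name}: postBodyLimit={limit} bytes exceeds 512MB; "
              f"set it to {PREFERRED} (100MB). streaming={'ON' if streaming else 'OFF'}")
```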
Problem Cause
AppFW blocking data.
Root Cause:
Setting the TCP window based on the post body limit from the AppFW profile overflows the 32-bit window variable.
When the post body limit is set to 4294967295 (2^32-1), the TCP window size rounds off, which causes this issue.
It is a latent issue of u32bits not being handled in the tcp-api for the window, exposed by a huge post body limit value.
Fix:
Limit the window opened by AppFW to 100MB instead of setting it to the post body limit, which could be as high as 4GB.
This also fixes the issue of uploads failing with signatures enabled (which happens only when SQL/XSS transform protections are disabled).
Additional Information
Bug 708394 already tracks this issue.