Imperva Cyber Community

  • 1.  Getting WAF default error page for application

    Posted 07-15-2020 05:24
    Hello,

    I have integrated one application with Imperva WAF (in TRP mode) and, as per our observation, after refreshing the application page 3-4 times, we are getting the WAF default error page (attachment 1).

    So I have edited the default error page of variable SESSION_ID with EVENT_ID and am then getting the attachment 2 error page.
    In the second error page I got the incident ID value, but still I am able to find the due to which policy violation I am facing this issue.

    I have two concerns for this.
    1. Why getting this error page.
    2. How to troubleshoot this issue with the help of EVENT ID.

      


    #AttackAnalytics
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------


  • 2.  RE: Getting WAF default error page for application

    Posted 07-15-2020 10:21
    Edited by Sabajete Elezaj 07-15-2020 10:22
    Hello,

    Have you tried searching the alert with Event Id filter?



    If you are able to locate the alert based on Event ID you should be able to see which security policy is triggered and tune accordingly. 


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 3.  RE: Getting WAF default error page for application

    Posted 07-15-2020 10:50
    Hello,

    I have tried using the Event ID filter but am not able to find the alert details against the error page event ID.


    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------



  • 4.  RE: Getting WAF default error page for application

    Posted 07-15-2020 11:37
    @Tushar Sawant

    Thanks for the post. I talked to one of our support leaders @phil Klassen (csp) - Imperva, and he said:

    The biggest reason for not finding event IDs is when the WAF cannot make a connection while in KRP/TRP/NGRP - if a connection cannot be made either with the client or the server, an error page is presented with an event ID.

    The best approach is to create a custom error page and select unreachable or unknown - docs page can be found here
    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/2593.htm


    We are working with the Product Management team @Eyal Gur, to see if there are things they can do to make this process easier in the future. As I understand it, this is a very complicated issue to resolve, but it is known.


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 5.  RE: Getting WAF default error page for application

    Posted 07-16-2020 08:53
    Hi,

    The following article explains how to create that custom error page -
    https://www.imperva.com/sign_in.asp?retURL=/articles/Solution/Reverse-Proxy-KRP-TRP-This-page-can-t-be-displayed-Incident-ID-is-0

    As mentioned by @Christopher Detzel, the most probable reason in TRP is a connection problem, usually a network or an SSL cipher suite issue from the GW to the web server or from the client to the GW.
    I'd start with a telnet from the TRP gw to the web server on the relevant port (443 or what you've set).
    If telnet works, disable any client and server side negotiation settings, and client authentication rules.
    If the issue persists the next step is to run tcpdump on both the incoming and outgoing NICs of the gw, and figure out where the issue is.

    Regards,
    Roee








    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------
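
The first two checks suggested in the post above (TCP reachability, then SSL negotiation) can be separated with a short probe. This is an added example, not code from the thread or from Imperva; the function name `probe_backend` is hypothetical, and it assumes Python 3 on a host that shares the gateway's network path to the web server.

```python
import socket
import ssl
import sys


def probe_backend(host, port=443, timeout=5.0):
    """Return (stage, detail) where stage is 'tcp', 'tls' or 'ok'.

    'tcp': the TCP connect failed (routing, firewall, service down).
    'tls': TCP connected but the TLS handshake did not complete.
    'ok' : handshake completed; detail holds protocol and cipher suite.
    """
    # Step 1: plain TCP connect, the equivalent of the telnet test.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"{type(exc).__name__}: {exc}"

    # Step 2: TLS handshake on the same connection.
    # Certificate validation is off on purpose: this probe checks whether
    # negotiation succeeds, not trust, and sends no application data.
    # It offers Python's default protocol versions and cipher suites,
    # which may differ from what the gateway is configured to offer.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return "ok", f"{tls.version()} {name} ({bits} bits)"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return "tls", f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(*probe_backend(sys.argv[1], port), sep=": ")
```

A `tcp` result points at the network path; a `tls` result is the case where the tcpdump step on the gateway NICs shows which side ends the handshake.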



  • 6.  RE: Getting WAF default error page for application

    Posted 07-17-2020 14:23
    I would also suggest changing the look and feel of that error page to hide Imperva WAF presence; it just adds a little more security.

    ------------------------------
    Shantanu Chaurasia
    ------------------------------