Imperva Cyber Community

Expand all | Collapse all

Getting WAF default error page for application

  • 1.  Getting WAF default error page for application

    Posted 22 days ago
    Hello,

    I have integrated one application with Imperva WAF ( In TRP Mode) and as per our observation after refreshing the application page 3 4 times, we are getting  WAF default error page.(attachment 1).

    So i have edited the default error page of  variable SESSION_ID with EVENT_ID and  then getting attachment 2 error page.
    In second error page i got the incident id value but still i am able to find the due to which policy violation, i am facing this issue.

    I have two concerns for this.
    1. Why getting this error page.
    2. How to troubleshoot this issue with the help of EVENT ID.

      


    #AttackAnalytics
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------


  • 2.  RE: Getting WAF default error page for application

    Impervian
    Posted 22 days ago
    Hello,

    Have you tried searching the alert with Event Id filter?



    If you are able to locate the alert based on Event ID you should be able to see which security policy is triggered and tune accordingly. 


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 3.  RE: Getting WAF default error page for application

    Posted 22 days ago
    Hello,

    I have tried by using Event ID filter but not able find out the alert details against error page event id.


    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------



  • 4.  RE: Getting WAF default error page for application

    Community Manager
    Posted 22 days ago
    @Tushar Sawant

    Thanks for the post. I talked to one of our support leaders @Phil Klassen, and he said:

    The biggest reason for not finding event ID's is when the WAF cannot make a connection while in KRP/TRP/NGRP - if a connection cannot be made either with the client or the server and error page is presented with an event ID. 

    The best approach is to create a custom error page and select unreachable or unknown - docs page can be found here
    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/2593.htm​​


    We are working with the Product Management team @Eyal Gur, to see if there are things they can do to make this process easier in the future. As I understand it, this is a very complicated issue to resolved, but it is known. 
    ​​

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 5.  RE: Getting WAF default error page for application

    Posted 21 days ago
    Hi,

    The following article explains how to create that custom error page -
    https://www.imperva.com/sign_in.asp?retURL=/articles/Solution/Reverse-Proxy-KRP-TRP-This-page-can-t-be-displayed-Incident-ID-is-0

    As mentioned by @Christopher Detzel the most probable reason in TRP is a connection problem, usually a network or and SSL cipher suit issue from the GW to the web server or from the client to the GW.
    I'd start with a telnet from the TRP gw to the web server on the relevant port (443 or what you've set).
    If telnet works, disable any client and server side negotiation settings, and client authentication rules.
    If the issue persists the next step is to run tcpdump on both the incoming and outgoing NICs of the gw, and figure out where the issue is.

    Regards,
    Roee








    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------



  • 6.  RE: Getting WAF default error page for application

    Posted 19 days ago
    I would also suggest to change the look and feel of that error page to hide Imperva WAF presence, it just adds little more security.

    ------------------------------
    Shantanu Chaurasia
    ------------------------------