Imperva Cyber Community

Hi Durai,

Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently? 

I also wonder if this community blog might be useful. Remember to log in in order to see it.

Imperva WAF Gateway – Tuning Web Profiles

Let me know how you get on with this.

Thanks,

Sarah

Hi Durai,

Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently? 

I also wonder if this community blog might be useful. Remember to log in in order to see it.

Imperva WAF Gateway – Tuning Web Profiles

Let me know how you get on with this.

Thanks,

Sarah

impctl support server show --alert-info-days=1

-------------------------------------------------------------------------------------------------------------

Alert tablespace by type - total

-------------------------------------------------------------------------------------------------------------

Profile         87%

Protocol        10%

Signature       1%

Custom          1%

Firewall        1%

-------------------------------------------------------------------------------------------------------------

Alert occurrences per policy - up to last 1 day(s), 5 results

-------------------------------------------------------------------------------------------------------------

        Firewall        Network Protocol Violations Po  SSL Untraceable Connection      22-MAY 18:33    1022805

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    290022

        Protocol        HTTP/1.x Protocol Policy        Malformed HTTP Header Line      22-MAY 18:33    157888

        Protocol        HTTP/1.x Protocol Policy        Illegal HTTP Version            22-MAY 18:33    107008

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    36042

Hi Durai,

Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently? 

I also wonder if this community blog might be useful. Remember to log in in order to see it.

Imperva WAF Gateway – Tuning Web Profiles

Let me know how you get on with this.

Thanks,

Sarah

Hi, Durai.

I can point you in the right direction, but unfortunately, this topic is a bit more involved than something that can be answered over a forum. This is an area where our Professional Services team could resolve this quickly. https://www.imperva.com/support/services/ 

Regarding the alerts, your number one issue is with SSL Untraceable Connection (https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/ssl_untraceable_connection.htm) at over 1,022,805 events. This alert informs you that the GW cannot decrypt the traffic. This is bad, as it means all that traffic is passing uninspected. The most common cause for this error message is that you are missing the correct certificate/private key for the IP that is being monitored. The second most common reason is that the IP being monitored is using Diffie-Hellman ciphers, which requires the use of Transparent Reverse Proxy (https://docs.imperva.com/bundle/v13.6-administration-guide/page/7200.htm) mode to decrypt.

The last 4 alerts, Illegal Byte Code Character, Malformed HTTP Header Line, Illegal HTTP Version and  Illegal Byte Code Character are likely occurring because you are monitoring non-HTTP compliant traffic. This could be something like a remote desktop session, an SSL VPN, or something along those lines. The stream and payloads do not conform to HTTP standards and will generate a lot of "noise" in the alerts.

By the way, these last 4 alerts combined are only responsible for 590,960 alerts in comparison to the 1,022,805 generated by Untraceable SSL Connections.

impctl support server show --alert-info-days=1

-------------------------------------------------------------------------------------------------------------

Alert tablespace by type - total

-------------------------------------------------------------------------------------------------------------

Profile         87%

Protocol        10%

Signature       1%

Custom          1%

Firewall        1%

-------------------------------------------------------------------------------------------------------------

Alert occurrences per policy - up to last 1 day(s), 5 results

-------------------------------------------------------------------------------------------------------------

        Firewall        Network Protocol Violations Po  SSL Untraceable Connection      22-MAY 18:33    1022805

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    290022

        Protocol        HTTP/1.x Protocol Policy        Malformed HTTP Header Line      22-MAY 18:33    157888

        Protocol        HTTP/1.x Protocol Policy        Illegal HTTP Version            22-MAY 18:33    107008

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    36042

Hi Durai,

Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently? 

I also wonder if this community blog might be useful. Remember to log in in order to see it.

Imperva WAF Gateway – Tuning Web Profiles

Let me know how you get on with this.

Thanks,

Sarah

Alert tablespace by type - total

-------------------------------------------------------------------------------------------------------------

Profile         87%

Hi, Durai.

I can point you in the right direction, but unfortunately, this topic is a bit more involved than something that can be answered over a forum. This is an area where our Professional Services team could resolve this quickly. https://www.imperva.com/support/services/ 

Regarding the alerts, your number one issue is with SSL Untraceable Connection (https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/ssl_untraceable_connection.htm) at over 1,022,805 events. This alert informs you that the GW cannot decrypt the traffic. This is bad, as it means all that traffic is passing uninspected. The most common cause for this error message is that you are missing the correct certificate/private key for the IP that is being monitored. The second most common reason is that the IP being monitored is using Diffie-Hellman ciphers, which requires the use of Transparent Reverse Proxy (https://docs.imperva.com/bundle/v13.6-administration-guide/page/7200.htm) mode to decrypt.

The last 4 alerts, Illegal Byte Code Character, Malformed HTTP Header Line, Illegal HTTP Version and  Illegal Byte Code Character are likely occurring because you are monitoring non-HTTP compliant traffic. This could be something like a remote desktop session, an SSL VPN, or something along those lines. The stream and payloads do not conform to HTTP standards and will generate a lot of "noise" in the alerts.

By the way, these last 4 alerts combined are only responsible for 590,960 alerts in comparison to the 1,022,805 generated by Untraceable SSL Connections.

impctl support server show --alert-info-days=1

-------------------------------------------------------------------------------------------------------------

Alert tablespace by type - total

-------------------------------------------------------------------------------------------------------------

Profile         87%

Protocol        10%

Signature       1%

Custom          1%

Firewall        1%

-------------------------------------------------------------------------------------------------------------

Alert occurrences per policy - up to last 1 day(s), 5 results

-------------------------------------------------------------------------------------------------------------

        Firewall        Network Protocol Violations Po  SSL Untraceable Connection      22-MAY 18:33    1022805

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    290022

        Protocol        HTTP/1.x Protocol Policy        Malformed HTTP Header Line      22-MAY 18:33    157888

        Protocol        HTTP/1.x Protocol Policy        Illegal HTTP Version            22-MAY 18:33    107008

        Protocol        HTTP/1.x Protocol Policy        Illegal Byte Code Character in  22-MAY 18:33    36042

Hi Durai,

Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently? 

I also wonder if this community blog might be useful. Remember to log in in order to see it.

Imperva WAF Gateway – Tuning Web Profiles

Let me know how you get on with this.

Thanks,

Sarah