Hi Durai, Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently?
I also wonder if this community blog might be useful. Remember to log in in order to see it.
Let me know how you get on with this. Thanks,
impctl support server show --alert-info-days=1
Alert tablespace by type - total
Alert occurrences per policy - up to last 1 day(s), 5 results
Firewall Network Protocol Violations Po SSL Untraceable Connection 22-MAY 18:33 1022805
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 290022
Protocol HTTP/1.x Protocol Policy Malformed HTTP Header Line 22-MAY 18:33 157888
Protocol HTTP/1.x Protocol Policy Illegal HTTP Version 22-MAY 18:33 107008
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 36042
Hi, Durai. I can point you in the right direction, but unfortunately, this topic is a bit more involved than something that can be answered over a forum. This is an area where our Professional Services team could resolve this quickly. https://www.imperva.com/support/services/ Regarding the alerts, your number one issue is with SSL Untraceable Connection (https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/ssl_untraceable_connection.htm) at over 1,022,805 events. This alert informs you that the GW cannot decrypt the traffic. This is bad, as it means all that traffic is passing uninspected. The most common cause for this error message is that you are missing the correct certificate/private key for the IP that is being monitored. The second most common reason is that the IP being monitored is using Diffie-Hellman ciphers, which requires the use of Transparent Reverse Proxy (https://docs.imperva.com/bundle/v13.6-administration-guide/page/7200.htm) mode to decrypt. The last 4 alerts, Illegal Byte Code Character, Malformed HTTP Header Line, Illegal HTTP Version and Illegal Byte Code Character are likely occurring because you are monitoring non-HTTP compliant traffic. This could be something like a remote desktop session, an SSL VPN, or something along those lines. The stream and payloads do not conform to HTTP standards and will generate a lot of "noise" in the alerts.
By the way, these last 4 alerts combined are only responsible for 590,960 alerts in comparison to the 1,022,805 generated by Untraceable SSL Connections.
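As an added example (not part of the original thread or of any Imperva tooling), the script below turns the pasted `impctl` alert rows into the same triage the answer above walks through: it parses each row, splits the counts into "traffic that passed uninspected" (SSL Untraceable Connection) versus "HTTP protocol noise" (the four HTTP/1.x alerts), and includes a helper that tells you whether a cipher suite negotiated by the monitored server uses ephemeral Diffie-Hellman key exchange, in which case holding the server's private key is not enough and an inline (reverse proxy) decryption mode is required. The sample output, the bucket names and the function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the rows of `impctl support server show --alert-info-days=1`
# as pasted in the thread (the CLI truncates the policy column).
SAMPLE_OUTPUT = """\
Alert occurrences per policy - up to last 1 day(s), 5 results
Firewall Network Protocol Violations Po SSL Untraceable Connection 22-MAY 18:33 1022805
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 290022
Protocol HTTP/1.x Protocol Policy Malformed HTTP Header Line 22-MAY 18:33 157888
Protocol HTTP/1.x Protocol Policy Illegal HTTP Version 22-MAY 18:33 107008
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 36042
"""

# One alert row: <type> <policy and alert text> <DD-MON> <HH:MM> <count>
ROW_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<text>.+?)\s+(?P<date>\d{2}-[A-Z]{3})"
    r"\s+(?P<time>\d{2}:\d{2})\s+(?P<count>\d+)$"
)

# Alert names the thread explains as "gateway could not decrypt, traffic uninspected".
DECRYPT_FAILURES = ("SSL Untraceable Connection",)

# Alert names the thread attributes to non-HTTP traffic hitting an HTTP profile.
PROTOCOL_NOISE = (
    "Illegal Byte Code Character",
    "Malformed HTTP Header Line",
    "Illegal HTTP Version",
)


def parse_alert_rows(output):
    """Return a list of dicts for every line that looks like an alert row."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header / summary lines do not match the row shape
        row = m.groupdict()
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def classify(alert_text):
    """Map an alert row's text onto one of the triage buckets."""
    if any(name in alert_text for name in DECRYPT_FAILURES):
        return "uninspected"
    if any(name in alert_text for name in PROTOCOL_NOISE):
        return "protocol-noise"
    return "other"


def triage(output):
    """Sum alert counts per bucket, so the uninspected share is visible at a glance."""
    totals = defaultdict(int)
    for row in parse_alert_rows(output):
        totals[classify(row["text"])] += row["count"]
    return dict(totals)


def top_alert(output):
    """Return the (alert text, count) of the single noisiest row."""
    rows = parse_alert_rows(output)
    best = max(rows, key=lambda r: r["count"])
    return best["text"], best["count"]


# Key-exchange tokens that mean the session key is never derivable from the
# server's long-term private key alone (OpenSSL and IANA spellings).
EPHEMERAL_KX = {"DHE", "EDH", "ECDHE", "EECDH"}


def needs_inline_decryption(cipher_suite):
    """True if passive decryption with only the server key cannot work.

    Accepts OpenSSL-style names ("ECDHE-RSA-AES256-GCM-SHA384") and IANA names
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"). TLS 1.3 suites ("TLS_AES_...",
    "TLS_CHACHA20_...") always use ephemeral key exchange.
    """
    name = cipher_suite.upper()
    if name.startswith("TLS_AES_") or name.startswith("TLS_CHACHA20_"):
        return True
    tokens = re.split(r"[-_]", name)
    return any(tok in EPHEMERAL_KX for tok in tokens)


if __name__ == "__main__":
    totals = triage(SAMPLE_OUTPUT)
    for bucket, count in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{bucket:15s} {count:>10d}")
    print("noisiest:", top_alert(SAMPLE_OUTPUT))
    for suite in ("AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"):
        print(suite, "-> inline decryption required:", needs_inline_decryption(suite))
```

The bucket totals reproduce the split given above (1,022,805 uninspected against 590,960 of protocol noise); the cipher-suite check is the question to ask of the monitored server before assuming a missing key is the cause, since a server that only offers DHE/ECDHE suites will keep producing SSL Untraceable Connection no matter which certificate is loaded.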
Hi Durai, While I would love to help, it's something that's a bit more complex than what can be resolved through forum posts. I highly recommend leveraging our Professional Services https://www.imperva.com/support/services/ to resolve this situation. With that being said, based on your screenshot, there is one more thing to check. By default, the WAF will learn ALL content. This is undesirable as we are not concerned with static content like images, etc. For the application in the screenshot, under Setup and sites - click the Web Profile level and ensure the URL learning settings are set to Learn all URLs except static URLs without Parameters.
Please see https://docs.imperva.com/howto/fdcdc70a for more information. Once this has been completed, the profile will not "auto clean" itself - you must either remove all static files from the profile manually (extremely tedious) or delete the profile to learn again under the new settings.
Copyright @ 2019 Imperva. All rights reserved