WAAS Troubleshooting

WAAS connectivity monitor

WAAS connectivity monitor monitors the connection between WAAS and the protected application.
WAAS connectivity monitor aggregates data on pages served by WAAS and the application responses.
In addition, it provides easy access to WAAS-related errors registered in the Defender logs (Defenders send logs to the Console every hour).
The monitor tab becomes available when you click on an image or host protected by WAAS.
  • Last updated
    - Most recent time when WAAS monitoring data was sent from the Defenders to the Console (Defender logs are sent to the Console on an hourly basis). By clicking on the refresh button users can initiate sending of newer data.
  • Aggregation start time
    - Time when data aggregation began. By clicking on the reset button users can reset all counters.
  • WAAS errors
    - To view recent errors related to a monitored image or host, click the View recent errors link.
  • WAAS statistics:
  • Application statistics
    • Count of server responses returned from the protected application to WAAS grouped by HTTP response code prefix
    • Count of timeouts (a timeout is counted when a request is forwarded by WAAS to the protected application with no response received within the set timeout period).
Existing WAAS and application statistics counts will be lost once users reset the aggregation start time. Reset will not affect WAAS errors and will not cause recent errors to be lost.
For further details on WAAS deployment, monitoring and troubleshooting, please refer to the WAAS deployment page.

Troubleshooting Container or Host Rules

Follow these steps to troubleshoot WAAS issues using the table below:
  1. Ensure the protected container or host is protected by WAAS - a green firewall icon should appear next to the workload’s radar entity and a "WAAS" tab should appear when clicked.
  2. Click on the workload in the radar and open WAAS connectivity monitor by clicking on the WAAS tab.
  3. Click on Reset to reset all counters.
  4. Send one or more HTTP requests to the protected application.
  5. Click on Refresh and match changes in the request counters to the Connectivity Monitor Indications column in the table below.
  6. If the WAAS errors counter has been incremented, click on View recent errors to view errors.

Application is not responding

| Possible reasons | Connectivity Monitor Indications | Solution |
|---|---|---|
| A problem with the protected application | Timeouts is incremented. | Disable WAAS rule and check if the problem persists. |
| | WAAS Errors counter incremented. | |
| Prisma Session Cookies is enabled and the client accessing the application does not support both cookies and JavaScript. | None of the Application Statistics counters is incremented. | Please see Prisma Session Cookies section for more details. |
| reCAPTCHA is enabled and is preventing clients from reaching the protected application. | None of the Application Statistics counters is incremented. | Please see reCAPTCHA section for more details. |

Application is responding as expected yet WAAS protections do not trigger

| Possible reasons | Connectivity Monitor Indications | Solution |
|---|---|---|
| WAAS port is not properly configured. | Incoming requests is not incremented. | The App port should be set to the port on which the protected application is listening. For containers the app port should be set to the exposed port on the container (not necessarily the same as the publicly exposed port). |
| Workload is not included in rule scope. | The workload radar entity does not have a firewall icon next to it, and the WAAS tab is not available when clicked. | Verify the workload is not in scope and adjust scope to include it. |
| Workload is included in the scope of two WAAS rules (only first by order will match). | The workload radar entity does not have a firewall icon next to it, and the WAAS tab is not available when clicked. | Ensure that the desired rule matches first by altering rule scope collections or reordering rules. |
| HTTP hostname is included in the scope of two or more apps under the same WAAS rules (only first app by order will match). | Application statistics counters are incremented. | Whenever multiple apps are defined in the same rule only the first app by order will match. |
| Request URL is not included in the list of protected endpoints. | None of the counters is getting incremented. | Verify base path ends with an * to include all subpaths; verify HTTP hostname in the request matches the listed HTTP hostnames; verify scheme in the request matches the scheme in the protected endpoints list (TLS is enabled/disabled accordingly). |

Application is responding with HTTP errors (3XX, 4XX, 5XX)

| Possible reasons | Connectivity Monitor Indications | Solution |
|---|---|---|
| Errors are generated by WAAS (requests are not forwarded to the protected application) | WAAS Errors counter incremented. | |
| Errors are generated by the protected application | Application statistics 3XX, 4XX or 5XX counters are incremented. | Check the protected application logs for errors. |

WAAS is blocking legitimate requests

| Possible reasons | Connectivity Monitor Indications | Solution |
|---|---|---|
| False positive | Application statistics counters are incremented. | Add exceptions to protections causing false triggers. |

WAAS events all have the same attacker IP (private IP)

| Possible reasons | Connectivity Monitor Indications | Solution |
|---|---|---|
| Ingress controller is not set as a transparent proxy | Application statistics counters are incremented. | Configure ingress controller as transparent proxy (enable “X-Forwarded-For” and “X-Forwarded-Host” HTTP headers). |
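
The following added illustration (not Prisma Cloud code and not a description of WAAS internals) shows the general mechanism behind this symptom: without X-Forwarded-For, everything behind the ingress can only record the ingress pod's address. The pod network, addresses and function names are constructed for the example.

```python
import ipaddress

# Assumption: the ingress controller's pod network (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _in(addr, networks):
    return any(addr in net for net in networks)

def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the source address a component behind the proxy would record."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    # Honour the header only when the TCP peer is a known proxy;
    # otherwise any client could claim an arbitrary source address.
    if not xff or not _in(peer, trusted):
        return str(peer)
    # Walk the chain right to left, skipping hops that are our own proxies.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if not _in(addr, trusted):
            return str(addr)
    return str(peer)

def single_private_source(ips):
    """True when every event carries the same RFC 1918 address."""
    unique = set(ips)
    return len(unique) == 1 and _in(ipaddress.ip_address(next(iter(unique))), RFC1918)

# Constructed sample: three clients reaching the app through one ingress pod.
INGRESS_POD = "10.244.1.7"
CLIENTS = ["198.51.100.23", "203.0.113.9", "192.0.2.77"]

def simulate(forward_headers):
    """Recorded source IPs with and without the ingress forwarding the header."""
    return [
        resolve_client_ip(
            INGRESS_POD, {"X-Forwarded-For": c} if forward_headers else {})
        for c in CLIENTS
    ]

if __name__ == "__main__":
    print("header not forwarded:", simulate(False))
    print("header forwarded:    ", simulate(True))
```
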
