This section explains the WAF Logs Analytics feature available for virtual service in the Avi Load Balancer.

When a WAF Policy is attached to a virtual service, specific WAF logs are generated. To view the log files:

  1. Navigate to Applications > Virtual Services.

  2. Click the Virtual Service mapped to the WAF Policy and navigate to Logs.

  3. The logs can be filtered to view specific WAF entries. Type WAF in the search bar to populate the available options.

Note:

The same filters can be used for WAF Analytics.

WAF Memory Consumption per Transaction

The virtual service application WAF log includes the memory_allocated field. This field specifies the amount of memory used (in bytes) during WAF request processing.

During WAF processing, the SE captures the memory allocation stats before and after each WAF phase. The difference is used to track the total memory allocated. This method does not track any memory allocations that are made and freed within a WAF phase.

This represents the memory that contributes to overall memory pressure when many requests are being processed simultaneously.

WAF Logs when TLS SNI and Host Header are Different

The Avi Load Balancer supports flagging of traffic through WAF when TLS SNI and the host header are different.

Use the following CRS rule to flag the HTTP request for which TLS SNI and host header are different.

SecRule TX:sni_hostname "!@streq %{REQUEST_HEADERS:Host}" "id:'137',phase:1,log,deny,status:403,msg:'SNI-Host-Header mismatch'"

With this rule in place, the Avi Load Balancer returns the response code 200 if the SNI host name and host header are the same. The response code 403 is returned if the SNI host name and host header are different. For non-SSL traffic, the response code is 403, irrespective of the presence of the host header.