LevelBlue Knowledge Base » Knowledgebase » Legacy Products » WAF

End-of-Life for Trustwave Web Application Firewall

Charles — Wed, 04 Sep 2019 15:50:20 GMT

This article applies to:

Trustwave Web Application Firewall (WAF)

Information:

Trustwave is announcing the End-of-Life (EOL) for Trustwave Web Application Firewall (WAF) effective September 30, 2020. Please note that after September 30, 2020, software maintenance releases, including security patches and bug fixes, will no longer be issued for Trustwave WAF.

We recommend that customers currently using Trustwave WAF migrate to our new Trustwave Managed WAF offering (available beginning October 1, 2019), leveraging Akamai’s market leading solution and Trustwave market leading managed services.

Key dates are as follows:

End-of-sale (EOS) effective date: September 1, 2019
End-of-life (EOL) effective date: September 30, 2020

For more information on additional capabilities, benefits and migration information, see Trustwave WAF End-Of-Life Frequently Asked Questions (FAQ), attached to this article.

Trustwave WAF customers will be contacted by their Trustwave Account Manager with more information regarding the new platform and service as well as an explanation of the migration path to the new solution.

For more information or questions regarding the migration process, please contact your Trustwave Account Manager.

Manually loading the license on a standby WebDefend appliance

Piotr Dłubisz — Thu, 04 May 2017 05:54:23 GMT

This article applies to:

WebDefend - All versions

Question:

How do I upload a new license to a WebDefend appliance that is in stand-by mode?

Procedure:

To manually load the license on a standby WebDefend appliance:

Using a program such as WinSCP, copy the license to the standby WebDefend appliance to /home/bgse/pub
SSH to the standby appliance as bgse, then "su -" and login as root
Change to the directory:

cd /home/bgse/pub
Copy and rename the license to the correct file name (assume for this example that the uploaded license file is 2A43C.lic):

# cp 2A43C.lic /usr/local/opt/breach/breach.lic

Notes:

The filename MUST be breach.lic

Upgrade to version 8.0 fails (jntm fails to start services)

James Swart — Thu, 02 Feb 2017 15:17:14 GMT

This article applies to:

Trustwave WAF (WebDefend)
Upgrading to version 8.0 from 7.5 and up.

Problem:

After upgrade to WAF 8.0, services will not start.

Symptoms:

Error in jntm logs:

2017-01-26 17:30:27,349 ERROR[org.jboss.as.controller.management-operation] (Controller Boot Thread)JBAS014613: Operation ("add") failed - address:([("interface" => "external")]) - failure description:"JBAS014704: '' is an invalid value for parameter inet-address. Values must have a minimum length of 1 characters"2017-01-26 17:30:27,350 FATAL [org.jboss.as.server](Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.2017-01-26 17:30:27,368 INFO  [org.jboss.as] (MSCservice thread 1-10) JBAS015950: WildFly 8.2.0.Final "Tweek" stopped in 12ms

Verify Issue:

In the file /opt/breach/bwd/jntm/configuration/standalone.xml the entry for <interface name="external">.<inet-address value> is blank.

Example of bad configuration:

<interfacename="external"><inet-address value=""/></interface>

Resolution:

Replace the file maintenance.conf in /opt/breach/bwd with maintenance.conf.oldver
Restart services.

Preventing "Slow HTTP" Attacks

Andrew Davies — Mon, 23 Jan 2017 18:38:58 GMT

This article applies to:

WAF 8.0

Question:

Can Trustwave WAF detect and mitigate "slow HTTP" attacks?

Information:

Yes, WAF 8.0 and above can detect, report, and prevent slow client Denial of Service (DoS) attacks, where an attacker deliberately sends multiple partial HTTP requests to the server.

In such an attack, the client attempts to consume server resources by slowing the request or response, holding connections and memory resources open on the server for a long time, but without triggering session time-outs. This behavior can make the server unable to respond to legitimate requests from other clients.

Resetting a forgotten password from the Maintenance Tool (SSH) in WebDefend Version 5.1 and above

Andrew Davies — Mon, 23 Jan 2017 18:38:42 GMT

This article applies to:

WebDefend (WAF) 5.1 and above

Question:

I've locked my user out of the console (GUI)
How do I reset my user password?

Procedure:

Note: This procedure will require you to stop services on the appliance.

Log into the appliance via ssh with elevated privileges using either of the methods below.
1. Log in as bgse then switch to root su -
  - Run the following command to start the bgoperator: su - bgoperator
2. ssh directly as bgoperator, which will run the bgoperator menu.
Maintenance tool - Version 5.1 (7.10.107)
bwd-7.10.107-1
Machine Type is: STAND-ALONE
Deployment Mode is: OUT OF LINE

---------
Main Menu
---------
1 -- Online Menu
2 -- Offline Menu
3 -- System Menu
? -- Help
Chose option 2 -- Offline Menu

------------
Offline Menu
------------
1 -- Configuration Menu
2 -- Import - Export Menu
3 -- System Events Menu
4 -- DB maintenance Menu
5 -- License Management Menu
6 -- Audit Log Menu
q -- Return to Previous Menu
? -- Help
Choose option 1 -- Configuration Menu
Note: This will require you to stop services on the appliance.

----------------------

Configuration Menu
------------------
1 -- Reset all configuration
2 -- Initial Settings
3 -- Change user type from remote to local
4 -- Reset WebDefend Console user list to default users and passwords
5 -- Unlock all WebDefend Console users and set their passwords to the default value
6 -- Unlock WebDefend Console user and set password to the default value
7 -- Reset log files
8 -- Networks interface cards (NICs) roles
9 -- Advanced Inline configurations
10 -- Enable/disable signature matching for HTTP free-form parameters
11 -- BreachMarks Boundaries Menu
q -- Return to Previous Menu
? -- Help
Choose option 6 -- Unlock WebDefend Console user and set password to the default value.
- You will see something similar to the output below.
All services are down
The following users were found:
User's ID= 1 Name= bgadmin Organization=1
User's ID= 2 Name= bgse Organization=1
User's ID= 3 Name= bob Organization=1
User's ID= 4 Name= jim Organization=1
User's ID= 5 Name= bill Organization=1
Enter user's ID
>
Enter the user id number. The system will ask if you want to proceed.
- Type yes.
Once the user's password has been reset you must start the services. Press 'q' several times to get back to the main menu.

---------

Main Menu
---------
1 -- Online Menu
2 -- Offline Menu
3 -- System Menu
? -- Help
Choose option 1 -- Online Menu

-----------

Online Menu
-----------
1 -- WebDefend System Commands Menu
2 -- WebDefend Enterprise Manager Commands Menu
3 -- WebDefend Service Commands Menu
4 -- WebDefend Watchdog Menu
q -- Return to Previous Menu
? -- Help
Choose option 1 -- WebDefend System Commands Menu

-----------------------------

WebDefend System Commands Menu
------------------------------
1 -- WebDefend System Status
2 -- Start WebDefend System
3 -- Stop WebDefend System
q -- Return to Previous Menu
? -- Help
Choose option 2 -- Start WebDefend System
After the services have started, log in to the console with the user name and default password.
- Note: Please refer to the WebDefend Getting Started Guide for the default password.
You will be prompted to enter and verify a new password and select a location (default C:) to store the .prk file.

Notes:

Default passwords can be found in the WebDefend Getting Started Guide.
Trustwave highly recommends changing the default password. Passwords must be PCI compliant.
The Reset User Password option is disabled for remotely authenticated users. For more information, see "Remote User Authentication" in the WebDefend User Guide. Contact your LDAP administrator to reset a password for a remote user that is authenticated via LDAP.

Cannot log in to WAF due to expired certificate

Andrew Davies — Mon, 23 Jan 2017 18:38:05 GMT

This article applies to:

WAF (WebDefend) 7.6 GA and older.

Symptoms:

Cannot log in to WAF from the console

Causes:

The certificate used for authentication has expired as of 10 July 2016

Resolution:

To resolve this issue, download and install new certificate files.

Updated certificates are available for download from the Trustwave Support Portal (https://login.trustwave.com/).
- Log in to the portal and navigate to File Library > private > WAF > WebDefend > Console certificate > newcerts.zip
- If you do not have permission to access this file, contact Trustwave TAC.
Download this file from the location above in the Trustwave Support Portal.
Copy the zip file to each WAF appliance (/home/bgse/pub) using WinSCP or other copying methods.
Log in to the WAF system.
Change to the /home/bgse/pub directory (must be root).
Unzip the file while in the /home/bgse/pub directory.
Replace the ca.crt file in /opt/breach/bwd/common with the new file:
# cp /home/bgse/pub/ca.crt /opt/breach/bwd/common/ca.crt
Replace the console.crt file in /opt/breach/bwd/conf with the new file:
# cp /home/bgse/pub/console.crt /opt/breach/bwd/conf/console.crt
Replace the console.jks file in /opt/breach/reporting/ with the new file:
# cp /home/bgse/pub/console.jks /opt/breach/reporting/console.jks
Restart all services using one of the following methods:
- From root, su bgoperator then use menu options 1, 1, 4 restart services
- From the command line interface: service all_services_init restart
On PCs where the console is installed:
- Ensure the Console is not running
- Replace the file console.crt in %BGD_HOME%\conf_tools with the new file.

Notes:

On a distributed WAF installation, the WAF certificates must be replaced and services restarted on all machines (the NTM and the sensors).
If you are connecting to a Terminal Server or using Remote Desktop, you must upgrade to version 7.6. This is required due to an issue with Windows reading the user rights.

SSL Termination with WAF 7.6 and above

James Swart — Mon, 09 Jan 2017 07:49:16 GMT

This article applies to:

WebDefend 7.6 and above

Question:

Can WAF perform SSL Termination?

Reply:

Yes, WAF 7.6 and above provides the option of "SSL Termination" (decoding client requests and passing the requests to the web server as unencrypted HTTP).

In the WAF console you will find a new protocol available when configuring network settings: SSL Termination.
When you choose this configuration, you can configure different ports for WS (web server) and WAF.
In the example below:
- Encrypted traffic is sent to WAF on port 443.
- WAF opens and inspects the traffic, and then forwards the decoded traffic to the web server on port 80.

Finding the Open SSL Version used by WAF

Piotr Dłubisz — Mon, 10 Oct 2016 06:00:34 GMT

This article applies to:

All Versions of WAF

Question:

How can I tell what version of SSL the WAF is using?
The SSL Spec for WAF 7.5 SP4 shows that WAF uses OpenSSL 1.0.1s. However, in /opt/breach/bwd/lib the versions of both libssl and libcrypto appear as 1.0.0.

Procedure:

WAF installs and uses its own copy of OpenSSL executables. This may not be the same version as the OpenSSL provided by the operating system.

To determine the version of OpenSSL used by WAF:

Connect to the WAF server using SSH
Log in as BGSE> su - for root.
Type:

# export LD_LIBRARY_PATH=/opt/breach/bwd/lib; /opt/breach/bwd/bin/openssl version
You can also determine the version of OpenSSL used by the operating system by simply typing:

# openssl version

Resetting a forgotten WebDefend root password

Piotr Dłubisz — Mon, 10 Oct 2016 05:00:23 GMT

This article applies to:

WAF/WebDefend 5.X and above.

Question:

I'm locked out of the root account. How do I reset it?

Procedure:

Note: These procedures require physical access to the WebDefend appliance and will take the system offline for the duration of the procedure.

For 6.x

Reboot or power cycle the WebDefend appliance.
- Note: The device starts and gives the option "to enter bios press Delete". Do not press Delete at this point, but wait for a second screen to display and then quickly press Delete.
Press the Delete key repeatedly until you see the GNU Grub.
- If connected directly to the physical console (VGA), enter Single Mode.
- If connected through the serial port, enter Single mode – Serial console.
This should boot the system up in single user mode.
You can then change the password using the following command:

passwd

For bgse:

passwd bgse
Once you have successfully changed the password you can then reboot the appliance by issuing the following command:

reboot

For 5.X

Reboot or power cycle the WebDefend appliance.
Press the Delete key repeatedly until you see the BIOS password screen.
Press the Escape key and immediately start pressing the Delete key again repeatedly (NOTE: You have to do this fairly quickly)
At this point you should see the Grub screen.
Press p for password and enter the password and press enter. (Contact Trustwave TAC for the bios password.)
Select the second line:

ro root=/dev/md2 quiet console=ttyS1,9600n8
Press e for edit.
Modify the line to read

ro root=/dev/md2 single
Press enter, and then b for boot.
This should boot the system up in single user mode.
You can then change the password using the following command:

passwd
Once you have successfully changed the password you can then reboot the appliance by issuing the following command:

reboot

Disabling Simulation Mode on multiple policies

Piotr Dłubisz — Mon, 10 Oct 2016 04:55:31 GMT

This article applies to:

Webdefend 7.6

Question:

How can I disable Simulation Mode on multiple policies in Policy Manager?

Procedure:

Log in to Trustwave WAF Console
Navigate to Policy Manager
Select the policy you want to change
In the Filter By Action pane
- Unselect "All"
- Select Prevention Mode "Simulated"
- Click Apply
Right click the policy name and select "Update Actions for Multiple Events"
Uncheck "Simulation Mode" and then click OK.

Exporting certificates (including intermediate certificates) from IIS for WAF import

Andrew Davies — Tue, 19 Jan 2016 14:02:47 GMT

This article applies to:

WAF (WebDefend) 6.X
WAF (WebDefend) 7.X

Question:

How do I export certificates from an IIS server for import to WebDefend?
I need the export to include intermediate certificates.

Procedure:

Note: You can only use this procedure if the certificate Private Key was marked as "Exportable" in IIS.

On the IIS server, click Start -> Run
Type mmc and then click OK
In the Microsoft Management Console (MMC), click File -> Add/Remove Snap-in…
Select Certificates and then click Add
Select Computer Account, and then click Next
Select Local Computer and then click Finish
On the Add/Remove Snap-ins window, click OK.
- You will see the Certificates Snap-In in the MMC menu tree.
Expand the Certificates tree and find the certificate of your website (usually under Certificates -> Personal -> Certificates)
Right click your certificate and click All Tasks -> Export
The Certificate Export Wizard opens. Click Next
Select Yes, export the private key and click Next
Select Personal Information Exchange – PKCS #12 (.PFX)
Select include all certificates… to include the intermediate certificates.
Enter a the password to secure the exported .pfx certificate file.
Pick a location to save the exported .pfx certificate file, and then click -> Save -> Finish

Information to gather when a WAF disk drive is suspected to have failed

Andrew Davies — Tue, 19 Jan 2016 13:56:28 GMT

This article applies to:

WAF 6.x
WAF 7.x

Question:

What information do I need to gather when a WAF disk drive is not functioning correctly?

Information:

When you have an issue with a disk (led is blinking, corrupted data) please deliver the results of the following commands to support or the RMA team:

# rpm -q bwd

# df -hl

# cat /proc/mdstat

# ll /dev/disk/by-id

# dmidecode --s system-serial-number

If the serial number is 0123456789 you will need to physically look for the serial number on top of the appliance

# In Main Menu in bgoperator 3, 6, 1 network settings

Expected output:

The text below shows samples of the expected output of the above commands.

[root@waf31c ~]# rpm -q bwd

bwd-9.03.112-1.x86_64

[root@waf31c ~]# df -hl

Filesystem Size Used Avail Use% Mounted on/dev/md2 9.7G 2.3G 6.9G 25% /tmpfs 3.9G 0 3.9G 0% /dev/shm/dev/md0 122M 24M 92M 1% /boot/dev/md3 251M 11M 228M 5% /meta/dev/md4 205G 7.3G 187G 4% /opt/dev/sda3 9.5G 151M 8.9G 2% /sys-a/dev/sdb3 9.5G 151M 8.9G 2% /sys-btmpfs 64M 0 64M 0% /tmp/ha

[root@waf31c ~]# cat /proc/mdstat

Personalities : [raid1]md0 : active raid1 sdb1[1] sda1[0](F)128448 blocks super 1.0 [2/1] [_U]md4 : active raid1 sdb7[1] sda7[2](F)221222976 blocks [2/1] [_U]md3 : active raid1 sda6[0](F) sdb6[1]264768 blocks super 1.1 [2/1] [_U]md2 : active raid1 sda2[0](F) sdb2[1]10233152 blocks super 1.1 [2/1] [_U]bitmap: 1/1 pages [4KB], 65536KB chunkmd1 : active raid1 sda5[0](F) sdb5[1]2095360 blocks super 1.1 [2/1] [_U]unused devices: <none>

[root@waf31c ~]# ll /dev/disk/by-id

total 0lrwxrwxrwx 1 root root 9 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4 -> ../../sdblrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part1 -> ../../sdb1lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part2 -> ../../sdb2lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part3 -> ../../sdb3lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part4 -> ../../sdb4lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part5 -> ../../sdb5lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part6 -> ../../sdb6lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0KLR4-part7 -> ../../sdb7lrwxrwxrwx 1 root root  9 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX -> ../../sdalrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part1 -> ../../sda1lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part2 -> ../../sda2lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part3 -> ../../sda3lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part4 -> ../../sda4lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part5 -> ../../sda5lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part6 -> ../../sda6lrwxrwxrwx 1 root root 10 Feb 4 08:46 ata-ST3250310NS_9SF0MBTX-part7 -> ../../sda7lrwxrwxrwx 1 root root  9 Feb 4 08:46 md-name-waf31c:0 -> ../../md0lrwxrwxrwx 1 root root  9 Feb 4 03:46 md-name-waf31c:1 -> ../../md1lrwxrwxrwx 1 root root  9 Feb 4 08:46 md-name-waf31c:2 -> ../../md2lrwxrwxrwx 1 root root  9 Feb 8 03:00 md-name-waf31c:3 -> ../../md3lrwxrwxrwx 1 root root  9 Feb 4 03:46 md-uuid-12198bbc:3ec91bc8:b2010931:c581b7f6 -> ../../md1lrwxrwxrwx 1 root root  9 Feb 8 03:00 md-uuid-77fd604f:f87dbab6:20a6910c:7918f093 -> ../../md3lrwxrwxrwx 1 root root  9 Feb 4 08:46 md-uuid-84e8994b:f534f554:54f6b785:dc90e134 -> ../../md2lrwxrwxrwx 1 root root  9 Feb 8 03:00 md-uuid-9c7dec9d:176c3fdd:18d80d8f:56da7de0 -> ../../md4lrwxrwxrwx 1 root root  9 Feb 4 08:46 md-uuid-eb30d58f:8af9dca6:2e13a776:ae3e9df8 -> ../../md0lrwxrwxrwx 1 root root  9 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4 -> ../../sdblrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part1 -> ../../sdb1lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part2 -> ../../sdb2lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part3 -> ../../sdb3lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part4 -> ../../sdb4lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part5 -> ../../sdb5lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part6 -> ../../sdb6lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0KLR4-part7 -> ../../sdb7lrwxrwxrwx 1 root root  9 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX -> ../../sdalrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part1 -> ../../sda1lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part2 -> ../../sda2lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part3 -> ../../sda3lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part4 -> ../../sda4lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part5 -> ../../sda5lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part6 -> ../../sda6lrwxrwxrwx 1 root root 10 Feb 4 08:46 scsi-SATA_ST3250310NS_9SF0MBTX-part7 -> ../../sda7lrwxrwxrwx 1 root root  9 Feb 4 08:46 wwn-0x5000c5001058e3ca -> ../../sdalrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part1 -> ../../sda1lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part2 -> ../../sda2lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part3 -> ../../sda3lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part4 -> ../../sda4lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part5 -> ../../sda5lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part6 -> ../../sda6lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001058e3ca-part7 -> ../../sda7lrwxrwxrwx 1 root root  9 Feb 4 08:46 wwn-0x5000c5001063e3cf -> ../../sdblrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part1 -> ../../sdb1lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part2 -> ../../sdb2lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part3 -> ../../sdb3lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part4 -> ../../sdb4lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part5 -> ../../sdb5lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part6 -> ../../sdb6lrwxrwxrwx 1 root root 10 Feb 4 08:46 wwn-0x5000c5001063e3cf-part7 -> ../../sdb7

Adding licenses from the console

Andrew Davies — Tue, 19 Jan 2016 13:54:24 GMT

This article applies to:

WAF/WebDefend 5.x and above

Question:

Need to add or renew licenses

Procedure:

All WebDefend appliances must be appropriately licensed. If the WebDefend system includes one or more virtual WebDefend appliances, the system must be activated as well.

Licenses and activation are managed in the License Management window, which can be displayed by selecting the License Management option from the Tools menu.

(Tools > License Management - load license)

Notes:

This information is also found in the Getting Started and Users Guides.

Where to find WebDefend manuals

Andrew Davies — Tue, 19 Jan 2016 13:52:10 GMT

This article applies to:

WAF/WebDefend 5.x and above.

Question:

Where can I find the manuals for my installed WebDefend?

Reply:

If the WebDefend console is installed on a workstation, the manuals can be in the Trustwave console folder.
The manuals are also installed on the back end server. You can use WinSCP to connect. The path where manuals are stored is /opt/breach/bwd/installation/console

WebDefend default user names for GUI console and back end

Andrew Davies — Tue, 19 Jan 2016 13:50:02 GMT

This article applies to:

WAF/WebDefend 5.x

Question:

What are the default users created on a WebDefend system?

Reply:

The default Console user is bgadmin

Back end users are ha, bus, bgoperator, bgse, and su (root).

ha - high availability management
bus - upgrade management
bgse - special user - used for ssh login

Starting and stopping services from the Maintenance menu (bgoperator)

Andrew Davies — Tue, 19 Jan 2016 13:49:16 GMT

This article applies to:

WAF/WebDefend 5.x and up.

Question:

How do I stop or start services via the Maintenance tool?

Procedure:

Log in to the back end as user bgoperator.
From the Maintenance tool 1 Online Menu > 1 -- WebDefend System Commands Menu >

From this menu you can stop, start, or restart services.

------------------------------
WebDefend System Commands Menu
------------------------------
1 -- WebDefend System Status
2 -- Start WebDefend System
3 -- Stop WebDefend System
4 -- Restart WebDefend System
q -- Return to Previous Menu
? -- Help

Outlook Web Access and Outlook Anywhere Support

Andrew Davies — Tue, 19 Jan 2016 13:48:58 GMT

This article applies to:

All versions of WAF

Question:

Do you have any documented guidance for implementing Outlook Web Access or Outlook Anywhere (Outlook installed on a laptop with access over both the LAN and internet) with the WAF?

Information:

WAF can be used with Outlook Web Access (OWA), the website based application.
WAF does not currently support Outlook Anywhere. Outlook Anywhere uses Microsoft’s RPC over HTTP protocol, which is a very specific protocol that WAF does not currently process.
Trustwave is investigating adding support for the native Outlook-Exchange Server protocol when the appliance is configured for inline mode.

Syslog no longer working after upgrading to 7.0

Andrew Davies — Tue, 19 Jan 2016 13:47:49 GMT

This article applies to:

WAF 7.0

Symptoms:

Syslog server settings have not changed.
Since upgrading to version 7.0 we see the following error message:
Failed to set default Syslog configuration [1008] - Sending Syslog message failed

Information:

To resolve this issue:

Test whether any alerts are working (such as email alerts).
Test communication from WAF sensor to syslog server. Use the same protocol as in the site's settings. If it is UDP, check whether the message appears in the syslog server.

Workaround:

If connection is not successful, create a NAT IP address for the syslog server on the same subnet as the management IP and use that IP address to connect.

The syslog server is actually connected to the same subnet as the bridge IP. Using that IP does not work in version 7.0 (it did work in version 6.2).

Notes:

The described behavior is considered a bug. Trustwave plans to correct the problem in a forthcoming release of WAF.

After upgrading to 7.0, Manger drops sensor connectivity

Andrew Davies — Tue, 19 Jan 2016 13:46:59 GMT

This article applies to:

WebDefend 7.0
WebDefend 7.0 SP1

Question:

After upgrading to 7.0, we get numerous system events of manger and sensor connectivity lost.
After upgrading to 7.0, the WebDefend appliance is continuously locking up and requires a physical reboot.
There have been no network changes or unusual events.

Procedure:

To verify the issue, log in as root using PuTTY and enter the following command:

cd /opt/breach/bwd/logs

If you see numerous coredumps here this is likely to be due to a known issue with these versions.

The issue is that the online updates and reputation services cause WebDefend (7.0 or 70. SP1) to drop services. This can result in the appliance becoming unresponsive and requiring a physical reboot.

Resolution:

This issue is resolved by upgrading to version 7.0 SP2 and applying HF2.

Importing an export (restoring from backup)

Andrew Davies — Tue, 15 Dec 2015 13:08:58 GMT

This article applies to:

WAF 5.x and above.

Question:

How can I import backup configuration and data?

Procedure:

You perform the import using the Maintenance tool in bgoperator.

Use WinSCP to copy the backup to user bgse. The files will be in /home/bgse/pub
- For a standalone installation, copy both manager and sensor backups.
- For a manager only the manager backup is required.
- For a sensor only the sensor backup is required.
Once you have copied the backups to the /pub file, run bgoperator.
Select 2 offline menu, then 2 Import Export menu.
You will be asked to enter the file(s) paths. Enter these as absolute paths, for instance, /home/bgse/pub/managerbackup.tgz

---------Main Menu---------1 -- Online Menu2 -- Offline Menu3 -- System Menu? -- Help[1]>2 ------------Offline Menu------------1 -- Configuration Menu2 -- Import - Export Menu3 -- System Events Menu4 -- DB maintenance Menu5 -- License Management Menu6 -- Audit Log Menuq -- Return to Previous Menu? -- Help

Disabling SSLv3 to mitigate the CVE-2014-3566 (Poodle) vulnerability

Andrew Davies — Tue, 15 Dec 2015 13:07:00 GMT

This article applies to:

WebDefend 7.0 or higher

Question:

How can I disable SSLv3 on WebDefend?
How can I correct WebDefend configuration to protect against CVE-2014-3566 (Poodle)?

Procedure:

Note: This procedure applies only to Inline deployments and is not valid for management traffic.

For WebDefend version 7.0 and up:

Log in to the active node via SSH as bgse
Switch to root:

# su -
Stop WebDefend services.

# service all_services_init stop
Back up the existing gsp.conf file

# cp -p /opt/breach/bwd/conf/gsp.conf /opt/breach/bwd/conf/gsp.conf.ssl
Edit the gsp.conf file:

# vi /opt/breach/bwd/conf/gsp.conf
Add the following line in the [GSP_GENERAL] section:

IL_DEFAULT_SSL_PROTOCOL = TLSv1|TLSv1.1|TLSv1.2

For example, change:

[GSP_GENERAL]
GSP_NAME = TEST

to:

[GSP_GENERAL]
GSP_NAME = TEST
IL_DEFAULT_SSL_PROTOCOL = TLSv1|TLSv1.1|TLSv1.2
Save the file
Start WebDefend services:

# service all_services_init start

For other versions of WebDefend:

In point 6 of the above

procedure, do not set IL_DEFAULT_SSL_PROTOCOL
Instead, for each site add the following lines in gsp.conf

IL_CLIENT_SSL_PROTOCOLS= TLSv1|TLSv1.1|TLSv1.2
IL_SERVER_SSL_PROTOCOLS= TLSv1|TLSv1.1|TLSv1.2

Disabling SSLv3 and RC4 ciphers in Inline deployment

Piotr Dłubisz — Fri, 11 Sep 2015 05:29:17 GMT

This article applies to:

WebDefend 7.1 or higher

Question:

How can I disable SSLv3 and RC4 ciphers in inline deployment?

Procedure:

Log in to the active node via SSH as bgse
Switch to root:

# su -
Stop WebDefend services:

# service all_services_init stop
Back up the existing gsp.conf file.

# cp -p /opt/breach/bwd/conf/gsp.conf /opt/breach/bwd/conf/gsp.conf.ssl
Check your current configuration:

# grep IL_ /opt/breach/bwd/conf/gsp.conf
If in the output you see entries starting with IL_CLIENT_SSL_CIPHERS or IL_SERVER_SSL_CIPHERS
- Remove the lines starting with IL_CLIENT_SSL_CIPHERS and IL_SERVER_SSL_CIPHERS from the gsp.conf file.
If in the output you see entries starting with IL_DEFAULT_SSL_PROTOCOL and IL_DEFAULT_SSL_CIPHERS
- See the steps below and edit the lines in the gsp.conf file to match the information shown.
Edit the gsp.conf file:

# vi /opt/breach/bwd/conf/gsp.conf

Add the following lines in the [GSP_GENERAL] section:

IL_DEFAULT_SSL_PROTOCOL = TLSv1|TLSv1.1|TLSv1.2IL_DEFAULT_SSL_CIPHERS = EECDH+aRSA+AES:+aRSA+CBC:+aRSA+AES256:EECDH+aRSA+3DES:RSA+3DES:RSA+AES:!SSLv2:!EXPORT:!LOW

For example change:

[GSP_GENERAL]GSP_NAME = TEST

to:

[GSP_GENERAL]GSP_NAME = TESTIL_DEFAULT_SSL_PROTOCOL = TLSv1|TLSv1.1|TLSv1.2IL_DEFAULT_SSL_CIPHERS = EECDH+aRSA+AES:+aRSA+CBC:+aRSA+AES256:EECDH+aRSA+3DES:RSA+3DES:RSA+AES:!SSLv2:!EXPORT:!LOW

Save the file and start webdefend services:

# service all_services_init start

If you notice any problems with starting services after making the changes above, revert the changes

# service all_services_init stop# cp -p /opt/breach/bwd/conf/gsp.conf.ssl /opt/breach/bwd/conf/gsp.conf# service all_services_init start

Do hotfixes have to be applied to both Sensors in a High Availability pair?

Andrew Davies — Wed, 09 Sep 2015 17:06:24 GMT

This article applies to:

WAF 7.0
WAF 7.1
WAF 7.5

Question:

Do hotfixes have to be applied to both Sensors in a High Availability (HA) pair?

Reply:

In most cases you do not have to take special action in a HA environment.

The hotfixes normally reside in the opt partition. In this case, when you apply them to the Active Sensor, they will automatically apply to the other Sensor when the WAF fails over.

Configuring WAF to use | as delimiter instead of in syslog messages

Piotr Dłubisz — Thu, 23 Jul 2015 03:01:05 GMT

This article applies to:

WebDefend (WAF) 7.1 or higher

Question:

How can I configure WAF to use | as delimiter instead of the text <PIPE> in syslog messages?

Procedure:

Log in to WebDefend via ssh as bgse user.
Switch to root:

# su -
Stop WebDefend services:

# service all_services_init stop
Make a backup of the gsp.conf file:

# cp -p /opt/breach/bwd/conf/gsp.conf /opt/breach/bwd/conf/gsp.conf.pipe
Edit the gsp.conf file:

# vi /opt/breach/bwd/conf/gsp.conf
Add the following line in the [GSP_GENERAL] section:

SYSLOG_PIPE_ESCAPING = false

The section should appear similar to the following (depending on other settings):

[GSP_GENERAL]
GSP_NAME = TEST
IL_DEFAULT_SSL_PROTOCOL = TLSv1|TLSv1.1|TLSv1.2
SYSLOG_PIPE_ESCAPING = false
Start WebDefend services:

# service all_services_init start

Example log line before the change:

Jul 21 14:23:25 10.92.208.197 Jul 21 07:00:01 10.92.208.197 TRUSTWAVE_WAF<PIPE>Name:System command injection - Pattern: [cmd.exe]<PIPE>Result_CAT:Attempt<PIPE>Severity:5<PIPE>Source:10.244.1.166<PIPE>Country:N/A<PIPE>Country_ID:--<PIPE>Site:WWW.WARSAW.LOCAL<PIPE>Host:www.warsaw.local<PIPE>URL:/<PIPE>Method:POST<PIPE>Query: <PIPE>Status:200<PIPE>Entry_Type:58823<PIPE>Exit_Type:0<PIPE>Exit_Event: <PIPE>

Example log line after the change:

Jul 21 16:29:41 10.92.208.197 Jul 21 09:06:18 10.92.208.197 TRUSTWAVE_WAF|Name:System command injection - Pattern: [cmd.exe]|Result_CAT:Attempt|Severity:5|Source:10.244.1.166|Country:N/A|Country_ID:--|Site:WWW.WARSAW.LOCAL|Host:www.warsaw.local|URL:/|Method:POST|Query: |Status:200|Entry_Type:58823|Exit_Type:0|Exit_Event: |

Configuring multiple reverse proxy IPs in Amazon Machine Images (AMI)

Andrew Davies — Mon, 01 Jun 2015 12:46:17 GMT

This article applies to:

WAF 7 SP1
WAF 7.1

Question:

What are the steps for the initial configuration for a Manager and a Sensor?
Where do I set the management IP?
How can I configure MULTIPLE reverse proxy IPs in Amazon Machine Images (AMI)?

Information:

When you configure the NICs for the WAF, you create ENIs (Elastic network interfaces).

One ENI is required for management and at least one ENI for Web traffic.

Each ENI can hold multiple secondary private IP addresses.

The number of ENIs per instance and max number of private IP addresses per ENI depends on the instance type and can be found in Amazon documentation:

Private IP Addresses Per ENI Per Instance Type

Each ENI private IP address can be linked to an Elastic IP address (public IP). More details in Amazon documentation:

Associating an Elastic IP Address with the Secondary Private IP Address.

Remember that when you define a site at the WAF console, you always use the private IP addresses.

The WAF is not aware of the site's public IP addresses.

Assigning a secondary private IP address

To assign a secondary private IP address when launching an instance in EC2-VPC (Note: these instructions are taken from Amazon documentation on Multiple Private IP Addresses)

Open the Amazon EC2 console.
Click the Launch Instance button.
Choose an AMI and click its Select button, then choose an instance type and click Next: Configure Instance Details.
On the Configure Instance Details page, choose a VPC from the Network list, and a subnet from the Subnet list.
In the Network Interfaces section, click Add Device to add another network interface. The console enables you specify up to 2 network interfaces when you launch an instance.
1. After you launch the instance, click Network Interfaces in the navigation pane to add additional network interfaces. The total number of network interfaces that you can attach varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type.
2. For each network interface, you can specify a primary private IP address, and one or more secondary private IP addresses. Normally, accept the IP address that is automatically assigned.
3. Under Secondary IP addresses, click Add IP, and then enter a private IP address in the subnet range, or accept the default, Auto-assign.
  - Important: After you have added a secondary private IP address to a network interface, you must connect to the instance and configure the secondary private IP address on the instance itself. For more information, see Configuring the Operating System on Your Instance to Recognize the Secondary Private IP Address.
4. Click Next: Add Storage.
On the Add Storage page, you can specify volumes to attach to the instance in addition to the volumes specified by the AMI (such as the root device volume), and then click Next: Tag Instance.
On the Tag Instance page, specify tags for the instance, such as a user-friendly name, and then click Next: Configure Security Group.
On the Configure Security Group page, select an existing security group or create a new one. Click Review and Launch.
On the Review Instance Launch page, review your settings, and then click Launch to choose a key pair and launch your instance. If you do not have any existing EC2 key pairs, the wizard prompts you to create one.