WAD Debug:
First, collect the WAD debug output and identify which WAD worker process is handling the traffic of interest (traffic matching firewall policy ID 26). In this case it is PID 11340, as the [p:11340] tag on every entry below shows. Because the output is very similar to the one shown here, it was partially omitted; the focus of this article is the load-balancing mechanism.
DSRSD_FW # diagnose wad filter vd root
DSRSD_FW # diagnose wad filter firewall-policy 26
DSRSD_FW # diagnose debug console timestamp enable
DSRSD_FW # diagnose wad debug enable all
DSRSD_FW # diagnose wad debug display pid enable
DSRSD_FW # diagnose wad debug enable level verbose
DSRSD_FW # diagnose debug enable
Load Balancing based on HTTP Host.
[I]2024-09-02 15:06:20.975824 [p:11340][s:467757][r:3] wad_dump_http_request :2634 hreq=0x7f9cf0c048 Received request from client: 85.245.105.249:46864
GET / HTTP/1.1
Host: wss.dsrsd.pt:8444
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=0, i
[V]2024-09-02 15:06:20.975859 [p:11340][s:467757][r:3] wad_http_marker_uri :1272 path=/ len=1
[V]2024-09-02 15:06:20.975873 [p:11340][s:467757][r:3] wad_http_parse_host :1651 host_len=17 <-- (wss.dsrsd.pt:8444)
[V]2024-09-02 15:06:20.975883 [p:11340][s:467757][r:3] wad_http_parse_host :1687 len=12 <-- (wss.dsrsd.pt)
[V]2024-09-02 15:06:20.975892 [p:11340][s:467757][r:3] wad_http_parse_host :1696 len=4 <-- (8444)
[I]2024-09-02 15:06:20.975908 [p:11340][s:467757][r:3] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0
[V]2024-09-02 15:06:20.975919 [p:11340][s:467757][r:3] wad_http_normalize_uri :2305 host_len=12 path_len=1 query_len=0
[I]2024-09-02 15:06:20.975929 [p:11340][s:467757][r:3] wad_http_req_detect_special :15166 captive_portal detected: false, preflight=(null)
[I]2024-09-02 15:06:20.975943 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:20.975961 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:20.975972 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[V]2024-09-02 15:06:20.975986 [p:11340][s:467757][r:3] wad_http_req_exec_act :13686 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=1
[I]2024-09-02 15:06:20.976008 [p:11340][s:467757][r:3] wad_http_urlfilter_check :383 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2024-09-02 15:06:20.976023 [p:11340][s:467757][r:3] wad_http_req_proc_waf :1309 req=0x7f9cf0c048 ssl.deep_scan=0 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 skip_scan=0
[V]2024-09-02 15:06:20.976036 [p:11340][s:467757][r:3] wad_http_req_proc_antiphish :8383 No profile
[V]2024-09-02 15:06:20.976045 [p:11340][s:467757][r:3] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=2 pid=11340
[V]2024-09-02 15:06:20.976064 [p:11340][s:467757][r:3] wad_http_session_disconn_srv :1677 hcs=0x7f9de96938 http_svr=(nil)
[I]2024-09-02 15:06:20.976074 [p:11340][s:467757][r:3] wad_http_connect_srv :260 http ses=0x7f9de96938 req=0x7f9cf0c048 ses_ctx=0x7f9ddf8bf8 nontp(0) dst_type(1) req: dst:192.168.20.18:443, proto:10) connect svr orig 85.245.105.249:46864->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
[V]2024-09-02 15:06:20.976096 [p:11340][s:467757][r:3] wad_http_connect_srv :281 [0x7f9cf0c048] Connect to server: :0/192.168.20.18:443
[I]2024-09-02 15:06:32.202424 [p:11340][s:467800][r:4] wad_dump_http_request :2634 hreq=0x7f9acb5048 Received request from client: 85.245.105.249:33170
GET / HTTP/1.1
Host: fgt.dsrsd.pt:8444
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=0, i
[V]2024-09-02 15:06:32.202458 [p:11340][s:467800][r:4] wad_http_marker_uri :1272 path=/ len=1
[V]2024-09-02 15:06:32.202472 [p:11340][s:467800][r:4] wad_http_parse_host :1651 host_len=17 <-- (fgt.dsrsd.pt:8444)
[V]2024-09-02 15:06:32.202482 [p:11340][s:467800][r:4] wad_http_parse_host :1687 len=12 <-- (fgt.dsrsd.pt)
[V]2024-09-02 15:06:32.202491 [p:11340][s:467800][r:4] wad_http_parse_host :1696 len=4 <-- (8444)
[I]2024-09-02 15:06:32.202507 [p:11340][s:467800][r:4] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0
[V]2024-09-02 15:06:32.202517 [p:11340][s:467800][r:4] wad_http_normalize_uri :2305 host_len=12 path_len=1 query_len=0
[I]2024-09-02 15:06:32.202527 [p:11340][s:467800][r:4] wad_http_req_detect_special :15166 captive_portal detected: false, preflight=(null)
[I]2024-09-02 15:06:32.202542 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:32.202560 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:32.202572 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[V]2024-09-02 15:06:32.202585 [p:11340][s:467800][r:4] wad_http_req_exec_act :13686 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=1
[I]2024-09-02 15:06:32.202608 [p:11340][s:467800][r:4] wad_http_urlfilter_check :383 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2024-09-02 15:06:32.202624 [p:11340][s:467800][r:4] wad_http_req_proc_waf :1309 req=0x7f9acb5048 ssl.deep_scan=0 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 skip_scan=0
[V]2024-09-02 15:06:32.202652 [p:11340][s:467800][r:4] wad_http_req_proc_antiphish :8383 No profile
[V]2024-09-02 15:06:32.202662 [p:11340][s:467800][r:4] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=2 pid=11340
[V]2024-09-02 15:06:32.202681 [p:11340][s:467800][r:4] wad_http_session_disconn_srv :1677 hcs=0x7f9de96d40 http_svr=(nil)
[I]2024-09-02 15:06:32.202691 [p:11340][s:467800][r:4] wad_http_connect_srv :260 http ses=0x7f9de96d40 req=0x7f9acb5048 ses_ctx=0x7f9ddf9fd8 nontp(0) dst_type(1) req: dst:192.168.20.18:443, proto:10) connect svr orig 85.245.105.249:33170->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
[V]2024-09-02 15:06:32.202714 [p:11340][s:467800][r:4] wad_http_connect_srv :281 [0x7f9acb5048] Connect to server: :0/192.168.20.18:443
Now, with all of this information, it is possible to analyze the WAD debug more easily.
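Reading a long WAD debug capture by eye is error-prone, especially when the paste tool has run several entries together on one line as above. The following script is an added example written for this article, not a Fortinet tool: it splits run-together entries at the [I]/[V] prefix, groups them by the [s:session][r:request] tags, and for each request extracts the client address, the parsed Host header, the virtual server name and the real server the WAD chose. A small check at the end compares each Host to the backend an operator expects it to reach, which is the question this debug is normally collected to answer. The sample entries are copied from the log above; the expected-mapping table and the 192.168.20.19 backend in it are constructed for the demonstration.

```python
import re
from collections import OrderedDict

# Prefix of every WAD debug entry, e.g.
# "[I]2024-09-02 15:06:20.975824 [p:11340][s:467757][r:3] wad_http_connect_srv :260 ..."
ENTRY_RE = re.compile(
    r"\[(?P<level>[IV])\](?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\] "
    r"(?P<func>\w+) :(?P<srcline>\d+) (?P<msg>.*)"
)
# A new entry starts with "[I]" or "[V]" followed by a date; split there so that
# output pasted as one long line is still parsed entry by entry.
ENTRY_START_RE = re.compile(r"(?=\[[IV]\]\d{4}-\d{2}-\d{2} )")

CLIENT_RE = re.compile(r"Received request from client: (\S+)")
HOST_RE = re.compile(r"<-- \(([^)]+)\)")                      # wad_http_parse_host value
FOUND_RE = re.compile(r"(\d+):(\w+):\d+: found server: (\S+)")  # vs_check_dst_ovrd result
KERNEL_RE = re.compile(r"kernel choose the correct server")

# Constructed sample: a subset of the entries shown in this article, two requests.
SAMPLE_WAD_DEBUG = """\
[I]2024-09-02 15:06:20.975824 [p:11340][s:467757][r:3] wad_dump_http_request :2634 hreq=0x7f9cf0c048 Received request from client: 85.245.105.249:46864
[V]2024-09-02 15:06:20.975873 [p:11340][s:467757][r:3] wad_http_parse_host :1651 host_len=17 <-- (wss.dsrsd.pt:8444)
[V]2024-09-02 15:06:20.975883 [p:11340][s:467757][r:3] wad_http_parse_host :1687 len=12 <-- (wss.dsrsd.pt)
[I]2024-09-02 15:06:20.975943 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:20.975961 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:20.975972 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[I]2024-09-02 15:06:32.202424 [p:11340][s:467800][r:4] wad_dump_http_request :2634 hreq=0x7f9acb5048 Received request from client: 85.245.105.249:33170
[V]2024-09-02 15:06:32.202472 [p:11340][s:467800][r:4] wad_http_parse_host :1651 host_len=17 <-- (fgt.dsrsd.pt:8444)
[I]2024-09-02 15:06:32.202572 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
"""

# Constructed sample of three entries run together on a single line.
FLATTENED = (
    "[V]2024-09-02 15:06:20.975859 [p:11340][s:467757][r:3] wad_http_marker_uri :1272 path=/ len=1 "
    "[V]2024-09-02 15:06:20.975873 [p:11340][s:467757][r:3] wad_http_parse_host :1651 host_len=17 <-- (wss.dsrsd.pt:8444) "
    "[I]2024-09-02 15:06:20.975908 [p:11340][s:467757][r:3] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0"
)

# Constructed expectation (hypothetical): fgt.dsrsd.pt is assumed to belong on a second real server.
EXPECTED_BACKENDS = {"wss.dsrsd.pt": "192.168.20.18:443", "fgt.dsrsd.pt": "192.168.20.19:443"}


def split_entries(text):
    """Return the individual WAD entries in text, even when several share one line."""
    entries = []
    for line in text.splitlines():
        for piece in ENTRY_START_RE.split(line):
            piece = piece.strip()
            if piece:
                entries.append(piece)
    return entries


def parse_entry(entry):
    """Parse the entry prefix; raw HTTP dump lines (GET / ..., headers) return None."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "sid", "rid", "srcline"):
        d[k] = int(d[k])
    return d


def summarize(text):
    """Group entries by (session, request) and extract client, Host, virtual server and backend."""
    reqs = OrderedDict()
    for entry in split_entries(text):
        e = parse_entry(entry)
        if e is None:
            continue
        r = reqs.setdefault((e["sid"], e["rid"]), {
            "pid": e["pid"], "sid": e["sid"], "rid": e["rid"], "ts": e["ts"],
            "client": None, "host_header": None, "host": None,
            "vs": None, "backend": None, "kernel_pick": False})
        msg = e["msg"]
        if e["func"] == "wad_dump_http_request":
            m = CLIENT_RE.search(msg)
            if m:
                r["client"] = m.group(1)
        elif e["func"] == "wad_http_parse_host":
            m = HOST_RE.search(msg)
            if m and r["host_header"] is None:           # first value is the full host[:port]
                r["host_header"] = m.group(1)
                r["host"] = m.group(1).rsplit(":", 1)[0]  # strip :port (assumes no IPv6 literal)
        elif e["func"] == "wad_http_vs_check_dst_ovrd":
            if KERNEL_RE.search(msg):
                r["kernel_pick"] = True
            m = FOUND_RE.search(msg)
            if m:
                r["vs"], r["backend"] = m.group(2), m.group(3)
    return list(reqs.values())


def check_routing(requests, expected):
    """Return (host, chosen_backend, expected_backend) for every request that did not land
    where the operator expects; hosts missing from `expected` show expected=None."""
    return [(r["host"], r["backend"], expected.get(r["host"]))
            for r in requests if r["backend"] != expected.get(r["host"])]


if __name__ == "__main__":
    reqs = summarize(SAMPLE_WAD_DEBUG)
    for r in reqs:
        print(f'{r["ts"]} s:{r["sid"]} r:{r["rid"]} {r["client"]} Host={r["host_header"]} '
              f'-> {r["vs"]} {r["backend"]} kernel_pick={r["kernel_pick"]}')
    print("mismatches:", check_routing(reqs, EXPECTED_BACKENDS))
```

Feed it the full capture (diagnose output saved from the console) and the mismatch list shows at a glance which Host headers were sent to an unexpected real server, which is the usual symptom when a virtual server's host matching or persistence is misconfigured.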