Jump to content


Photo

Log Action Blocked But Mode Passive


  • Please log in to reply
No replies to this topic

#1 Gaurav Grover

Gaurav Grover
  • Members
  • 1 posts

Posted 02 April 2019 - 05:31 PM

Hi,

We've been analyzing an issue where we saw multiple 503s logged at the barracuda level. At the same time the end point that it was invoking was not throwing any 500s. The barracuda configuration is set to be passive however in the logs, the action is stated as blocked. Below is an example

Apr 2 19:04:07 DestinationIP 2019-04-02 12:04:07.156 -0700 WAFName TR DestinationIP DestPort ProxyIP ProxyPort "-" "-" GET TLSv1.2 ServiceDNSName HTTP/1.1 503 494 785 SERVER DEFAULT PASSIVE VALID uripath ProxyIP ProxyPort 2

 

The logs are captured in splunk and one of the above values is mapped to 503 & Blocked.