[AF] WAF policy configured for password brute-force attack protection (after 8035), but an attack simulated with xhack is shown as successful
Problem Description
In AF 8.0.35, after password brute-force attack protection is configured in the Web App Firewall policy, the xhack tool is used to simulate an attack. The tool shows that the attack is successful, but no attack log appears on the AF.
Effective troubleshooting steps
- Confirm the customer's network topology and make sure the traffic passes through the AF.
- Check the device policies and make sure they are configured correctly. For the configuration of the brute-force attack protection policy in WAF, refer to: Configuration example of password brute force cracking and weak password detection rules after 8035
- Check the device whitelist, direct access, and WAF exclusion policies to make sure no matching entry has been added to any of them.
- R&D analysis found that the xhack tool brute-forces against the WAF policy with the same account and password. The attack is repeated multiple times without changing the password. In this case the device policy cannot be triggered; different accounts or different passwords are required.
- When brute-force attacks are simulated with different accounts and passwords, the device behaves normally.
Root cause
The xhack tool uses the same account and password for multiple attacks without changing the password. Password brute-force attack protection in the WAF policy on the AF is triggered only by continuous attacks that use different accounts or different passwords.
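A minimal sketch of the counting behaviour described in the root cause, added here as an illustration and not Sangfor's implementation: the detector counts distinct account/password pairs per source, so replaying one pair never reaches the threshold. The window, threshold, event format and IP addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed sliding window, not an AF default
DISTINCT_THRESHOLD = 5   # assumed number of distinct credential pairs


def detect_bruteforce(events, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return the set of source IPs flagged as brute-forcing.

    events: (timestamp_seconds, src_ip, account, password) tuples for
    failed logins, sorted by timestamp. A source is flagged when it
    submits at least `threshold` distinct (account, password) pairs
    within `window` seconds. Replays of one pair do not raise the count.
    """
    recent = defaultdict(deque)   # src_ip -> attempts inside the window
    flagged = set()
    for ts, src, account, password in events:
        attempts = recent[src]
        attempts.append((ts, account, password))
        # Drop attempts that have aged out of the sliding window.
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        distinct = {(a, p) for _, a, p in attempts}
        if len(distinct) >= threshold:
            flagged.add(src)
    return flagged


def sample_events():
    """Constructed failed-login events (documentation IP ranges)."""
    # Same account and same password repeated 20 times: the xhack case.
    same = [(t, "192.0.2.10", "admin", "123456") for t in range(20)]
    # One account, a different password on every attempt.
    diff_pw = [(t, "192.0.2.20", "admin", f"guess-{t}") for t in range(6)]
    # A different account on every attempt, same password.
    diff_acct = [(t, "192.0.2.30", f"user{t}", "123456") for t in range(6)]
    return sorted(same + diff_pw + diff_acct)


if __name__ == "__main__":
    # 192.0.2.10 is absent: 20 replays of one pair count as one credential.
    print(sorted(detect_bruteforce(sample_events())))
```

When validating a policy like this, the test traffic needs varying accounts or passwords, otherwise a missing log says nothing about whether the policy works.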
Solution
Use different accounts and passwords when simulating the brute-force attack. Interception then works normally and logs are generated normally.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1407&isOpen=true