Modify the WAF Policy to Resolve an App Issue

  1. In Firefox, open a new tab, then click the Arcadia Finance (N+) bookmark or navigate to
  1. You should see a partially blank page load as shown below.
  1. Now, click on the Arcadia Finance (DIY) bookmark or navigate to
  1. Notice that this page includes more images than the Arcadia Finance (N+) page.
  1. Load the Arcadia Finance (N+) bookmark again. Right-click in the middle of the white space in the browser where the banner image should have loaded. Click Open Image in New Tab on the context menu that appears.
  1. Click on the Custom Reject Page that loads in the new tab.
  1. You should see the custom reject page as shown below:
  1. NGINX App Protect redirected us to this page. Notice that a support ID is generated when the page loads. You can use this ID to identify the cause of the image block. Select and copy this value so that you can search for it in NMS-SM.
  1. Return to NMS and navigate to Security Monitoring by clicking the drop-down in the top left of the screen and selecting Security Monitoring.
  1. You’ll be presented with the Security Monitoring landing page, as shown below:
  1. On the left menu, select Support ID Details.
  1. You’ll be prompted for your support ID.
  1. Enter your support ID into the search field and click the arrow to search.


Any time you encounter a support ID in this lab, feel free to return to this tool to look at the details of the attack and mitigation.

  1. Once the security event has loaded, you can see details surrounding the violation that is blocking images on your app.
  1. Notice that the image URI is listed as /images/slider/slide-3.jpg.
  1. If you scroll down to the Attack Details section, you can expand the individual sections showing Violations, Sub-violations, CVEs, and Threat Campaigns.
  1. Notice that the Violations section shows a single violation: Illegal File Type.
  1. You need to allow JPG files to enable the application to operate properly by modifying the WAF policy. Start that process by navigating back to Instance Manager from the Select module drop-down at the top of the left menu bar.
  1. Inside of the Instance Manager dashboard, click on App Protect towards the bottom of the left menu bar.
  1. Click on the AgilityPolicy in the policy list.
  1. Now, click on the Policy Versions tab inside of the Policy Detail page.
  1. Click on the version name under the Versions column in the list.
  1. The JSON configuration of the policy will be displayed, as shown below:
  1. To modify the policy based on this version of the policy, click Edit Version.
  1. Provide a description of the changes you’ll be making in the Description field.
  1. Place your mouse cursor inside the policy editor. Press CTRL+F to open the search dialog.
  1. Search for “jpg” and you’ll find on line 240 that JPG files are not being allowed. Modify line 241 to change "allowed": false to "allowed": true. Note that false and true are not encapsulated in quotation marks.
  1. Click the Save New Version button to create a new version of the policy.
  1. You will see confirmation that the new version has been created.
  1. Click on the policy name at the top of the screen.
  1. Select the Policy Versions tab.
  1. Notice the new policy version is now listed.
  1. Return to the Instances and Instance Groups tab.
  1. Now click on the Assign Policy and Signature Versions button above the instance list.
  1. Notice that the version listed in the Policy Version column is in a drop-down box. You may need to hover your mouse arrow over this section to see the drop-down appear.
  1. Change this to your newer version (compare timestamps) and click Publish.
  1. A pop-up will confirm that you have changed the version.
  1. Click X to close the confirmation window.
  1. Click Cancel to close the assignment window.
  1. On the top of the left menu bar, click Instances.
  1. Select the nginx-plus-1 instance from the list.
  1. Look for the deployment status in the Last Deployment Details section. You should see a status of Finalized. If not, wait a few moments for the deployment to commence and complete. You may need to refresh your browser for the status to update.

Deployment not finished


Deployment finished

  1. Once the deployment has finished, check the site to see if the issue is remediated. In Firefox, open a new tab and click on the Arcadia Finance (N+) bookmark. Notice that the images are now loading successfully.


If images do not load, press CTRL + Shift + R to force the browser to fully reload the page.


Now that you have viewed, diagnosed and remedied a false positive in a WAF policy, continue to the next section of the lab.
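
The policy edit made in the editor above (changing the jpg entry to "allowed": true as an unquoted JSON boolean) can also be checked on an exported policy file. The following Python is an added example, not part of the lab or of NGINX tooling; the sample policy is constructed and only mirrors the filetypes layout of an App Protect policy, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample, not the lab's AgilityPolicy: a minimal policy using the
# App Protect declarative layout (policy -> filetypes -> name / allowed).
SAMPLE_POLICY = json.loads("""
{
  "policy": {
    "name": "example_policy",
    "enforcementMode": "blocking",
    "filetypes": [
      {"name": "*", "type": "wildcard", "allowed": true},
      {"name": "jpg", "allowed": false},
      {"name": "bat", "allowed": false}
    ]
  }
}
""")


def blocked_filetypes(policy):
    """Names of file types the policy explicitly disallows."""
    return [e["name"] for e in policy["policy"].get("filetypes", [])
            if e.get("allowed") is False]


def mistyped_allowed(policy):
    """Entries whose "allowed" is present but not a JSON boolean, e.g. "true"."""
    return [e["name"] for e in policy["policy"].get("filetypes", [])
            if "allowed" in e and not isinstance(e["allowed"], bool)]


def allow_filetype(policy, ext):
    """Return a copy of the policy with the explicit entry for ext allowed."""
    patched = copy.deepcopy(policy)
    hits = [e for e in patched["policy"].get("filetypes", [])
            if e.get("name", "").lower() == ext.lower()]
    if not hits:
        raise KeyError(f"no filetypes entry named {ext!r}; nothing changed")
    for entry in hits:
        entry["allowed"] = True  # Python True serializes to unquoted JSON true
    return patched


if __name__ == "__main__":
    fixed = allow_filetype(SAMPLE_POLICY, "jpg")
    print("blocked before:", blocked_filetypes(SAMPLE_POLICY))
    print("blocked after: ", blocked_filetypes(fixed))
    print(json.dumps(fixed["policy"]["filetypes"], indent=2))
```

Only the jpg entry changes; the other disallowed file type in the sample (bat) stays blocked.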