Attack Detection failure-limits are exceeded very frequently


Article ID: 168276


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


Clients are frequently placed on the attack-detection block list because their failure count exceeds the configured failure limit.


Starting with SGOS 6.5.x, any HTTP response with a 4XX status (except 401 and 407) or a 5XX status is counted as a failure. Requests denied by policy also increment this count, because the policy_denied exception is returned to the client as an HTTP 403.


There are two ways to address this: stop counting 403 responses as failures, or raise the failure limit in the attack-detection configuration. The sample policy below takes the first approach and sets the failure weight of 403 responses and policy-denied requests to zero.

<Proxy>
http.response.code=403 attack_detection.failure_weight(0) ; Do not count a 403 HTTP response received from the destination server as an attack-detection failure.

<Exception>
exception.id=policy_denied attack_detection.failure_weight(0) ; Do not count a request for which the proxy will send the policy_denied exception as an attack-detection failure.

Note: If a user-defined exception is used instead of the default policy_denied exception, replace the exception id policy_denied in the second rule with user_defined.exception_name, where exception_name is the name of the custom exception.
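To see why a client that is only being denied by policy can still hit the failure limit, the following script models the counting rule described above and runs it over a few constructed access-log records. This is an added illustration written for this article, not SGOS code: the default weighting (every 4XX except 401 and 407, and every 5XX, counts as one failure), the effect of the two failure_weight(0) rules, and the "count greater than limit" comparison are simplifications of the appliance's behaviour, and the log lines are constructed ELFF records parsed via their #Fields: header rather than a capture from a real proxy.

```python
"""Model of ProxySG attack-detection failure weighting over sample access-log lines.

Added illustration, not SGOS code. It reproduces the counting rule the article
describes (4XX except 401/407, and 5XX, count as one failure; a policy_denied
exception is itself a 403) and compares the default weighting against the two
failure_weight(0) overrides. SAMPLE_LOG is constructed, not a real capture.
"""
from collections import Counter

# Constructed ELFF-style log: the #Fields: header names the columns, as in real
# ProxySG access logs, so the parser does not depend on the default field order.
SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Fields: date time c-ip x-exception-id sc-status cs-method cs-host
2024-01-01 10:00:01 10.0.0.5 - 200 GET intranet.example
2024-01-01 10:00:02 10.0.0.5 policy_denied 403 GET blocked.example
2024-01-01 10:00:03 10.0.0.5 policy_denied 403 GET blocked.example
2024-01-01 10:00:04 10.0.0.5 policy_denied 403 GET blocked.example
2024-01-01 10:00:05 10.0.0.5 - 403 GET origin-denies.example
2024-01-01 10:00:06 10.0.0.5 - 407 GET intranet.example
2024-01-01 10:00:07 10.0.0.9 - 404 GET typo.example
2024-01-01 10:00:08 10.0.0.9 - 500 GET broken.example
2024-01-01 10:00:09 10.0.0.9 - 200 GET ok.example
"""


def parse_elff(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record found before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def default_failure_weight(record):
    """Default weighting as the article describes it for SGOS 6.5.x and later."""
    status = int(record["sc-status"])
    if status in (401, 407):      # authentication challenges are excluded
        return 0
    return 1 if 400 <= status <= 599 else 0


def bypass_403_weight(record):
    """Weighting with both failure_weight(0) rules from the article applied:
    a 403 from the origin, or a policy_denied exception, no longer counts."""
    if record["sc-status"] == "403" or record["x-exception-id"] == "policy_denied":
        return 0
    return default_failure_weight(record)


def failures_per_client(text, weight=default_failure_weight):
    """Total failure weight per client IP (c-ip) over all records in text."""
    counts = Counter()
    for rec in parse_elff(text):
        counts[rec["c-ip"]] += weight(rec)
    return dict(counts)


def clients_over_limit(text, failure_limit, weight=default_failure_weight):
    """Clients whose failure count exceeds failure_limit (simplified comparison;
    the appliance's exact threshold and interval semantics are not modelled)."""
    return sorted(ip for ip, n in failures_per_client(text, weight).items()
                  if n > failure_limit)


if __name__ == "__main__":
    LIMIT = 3  # hypothetical attack-detection failure limit for the comparison
    print("default weighting:", failures_per_client(SAMPLE_LOG),
          "-> over limit:", clients_over_limit(SAMPLE_LOG, LIMIT))
    print("403 bypassed:     ", failures_per_client(SAMPLE_LOG, bypass_403_weight),
          "-> over limit:", clients_over_limit(SAMPLE_LOG, LIMIT, bypass_403_weight))
```

With the default weighting, 10.0.0.5 accumulates four failures from three policy denials and one origin 403 (the 407 is ignored), so it crosses a limit of 3 even though it never reached a server. With both overrides applied its count drops to zero, while 10.0.0.9, which caused a genuine 404 and 500, still accumulates two failures, which is the behaviour the policy is meant to preserve.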