x-bluecoat-waf-block-details Therefore you will not be able to see what encoding is triggering the multiple_encoding action. For example if you add a cookie to the request with the following value:
and are in monitor only mode for WAFS then the x-bluecoat-waf-monitor-details field will display the following unencoded value:
By default these logs are present but no values because you need to enable them via policy gestures:
This is the rule which triggers multiple encoding.
The (auto) option expands to the following normalization setting:
So with the above example what does this mean. We know the cookie header is triggering the multiple_encoding so this applies:
So multiple encoding means if encoded more than once it will trigger multiple_encoding since we are only expecting the value to be encoded the once due to the presence of a single:
So that means if you see %25 in the cookie header then we will block the request since we are expecting a "%".