• Resolved qtrinh2

    (@qtrinh2)


    Hello,

    I can no longer update the WAF rules. When I try to manually update them, it suggests that I ensure my wp-content/wflogs is writeable.

    I’ve already tried these suggestions I’ve found on this support forum:

    1. Deleting and regenerating wflogs directory
    2. Enforcing 0777 permissions of wflogs directory and ensuring process owner can traverse to directory. (used WFWAF_LOG_FILE_MODE constant)
    3. Changing to mysqli WAF storage configuration (confirmed diagnostics page says mysqli as WAF storage configuration)
    4. Temporarily turned off host firewall and SELinux to see if that made a difference

    Regardless of what I’ve tried, manually updating the rules fails with the error message saying to ensure my wp-content/wflogs is writeable.

    When updating WAF rules, would my server be expecting inbound http traffic from Wordfence servers? If so, which servers would I be expecting inbound traffic from? noc1.wordfence.com?

    For further troubleshooting, I can provide an export of my diagnostics page by email.

    Thanks,

    qtrinh2

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @qtrinh2, thanks for your message.

    You could also expect to see noc4 when getting rules updates, although we only check connection to noc1 in diagnostics. I would certainly suggest at least 2 of your 4 attempts to solve this as a first response, but there are other things we can try.

    Using the command line terminal on your server (or having your host do so if you’re unable) you can try cURL from the server. Try the command below several times and see if the output changes or if it ever times out:

    curl -v 'https://noc4.wordfence.com/?ticket=qtrinh2'

    Adding the query string will help us to find you in our logs. The expected response status code should be a 301 Moved Permanently response.

    Failing this, by all means drop us your diagnostic to wftest @ wordfence . com directly using the link at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Let me know how you get on!
    Peter.
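
The repeated check suggested in the reply above, as an added shell example that is not part of the thread or Wordfence's own tooling: it sends the same request several times and reports whether every attempt returned the expected 301 or whether some timed out. The try count, the timeout and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example: repeat the curl check from the reply and summarise the results.
# URL and expected status come from the thread; TRIES and TIMEOUT are assumed defaults.
URL='https://noc4.wordfence.com/?ticket=qtrinh2'
EXPECTED=301
TRIES=${TRIES:-5}
TIMEOUT=${TIMEOUT:-15}

# probe: print one line per attempt in the form "<http_code> <curl_exit_status>".
# curl writes 000 as the code when it received no HTTP response at all.
probe() {
    i=0
    while [ "$i" -lt "$TRIES" ]; do
        code=$(curl -s -o /dev/null --max-time "$TIMEOUT" -w '%{http_code}' "$URL")
        echo "$code $?"
        i=$((i + 1))
        sleep 1
    done
}

# summarize: read probe lines on stdin and print a verdict with counters.
# curl exit status 28 means the operation timed out.
summarize() {
    ok=0 timed_out=0 other=0 total=0
    while read -r code status; do
        [ -n "$code" ] || continue
        total=$((total + 1))
        if [ "$status" -eq 28 ]; then
            timed_out=$((timed_out + 1))
        elif [ "$status" -eq 0 ] && [ "$code" = "$EXPECTED" ]; then
            ok=$((ok + 1))
        else
            other=$((other + 1))
        fi
    done
    if [ "$total" -eq 0 ]; then verdict=no-data
    elif [ "$ok" -eq "$total" ]; then verdict=consistent
    elif [ "$ok" -gt 0 ]; then verdict=intermittent
    else verdict=failing
    fi
    echo "$verdict ok=$ok timed_out=$timed_out other=$other total=$total"
}

# Only touch the network when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    probe | summarize
fi
```

An `intermittent` verdict is the case the reply asks about: output that changes between attempts or occasionally times out.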

    Thread Starter qtrinh2

    (@qtrinh2)

    @wfpeter ,

    I’ve successfully received 301 responses when executing the curl commands a few times:

    curl -v 'https://noc4.wordfence.com/?ticket=qtrinh2'
    
    *   Trying 35.83.41.128:443...
    * Connected to noc4.wordfence.com (35.83.41.128) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=noc1.wordfence.com
    *  start date: Jun 12 00:00:00 2023 GMT
    *  expire date: Jul 10 23:59:59 2024 GMT
    *  subjectAltName: host "noc4.wordfence.com" matched cert's "noc4.wordfence.com"
    *  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * Using Stream ID: 1 (easy handle 0x55d9fab60900)
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    > GET /?ticket=qtrinh2 HTTP/2
    > Host: noc4.wordfence.com
    > user-agent: curl/7.76.1
    > accept: */*
    >
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    < HTTP/2 301
    < date: Tue, 20 Jun 2023 14:01:07 GMT
    < content-type: text/html; charset=UTF-8
    < server: nginx
    < location: /v1.0/
    < x-frame-options: SAMEORIGIN
    < x-xss-protection: 1; mode=block
    < x-content-type-options: nosniff
    < strict-transport-security: max-age=31536000; includeSubDomains
    <
    * Connection #0 to host noc4.wordfence.com left intact
    
    
    curl -I 'https://noc4.wordfence.com/?ticket=qtrinh2'
    HTTP/2 301
    date: Tue, 20 Jun 2023 14:03:07 GMT
    content-type: text/html; charset=UTF-8
    server: nginx
    location: /v1.0/
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000; includeSubDomains
    
    
    curl -I 'https://noc4.wordfence.com/?ticket=qtrinh2'
    HTTP/2 301
    date: Tue, 20 Jun 2023 14:05:05 GMT
    content-type: text/html; charset=UTF-8
    server: nginx
    location: /v1.0/
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000; includeSubDomains
    
    
    curl -I 'https://noc4.wordfence.com/?ticket=qtrinh2'
    HTTP/2 301
    date: Tue, 20 Jun 2023 14:10:05 GMT
    content-type: text/html; charset=UTF-8
    server: nginx
    location: /v1.0/
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000; includeSubDomains
    
    
    curl -I 'https://noc4.wordfence.com/?ticket=qtrinh2' -L
    HTTP/2 301
    date: Tue, 20 Jun 2023 14:20:07 GMT
    content-type: text/html; charset=UTF-8
    server: nginx
    location: /v1.0/
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000; includeSubDomains
    
    HTTP/2 200
    date: Tue, 20 Jun 2023 14:20:07 GMT
    content-type: application/json
    server: nginx
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000; includeSubDomains

    Would this mean I can rule out any firewall or network blocks?

    -qtrinh2

    Thread Starter qtrinh2

    (@qtrinh2)

    Hi @wfpeter ,

    I have also sent the diagnostics report via email as an attachment because we are unable to send the report through our WordPress sites due to work on our SMTP relay server.

    -qtrinh2

The topic ‘Cannot update WAF rules’ is closed to new replies.