Trace HTML requests with security logs


This feature is available in NetScaler release 10.5.e.

Troubleshooting requires analysis of data received in the client request and can be challenging. Especially if there is heavy traffic flowing through the appliance. Diagnosing issues might affect the functionality or application security might require a quick response.

The NetScaler isolates traffic for a Web App Firewall profile and collects nstrace for the HTML requests. The nstrace collected in appfw mode includes request details with log messages. You can use “Follow TCP stream” in the trace to view the details of the individual transaction including headers, payload, and the corresponding log message in the same screen.

This gives you a comprehensive overview regarding your traffic. Having a detailed view of the request, payload, and associated log records can be useful to analyze security check violation. You can easily identify the pattern that is triggering the violation. If the pattern must be allowed, you can take a decision to modify the configuration or add a relaxation rule.


  1. Isolate traffic for specific profile: This enhancement is useful when you isolate traffic for only one profile or specific transactions of a profile for troubleshooting. You no longer have to skim through the entire data collected in the trace or need special filters to isolate requests interest you which can be tedious with heavy traffic. You can view the data that you prefer.
  2. Collect data for specific requests: The trace can be collected for a specified duration. You can collect trace for only a couple of requests to isolate, analyze, and debug specific transactions if needed.
  3. Identify resets or aborts: Unexpected closing of connections is not easily visible. The trace collected in –appfw mode captures a reset or an abort, triggered by the Web App Firewall. This allows a quicker isolation of an issue when you do not see a security check violation message. Malformed requests or other non-RFC compliant requests terminated by Web App Firewall will now be easier to identify.
  4. View decrypted SSL traffic: HTTPS traffic is captured in plain text to allow for easier troubleshooting.
  5. Provides comprehensive view: Allows you to look at the entire request at the packet level, check the payload, look at the logs to check what security check violation is being triggered and identify the match pattern in the payload. If the payload consists of any unexpected data, junk strings, or non-printable characters (null character, \r or \n and so forth), they are easy to discover in the trace.
  6. Modify configuration: The debugging can provide useful information to decide if the observed behavior is the correct behavior or the configuration must be modified.
  7. Expedite response time: Faster debugging on target traffic can improve the response time to provide explanations or root cause analysis by the NetScaler engineering and support team.

For more information, see Manual Configuration by using the command line interface topic.

To configure debug tracing for a profile by using the command line interface

Step 1. Enable ns trace.

You can use the show command to verify the configured setting.

  • set appfw profile <profile> -trace ON

Step 2. Collect trace. You can continue to use all the options which are applicable for the nstrace command.

  • start nstrace -mode APPFW

Step 3. Stop trace.

  • stop nstrace

Location of the trace: The nstrace is stored in a time-stamped folder which is created in the /var/nstrace directory and can be viewed using wireshark. You can tail the /var/log/ns.log to see the log messages providing details regarding the location of the new trace.


  • When the appfw mode option is used, the nstrace will only collect the data for one or more profiles for which the “nstrace” was enabled.

  • Enabling the trace on the profile will not automatically start collecting the traces until you explicitly run the “start ns trace” command to collect the trace.
  • Although enabling trace on a profile may not have any adverse effect on the performance of the Web App Firewall but you may want to enable this feature only for the duration for which you want to collect the data. It is recommended that you turn the –trace flag off after you have collected the trace. The option prevents the risk of inadvertently getting data from profiles for which you had enabled this flag in the past.

  • The block or log action must be enabled for the security check for the transaction record to be included in the nstrace.

  • Resets and aborts are logged independently of security checks actions when trace is “On” for the profiles.

  • The feature is only applicable for troubleshooting the requests received from the client. The traces in –appfw mode do not include the responses received from the server.

  • You can continue to use all the options which are applicable for the nstrace command. For example,

    start nstrace -tcpdump enabled -size 0 -mode appFW

  • If a request triggers multiple violations, the nstrace for that record includes all the corresponding log messages.

  • CEF log message format is supported for this functionality.

  • Signature violations triggering block or log action for request side checks will also be included in the trace.

  • Only HTML (non-XML) requests are collected in the trace.
Trace HTML requests with security logs