Refer to the following section below for some information relating to WAF troubleshooting.

WAF Logging

All events are logged but there may be a delay in them being available for Administrator viewing. For further information on the WAF logging options, refer to the WAF Event Log and Enable WAF Debug Logging sections.

WAF Compatibility with Kerberos Constrained Delegation (KCD)

As of the 7.2.40 LoadMaster firmware version, you cannot enable both WAF and KCD at the same Virtual Service level. For example:

  • If WAF is enabled in the parent Virtual Service, you cannot enable KCD as the Server Authentication Mode in the parent Virtual Service

  • If KCD is enabled in the parent Virtual Service, you cannot enable WAF

However, you can enable the Edge Security Pack (ESP)/KCD in the SubVS and then enable WAF in the parent Virtual Service.

If you had WAF and KCD enabled at the same level before upgrading to 7.2.40 and you upgrade the firmware to 7.2.40 or above, the configuration will not be changed. File attachments in SharePoint will not work. To resolve this, enable WAF on the parent Virtual Service and ESP/KCD on the SubVS.

The following combination is not supported: WAF with ESP Client Certificate authentication and KCD.

Unable to Download/Update Daily Updates

We recommend adding the Progress Kemp Licensing Server URLs as allowed URLs on your firewall to ensure all licensing features work, including the downloading and updating of WAF daily updates. The URLs to allow vary depending on your LoadMaster firmware version:

  • LoadMaster firmware version 7.2.53 or above (or 7.2.48.3 Long Term Support (LTS) and above): licensing.kemp.ax

  • LoadMaster firmware versions below 7.2.53 (or below 7.2.48.3 LTS): alsi.kemptechnologies.com and alsi2.kemptechnologies.com