After a configuration replication or service restart, browsing is not possible on browsers configured to pass through IWSVA.
The most recent HTTP log (var/iwss/log/http.log.yyyymmdd.0001) may contain entries similar to the following:
17:31:19.156 <INF><0:3847:3847> SIGSCAN: [ERROR-]REJECTING CONFIGURATION: configuration data problems recorded @<logToErr> @@<SSLog.cpp:73>
17:31:19.156 <INF><0:3847:3847> SharedInitialization failed: Scan Plug-in SigScan @<CreateScanContextImpl> @@<ScanContextImpl.cpp:4491>
This issue may occur due to an incorrect regular expression in the HTTP > HTTP Inspection > Filters section.
To make sure that this is the actual root cause, the next step is to enable verbose logging for HTTP Inspection:
- Open the file /etc/iscan/IWSSPISigScan.dsc via a text editor, for example vi:
  vi /etc/iscan/IWSSPISigScan.dsc
- Change the following entry:
  FROM:
  logging_level=INFO
  TO:
  logging_level=ALL
- Save the file.
- Stop and start the HTTP scanning daemon:
  /etc/iscan/S99ISproxy stop
  /etc/iscan/S99ISproxy start
Check the HTTP log again. An entry similar to the following may indicate which HTTP Inspection entry is problematic (in this example, "www.example.com"):
11:20:39.711 <INF><0:31814:31814> SIGSCAN: [ERROR-]--- CompiledDirective::make: [SDF line 3 - www.example.com NOT GET HOST] Regular expression compile failed at offset 1: [9] nothing to repeat @<logToErr> @@<SSLog.cpp:73>
If this is the case, remove the entry indicated in the logs from the IWSVA HTTP Inspection filters and restart all the services using the following command:
/etc/iscan/rcIwss restart
Check if browsing is possible.
Online regular expression verifiers may be helpful for checking an expression before adding it to IWSVA. For example:
https://regex101.com/
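
To locate these entries in a long verbose log, the following added example (not Trend Micro code) parses http.log lines in the format quoted above and reports each HTTP Inspection entry whose regular expression failed to compile. The function name triage and the returned field names are assumptions made for this example; the sample input is the three entries quoted in this article plus one constructed line.

```python
import re

# Compile-failure entry format as shown in the log excerpt in this article.
COMPILE_FAIL = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) .*?SIGSCAN: \[ERROR-\].*?"
    r"CompiledDirective::make: \[SDF line (?P<sdf_line>\d+) - (?P<entry>.*?)\] "
    r"Regular expression compile failed at offset (?P<offset>\d+): "
    r"\[(?P<code>\d+)\] (?P<reason>.*?) @<"
)
# Markers showing that the scan plug-in refused to load its configuration.
REJECT_MARKERS = ("REJECTING CONFIGURATION", "SharedInitialization failed")


def triage(lines):
    """Return (config_rejected, failures) for an iterable of http.log lines."""
    rejected = False
    failures = []
    for line in lines:
        if any(marker in line for marker in REJECT_MARKERS):
            rejected = True
        match = COMPILE_FAIL.search(line)
        if match:
            info = match.groupdict()
            for key in ("sdf_line", "offset", "code"):
                info[key] = int(info[key])
            failures.append(info)
    return rejected, failures


# Sample input: the three entries quoted in this article plus one constructed
# unrelated line, to show that ordinary entries are ignored.
SAMPLE_LOG = """\
17:31:19.156 <INF><0:3847:3847> SIGSCAN: [ERROR-]REJECTING CONFIGURATION: configuration data problems recorded @<logToErr> @@<SSLog.cpp:73>
17:31:19.156 <INF><0:3847:3847> SharedInitialization failed: Scan Plug-in SigScan @<CreateScanContextImpl> @@<ScanContextImpl.cpp:4491>
11:20:39.711 <INF><0:31814:31814> SIGSCAN: [ERROR-]--- CompiledDirective::make: [SDF line 3 - www.example.com NOT GET HOST] Regular expression compile failed at offset 1: [9] nothing to repeat @<logToErr> @@<SSLog.cpp:73>
11:20:40.002 <INF><0:31814:31814> constructed sample line with no error
""".splitlines()

if __name__ == "__main__":
    rejected, failures = triage(SAMPLE_LOG)
    print("configuration rejected:", rejected)
    for f in failures:
        print(f"SDF line {f['sdf_line']}: {f['entry']!r} -> {f['reason']} "
              f"(offset {f['offset']}, code {f['code']})")
```

To use it on a real log, pass an open file object for a copy of the HTTP log to triage() instead of SAMPLE_LOG.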