
Exam CAS-004 topic 1 question 7 discussion

Actual exam question from CompTIA's CAS-004
Question #: 7
Topic #: 1

A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause?

  • A. The user agent client is not compatible with the WAF.
  • B. A certificate on the WAF is expired.
  • C. HTTP traffic is not forwarding to HTTPS to decrypt.
  • D. Old, vulnerable cipher suites are still being used.
Suggested Answer: C 🗳️

Comments

claireindub
Highly Voted 2 years, 1 month ago
Selected Answer: C
ChatGPT says ... C. HTTP traffic is not forwarding to HTTPS to decrypt. This means that the WAF is not able to inspect the encrypted traffic because it is not being decrypted. As a result, the WAF is not able to log or detect any malicious activity that might be occurring within that encrypted traffic. Option A, that the user agent client is not compatible with the WAF, would not prevent the WAF from logging traffic, but it might prevent the WAF from blocking certain types of traffic. Option B, that a certificate on the WAF is expired, would not prevent the WAF from logging traffic or detecting malicious activity, but it might prevent users from being able to access the web application. Option D, that old, vulnerable cipher suites are still being used, might result in vulnerabilities that could be exploited by attackers, but it would not necessarily prevent the WAF from logging traffic or detecting malicious activity.
upvoted 10 times
rice3cooker
1 year, 3 months ago
You do know ChatGPT is not 100% correct.
upvoted 3 times
rmwilsn
2 years ago
This literally makes no sense. HTTPS does not decrypt HTTP. Do more research. The certificate is expired, son. B
upvoted 5 times
ThatGuyOverThere
Highly Voted 1 year, 9 months ago
Selected Answer: C
I think people have points about C being incorrect because HTTP does not get forwarded to HTTPS to decrypt. That makes no sense. However, neither does an expired certificate. The cert validity should have no bearing on logging. If you tell the browser to continue anyway, you're still using the cert, you're just ignoring the errors. Either way, logging should be completely unaffected. My guess is this question just has a typo in the wording. If you changed it to HTTPS was not being decrypted forwarded to HTTP, everything makes sense.
upvoted 10 times
blacksheep6r
Most Recent 2 months, 4 weeks ago
Selected Answer: C
WAF Decryption: A Web Application Firewall (WAF) typically inspects traffic by decrypting HTTPS communications. If HTTP traffic isn't being redirected to HTTPS, the WAF won't be able to decrypt and inspect that traffic. This results in a lack of visibility and logging for that specific traffic.

Why the Other Options Don't Fit:
A. The user agent client is not compatible with the WAF: Compatibility issues usually affect connection or functionality rather than causing selective logging gaps.
B. A certificate on the WAF is expired: An expired certificate would impact the establishment of secure connections but wouldn't directly cause specific traffic to be unlogged.
D. Old, vulnerable cipher suites are still being used: Vulnerable cipher suites pose other security risks but don't lead to the particular issue of missing logs from the WAF.
upvoted 1 times
salmonIsDecent
7 months, 1 week ago
Selected Answer: B
Answer selected: B. A certificate on the WAF is expired. Reasoning and counter-argument to option C: An expired certificate on the WAF prevents the proper SSL/TLS handshake, thus causing the client (the web application) connections to fail and leading to no traffic reaching the WAF, which means the traffic is not logged. Option C, HTTP traffic is not forwarding to HTTPS to decrypt, means unencrypted traffic bypasses the decryption processes, but the WAF can still inspect and log HTTP traffic, so the visibility should remain for HTTP requests, though it may miss encrypted traffic. The scenario given is that there is NO VISIBILITY from the WAF for the web application. In terms of comprehending this statement, we ASSUME NO TRAFFIC. 100% NOTHING is logged. With that logic, B. A certificate on the WAF is expired, makes the most logical sense.
upvoted 2 times
catastrophie
7 months, 1 week ago
Selected Answer: B
Ok, to start with the argument that it's a typo and it should be HTTPS is not forwarding to HTTP. I agree that is how things should work with a WAF if it's configured for it. So this brings us to the next question: if the "typo" was corrected, then what would cause that issue? Perhaps an expired cert? Chances are it's not a typo and not the correct answer. However, an expired cert on the WAF could most definitely cause issues with logging. Generally, a WAF or any type of layer 7 filtering application creates and issues certificates or is issued a certificate to inspect SSL/TLS traffic. If the certificate on the WAF were expired, then it would not be able to inspect the SSL/TLS traffic passing through it. Now, that being said, it's an assumption on my part that the specific traffic is HTTPS that the analyst is expecting in the logs, since malicious individuals typically don't go doing shady stuff all out in the open using HTTP. Just my way of looking at this. I'm sure there are things I'm overlooking as well.
upvoted 4 times
YUYUY
7 months, 1 week ago
Selected Answer: B
It's B. C is wrong because, if the traffic is already unencrypted in HTTP, why would it need to forward to HTTPS for it to be inspected by the WAF? That would mean encrypting the traffic. Keep in mind that WAFs can be configured in two ways: 1. HTTPS traffic is decrypted before it reaches the WAF, allowing the clear-text traffic to be inspected. 2. HTTPS traffic is decrypted by the WAF using the certs installed on it. So what do you think happens in scenario 2 when the cert used for decrypting the HTTPS traffic expires? You will not have visibility of any new logs from that web server! Correct Answer: B. A certificate on the WAF is expired.
upvoted 2 times
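The comments above disagree about whether an expired certificate on the WAF would stop inspection (option B). Whichever way the exam question intends it, a defender wants to detect that condition before it matters. The following is an added example, not part of the original thread or of any WAF vendor's code: it classifies a certificate by its validity window using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate values are constructed for illustration, and the 14-day warning threshold is an assumption.

```python
"""Classify a TLS certificate as valid / expiring / expired / not-yet-valid
from the dict returned by ssl.SSLSocket.getpeercert().

Added example. The certificate below is constructed (not a real WAF cert);
the warning threshold is an assumption for illustration.
"""
import ssl
import time

# Constructed stand-in for getpeercert() output; only the fields used here.
SAMPLE_CERT = {
    "subject": ((("commonName", "waf.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2023 GMT",
}

SECONDS_PER_DAY = 86400


def cert_status(cert, now_epoch=None, warn_days=14):
    """Return (state, days_remaining) for a getpeercert()-style dict.

    state is one of 'valid', 'expiring', 'expired', 'not-yet-valid'.
    days_remaining is the (possibly negative) number of days until notAfter.
    now_epoch lets a test or a replayed incident timeline pin the clock.
    """
    now = time.time() if now_epoch is None else now_epoch
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format
    # that getpeercert() uses (day of month may be space-padded).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_remaining = (not_after - now) / SECONDS_PER_DAY

    if now < not_before:
        return "not-yet-valid", days_remaining
    if now >= not_after:
        return "expired", days_remaining
    if days_remaining <= warn_days:
        return "expiring", days_remaining
    return "valid", days_remaining


def common_name(cert):
    """Pull the subject CN out of the nested tuple layout getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    state, days = cert_status(SAMPLE_CERT)
    print(f"{common_name(SAMPLE_CERT)}: {state} ({days:.1f} days remaining)")
```

To apply this to a live WAF endpoint, open the socket with a verifying `ssl.create_default_context()`; `getpeercert()` returns an empty dict when verification was disabled, so a check that silently accepts `{}` would report nothing rather than "expired".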
HereToStudy
8 months, 1 week ago
Selected Answer: B
Cert expired. C makes no sense
upvoted 2 times
23169fd
9 months, 3 weeks ago
Selected Answer: C
If HTTP traffic is not being forwarded to HTTPS, the WAF may not be able to inspect and log the traffic properly. WAFs typically operate by decrypting HTTPS traffic to analyze its contents and protect the web application. If traffic remains on HTTP, the WAF might not intercept it, leading to a lack of visibility and logging. B is incorrect because an expired certificate would typically prevent HTTPS traffic from being established at all, causing SSL/TLS errors. This would result in failed connections rather than unlogged traffic.
upvoted 2 times
Delab202
1 year, 3 months ago
Selected Answer: C
The MOST likely cause for the specific traffic not being logged, and there being no visibility from the Web Application Firewall (WAF) for the web application, is: C. HTTP traffic is not forwarding to HTTPS to decrypt. Explanation: HTTP to HTTPS Redirect: If the web server is supposed to be secured with HTTPS, but the incoming traffic is not being redirected from HTTP to HTTPS, then the WAF, which is often designed to inspect and control encrypted (HTTPS) traffic, may not be seeing the traffic. The WAF might be configured to handle and log only encrypted traffic.
upvoted 3 times
jhxetc
1 year, 4 months ago
Selected Answer: C
While horribly worded, C makes the most sense. If the server is not redirecting HTTP traffic to HTTPS (think of connecting to http://google.com - you will be redirected to https://google.com) and the WAF is configured to only monitor https traffic, then there would be a gap in monitoring.
upvoted 3 times
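Several commenters (jhxetc above, and Delab202, fb2fcb1 and blacksheep6r elsewhere in the thread) read option C as a monitoring gap: requests reach the origin over a path the WAF does not inspect, so they never appear in WAF logs. The practical way an analyst confirms such a gap is to reconcile the origin server's access log against the WAF log and see which requests, and on which scheme, the WAF never saw. The following is an added example, not code from the original thread or from any WAF product. It assumes both logs carry a shared request ID (as a WAF that injects a request-ID header would provide) and uses constructed log lines in an assumed format; a real deployment needs its own field layout and regular expressions.

```python
"""Find origin requests the WAF never recorded (a visibility gap) and
report which scheme the unseen requests arrived on.

Added example. Both log formats are assumptions, and every log line below
is constructed for illustration. The join key is a request ID that both
the WAF and the origin are assumed to log.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed origin access log: scheme, then a combined-log-like layout,
# then the request ID as a trailing field.
ORIGIN_LOG = """\
http 203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 req-001
https 203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 req-002
http 198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /old-admin HTTP/1.1" 404 0 req-003
https 198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=test HTTP/1.1" 200 2048 req-004
"""

# Constructed WAF log: one line per inspected request, keyed by the same ID.
WAF_LOG = """\
2023-10-10T13:55:37Z req-002 POST /login action=allow
2023-10-10T13:55:41Z req-004 GET /search action=allow
"""

ORIGIN_RE = re.compile(
    r'^(?P<scheme>https?) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<req_id>\S+)$'
)
WAF_RE = re.compile(r'^\S+ (?P<req_id>\S+) \S+ \S+ action=\S+$')


@dataclass
class OriginRequest:
    req_id: str
    scheme: str
    client: str
    method: str
    path: str
    status: str


def parse_origin(text):
    """Parse origin log lines; lines that do not match the layout are skipped."""
    requests = []
    for line in text.splitlines():
        m = ORIGIN_RE.match(line)
        if m:
            requests.append(OriginRequest(
                m["req_id"], m["scheme"], m["client"],
                m["method"], m["path"], m["status"],
            ))
    return requests


def waf_seen_ids(text):
    """Collect the request IDs the WAF actually inspected."""
    seen = set()
    for line in text.splitlines():
        m = WAF_RE.match(line)
        if m:
            seen.add(m["req_id"])
    return seen


def find_visibility_gap(origin_text, waf_text):
    """Return origin requests that have no matching WAF record."""
    seen = waf_seen_ids(waf_text)
    return [r for r in parse_origin(origin_text) if r.req_id not in seen]


def gap_by_scheme(unseen):
    """Count unseen requests per scheme; all-http points at a redirect gap."""
    return Counter(r.scheme for r in unseen)


if __name__ == "__main__":
    gap = find_visibility_gap(ORIGIN_LOG, WAF_LOG)
    for r in gap:
        print(f"unseen by WAF: {r.req_id} {r.scheme} {r.client} {r.method} {r.path} {r.status}")
    print("by scheme:", dict(gap_by_scheme(gap)))
```

If every unseen request is plaintext `http`, the origin is accepting connections that bypass the inspected HTTPS path, which is the condition option C describes in whichever wording one reads it; if unseen requests span both schemes, the gap is on the WAF itself, and the certificate and forwarding path are the next things to check.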
joinedatthehop
1 year, 7 months ago
The answer should be B. Using an expired certificate makes clients vulnerable to cyber attacks, which can break their trust. Therefore, it is not recommended to use an expired certificate. A website would not last long with an expired one. The only way answer C makes sense is if it were written as follows: HTTPS traffic is not forwarding to HTTP to decrypt.
upvoted 1 times
imather
1 year, 9 months ago
Selected Answer: B
HTTP to HTTPS to decrypt does not make sense. The other way around would
upvoted 3 times
fb2fcb1
1 year, 9 months ago
Selected Answer: C
C. HTTP traffic is not forwarding to HTTPS to decrypt. If the web application firewall (WAF) is configured to only monitor or manage HTTPS traffic and there is traffic on the network that is not being automatically redirected from HTTP to HTTPS, it could result in that traffic not being visible to the WAF. This could be a reason why the WAF isn't logging specific traffic. The other options are less likely to result in a lack of visibility from the WAF. An incompatible user agent client (A) or expired certificate (B) could cause issues, but they would typically lead to error messages or connection failures rather than traffic simply not being logged. Similarly, while using old and potentially vulnerable cipher suites (D) is a security risk, it wouldn't typically cause certain traffic to not be logged by the WAF.
upvoted 2 times
_Aneeb
1 year, 10 months ago
B is the correct answer, as a WAF logs both HTTP and HTTPS traffic. There is no way to log "http" traffic as "https". Doesn't even make sense.
upvoted 3 times
Sepu
1 year, 10 months ago
Selected Answer: B
B is the only one that makes some sense.
upvoted 3 times
sandman310323
1 year, 11 months ago
Selected Answer: C
Isn't the keyword (statement) here "not being logged"?
upvoted 3 times
AaronS1990
1 year, 10 months ago
What about the fact that HTTPS doesn't decrypt HTTP?
upvoted 3 times
louiedgr8
2 years ago
How about B? The WAF is a security solution that sits between the external traffic and the web server, and it is responsible for inspecting traffic and blocking any malicious activity. If the WAF's certificate has expired, it can cause traffic to not be logged and result in no visibility of the web application's traffic.

CHATGPT: You are correct that a WAF certificate being expired could also be a possible cause of the issue. If the certificate on the WAF is expired, it can cause the WAF to not function correctly and may prevent it from inspecting the traffic. This could result in specific traffic not being logged, and there may be no visibility from the WAF for the web application. Therefore, option B could also be a possible cause. However, the answer choice "MOST likely cause" implies that there is one cause that is more probable than the others. In this case, I believe that option C (HTTP traffic not forwarding to HTTPS to decrypt) is the most likely cause because it is a common issue that can result in the described behavior. However, it is important to note that other causes, such as an expired WAF certificate, should also be investigated and ruled out.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)