TransactionID in Application Gateway v1 versus v2

Question

TransactionID in Application Gateway v1 versus v2

Mark Fuller 42

In AppGWv2 the TransactionID in the Firewall Log is a GUID (transactionId_g) and unique to each transaction. It can be used to correlate multiple OWASP rules that were triggered in the same transaction. For example where an OWASP rule has blocked traffic via anomaly scoring there is always exactly one ruleId_s=949110 in the log, and then one or more other rules that contributed to the anomaly score. And the TimeGenerated is always the same value for all logs with the same transactionId_g. This make analysis easy.

However in AppGWv1 the Transaction ID is a string (transactionId_s) and is not unique for a single transaction. The anomaly score shows ruleID_s=0 (compared to 949110 for AppGWv2). And I have many examples where there are multiple occurrences of ruleID_s=0 for the same transactionId_s. And the same transactionId_s can be seen across a time range, in some cases spanning multiple hours. So it seems transactionId_s is either not accurate or is being reused, which makes it very difficult to correlate events and analysis.

Is there any better way than transactionId_s to correlate the various log entries for AppGWv1?

Mark Fuller 42 Reputation points

2023-05-28T03:16:59.1233333+00:00

As an example from AppGWv1 see attached file. TransactionId_s 17726168135477755924 is clearly 2 totally different transactions coming from 2 totally different IPs more than 2 hours apart, yet has same transactionId_s, why ? AppGWv1.csv.txt
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T08:34:09.68+00:00

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I would say to troubleshoot this, we will need a specialized 1:1 session, where a support engineer can have a screen share session to cross verify the logs from backend.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
Mark Fuller 42 Reputation points

2023-05-29T09:21:35.1433333+00:00

I dont have any support plan, sorry. But I have provided the log output from Azure Log Analytics, so I am not sure what else an engineer will need?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T09:40:44.78+00:00
@Anonymous

Unfortunately, I will not be able to reproduce the scenario from my end for this specific scenatio.

And it be challenging to correlate logs from a wider time range, while a Support Engineer can check them from our internal logs and verify if Transaction IDs being same in v1 is an expected behavior or not.

Also, what exact rules were matching when the ruleID_s=0

Should you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft[Dot]Com with the below details.

Subject : Attn Kaananth

Thread URL: Link to this thread.

Subscription ID in which the App gateway is created

Cheers,

Kapil

Accepted answer

0 additional answers

Your answer

Mark Fuller 42 Reputation points

2023-05-28T03:16:59.1233333+00:00

As an example from AppGWv1 see attached file. TransactionId_s 17726168135477755924 is clearly 2 totally different transactions coming from 2 totally different IPs more than 2 hours apart, yet has same transactionId_s, why ? AppGWv1.csv.txt
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T08:34:09.68+00:00

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I would say to troubleshoot this, we will need a specialized 1:1 session, where a support engineer can have a screen share session to cross verify the logs from backend.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
Mark Fuller 42 Reputation points

2023-05-29T09:21:35.1433333+00:00

I dont have any support plan, sorry. But I have provided the log output from Azure Log Analytics, so I am not sure what else an engineer will need?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T09:40:44.78+00:00

@Anonymous

Unfortunately, I will not be able to reproduce the scenario from my end for this specific scenatio.

And it be challenging to correlate logs from a wider time range, while a Support Engineer can check them from our internal logs and verify if Transaction IDs being same in v1 is an expected behavior or not.

Also, what exact rules were matching when the ruleID_s=0

Should you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft[Dot]Com with the below details.

Subject : Attn Kaananth

Thread URL: Link to this thread.

Subscription ID in which the App gateway is created

Cheers,

Kapil

Answer 1

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Your observation is correct.

The reuse of transaction IDs is a normal behavior in Application Gateway v1 and does not necessarily indicate an issue or problem.
It is important to note that the transaction ID is only intended to be used for troubleshooting and logging purposes and should not be relied upon for tracking or identifying individual requests.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

TransactionID in Application Gateway v1 versus v2

0 additional answers

Your answer