Support for Masking and Removing Personally Identifiable Information (PII) in Application Logs on Avi Vantage

Overview

Avi Vantage collects different types of logs for troubleshooting performance or outage issues and for assessing end-user experience and the success of an application. While establishing connections between incoming client requests and the back-end servers, the Avi Controller collects HTTP request header and response header information. Starting with release 17.2.10, Avi Vantage supports removing or masking Personally Identifiable Information (PII) in HTTP request header and response header fields in application logs. The actual value of the selected HTTP header field can be removed or masked to X. HTTP request headers are masked in the following cases:

  • HTTP header received from the client.
  • HTTP header sent to the back-end server.

The following are treated as HTTP response headers on Avi Vantage:

  • Response headers coming from the back-end server.
  • Response headers sent to the client.

Note: Any HTTP header in the application logs on Avi Vantage can be masked or removed. The feature is not limited to masking the header value; both the header name and its corresponding value can also be removed from the application logs.

Use case

Exposure of user-related sensitive information, for example, HTTP cookies and authorization information, is avoided. Security threats that may arise from exposed user-related or server-related information are avoided as well.

Configuration

Based on the requirement, any of the HTTP request headers and response headers can be masked or removed in the virtual service logs on Avi Vantage.

In the configuration snippet below, HTTP headers are selected either with match_str: "HTTP-Header-name" or through a string group, and the action that masks the original value is set with LOG_FIELD_MASKOFF in the analytics profile configuration of a virtual service:


analyticsprofile_object {
   uuid: "l7-analytics-profile-3"
   name: "l7-analytics-profile-3"
   tenant_uuid: "admin"
   sensitive_log_profile {
      header_field_rules {
         index: 1
         name: "hdr_rule_1"
         enabled: true
         match {
            match_criteria: EQUALS
            string_group_uuids: "stringgroup-2"
         }
         action: LOG_FIELD_MASKOFF
      }
      header_field_rules {
         index: 2
         name: "hdr_rule_2"
         enabled: true
         match {
            match_criteria: CONTAINS
            match_str: "X-Forwarded-For"
         }
         action: LOG_FIELD_MASKOFF
      }
   }
}

stringgroup_object {
   uuid: "stringgroup-2"
   name: "stringgroup-2"
   kv {
      key: "Authorization"
   }
   kv {
      key: "Cookie"
   }
   kv {
      key: "Set-Cookie"
   }
   tenant_uuid: "admin"
}
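
The rule set above can be modelled locally to check which header names it would cover before it is applied to a virtual service. This is an added example, not Avi Vantage code: the function names and sample headers are constructed, and it assumes case-insensitive header-name matching, evaluation in index order, and a masked value logged as the literal "X".

```python
# Local model of the header_field_rules above (added example, not Avi code).
# Assumptions: case-insensitive header-name matching, rules evaluated in
# index order, and a masked value logged as the literal "X".
STRING_GROUPS = {"stringgroup-2": ["Authorization", "Cookie", "Set-Cookie"]}
RULES = [
    {"index": 1, "name": "hdr_rule_1", "enabled": True,
     "match_criteria": "EQUALS", "string_group_uuids": ["stringgroup-2"]},
    {"index": 2, "name": "hdr_rule_2", "enabled": True,
     "match_criteria": "CONTAINS", "match_str": ["X-Forwarded-For"]},
]  # both rules use action LOG_FIELD_MASKOFF, as in the snippet

def rule_patterns(rule):
    """Collect literal match strings plus every key of referenced string groups."""
    patterns = list(rule.get("match_str", []))
    for uuid in rule.get("string_group_uuids", []):
        patterns.extend(STRING_GROUPS[uuid])
    return [p.lower() for p in patterns]

def matching_rule(header_name, rules=RULES):
    """Return the name of the first enabled rule that matches, else None."""
    name = header_name.lower()
    for rule in sorted(rules, key=lambda r: r["index"]):
        if not rule["enabled"]:
            continue
        for pat in rule_patterns(rule):
            if rule["match_criteria"] == "EQUALS" and name == pat:
                return rule["name"]
            if rule["match_criteria"] == "CONTAINS" and pat in name:
                return rule["name"]
    return None

def mask_headers(headers, rules=RULES):
    """Model LOG_FIELD_MASKOFF: keep the header name, replace the value."""
    return {k: ("X" if matching_rule(k, rules) else v) for k, v in headers.items()}

def unmasked_sensitive(headers, sensitive, rules=RULES):
    """List headers the reviewer deems sensitive that no rule covers."""
    wanted = {s.lower() for s in sensitive}
    return sorted(k for k in headers
                  if k.lower() in wanted and not matching_rule(k, rules))

# Constructed sample request headers (not from the page).
SAMPLE = {
    "Host": "app.example.com",
    "Authorization": "Bearer constructed-token",
    "Proxy-Authorization": "Basic constructed-value",
    "Cookie": "session=constructed",
    "X-Forwarded-For": "203.0.113.7",
}
```

Under these assumptions, the EQUALS rule leaves Proxy-Authorization unmasked because only exact names from the string group match, so a header like that needs its own string-group key or a CONTAINS rule.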

Changes in HTTP request and HTTP response header:

The following screenshots exhibit the masked value of various HTTP headers in the logs on Avi Vantage.

Changes in HTTP request header

Details of an HTTP request header before the change in the analytics profile:

[Screenshot: request-header]

Details of an HTTP request header after the change in the analytics profile:

[Screenshot: request-header-after-the-change]

In the example above, the values of the following HTTP request headers are masked to X:

  • X-Forwarded-For
  • Authorization HTTP header
  • Cookie field

Changes in HTTP response header

Details of an HTTP response header in the application logs before the change in the analytics profile:

[Screenshot: response-header]

Details of an HTTP response header in the application logs after the change in the analytics profile:

[Screenshot: response-header-after-the-change]

In the example above, the value of the HTTP response header Set-Cookie is masked to X in the application logs.