AWAF Detection Inconsistency Between Similar Test Payloads

About POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=127.0.0.1 && ls /etc maybe see if there is no low level signature about this as if you are using medium/high level only this could be it. Also if you selected specific server technologies maybe then if this is a signature for Linux but you selected Windows in server technologies this could explain the Linux signatures are not applied.

I think I saw similar stuff 2 years and if needed raise F5 case but maybe this is considered not affecting currently systems (who knows ) and you may need to write a custom signature for it if F5 says that for them this is not security risk and this is not covered by low level signatures.