Forum Discussion
tbriot
Altocumulus
AltocumulusAWS F5 Managed WAF rules not blocking simple SQL injection
We have subscribed to the "F5 Rules for AWS WAF - API Security Rules". Product page: https://aws.amazon.com/marketplace/pp/B07M948X2H. A Web ACL has been created in our AWS account using this group ...
Is it possible your F5 RuleGroups were not configured to block but rather to just count violations? Per K21015971:
Configuring RuleGroups
You configure a RuleGroup with one of two Action values: Block or Count. When a RuleGroup Action is set to Block, it blocks traffic, and when it is set to Count, the following behaviors occur:
- Traffic is allowed to pass through AWS WAF, even when the traffic matches the conditions of a rule.
- Traffic that matches the conditions of a RuleGroup generate CloudWatch metrics, which you can use for troubleshooting.
tbriotI confirm the rule group has NOT been set to Count.
Btw, the https://support.f5.com/csp/article/K21015971 page seems a little bit outdated. The Actions are named 'No override' (instead of Block) and 'Override to count (instead of Count)'. See AWS documentation: https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html.