Forum Discussion

jtbh_376042
Nov 02, 2018

AWS WAF using a marketplace rule group supplied by F5

My organisation has implemented an AWS WAF to protect our websites from malicious traffic.


As part of the implementation, we decided to use a marketplace rule group supplied by F5.


The URL for the above marketplace rule group is https://aws.amazon.com/marketplace/pp/B077PJGPWH


So now we have the Web Application Firewall implemented with the AWS WAF - Web Exploits Rules by F5, seeing all traffic and managing it, i.e. blocking some, allowing some through.


I have enabled logging on the Web Application Firewall and I can see what traffic has been blocked but I can’t see why.


A small snippet of the log output shows -


"terminatingRule":{"ruleId":"4aad97c8-482a-4686-8c09-c291f8064e1d","action":"BLOCK"},"


But I can’t translate the above ruleId number to a human understandable version of why a particular piece of traffic was blocked.


My management teams are querying blocked traffic and all I can currently tell them is that some traffic was blocked but I don’t know why, because I can’t see what actual rule the ruleId translates to.


How can I provide these answers to my management team? The questions they are asking are completely plausible. Hopefully, someone here can help me with this.


Also, I can't see a way of uploading log file data easily here. Can someone please advise on this too?


I don't see an attachment upload button.


Thanks in advance.


Jat


  • Please follow the procedure detailed in K21015971: Overview of F5 RuleGroups for AWS WAF


    Reporting false positives on DevCentral


    With full request logging you can now report on a rule that generates too many false positives. To report false positives, complete the following:


    • Log three to five requests that the rule has flagged as malicious requests.
    • Make sure that the requests do not contain any sensitive information; if they do, please mask the sensitive data with ****.
    • Attach the requests to a message (Ask a Question) on the DevCentral Answers forum.
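As an added example (not from the original post, not F5's code, and not part of the K21015971 procedure), here is a small Python script that does the two things this thread asks for: it tallies BLOCK decisions by the terminating rule ID so the opaque `ruleId` from the log can at least be reported with a count and with a name looked up from whatever rule documentation the vendor supplies, and it pulls a few sample requests for one rule ID with sensitive fields masked as `****`, which is the form the reply asks for when reporting false positives. The log records are constructed for the example; their field layout follows the AWS WAF full-request-logging JSON (formatVersion 1, with the rule-group rule under `ruleGroupList[].terminatingRule`, as in the snippet quoted above), but check the field names against your own logs. The rule-group ID, web ACL ID, ALB ID and the second rule ID are hypothetical placeholders, and `RULE_NAMES` is a table you have to populate yourself from the vendor's rule documentation.

```python
import json
from collections import Counter

# Rule ID quoted in the thread, plus a hypothetical second rule ID for the sample log.
RULE_ID_QUOTED = "4aad97c8-482a-4686-8c09-c291f8064e1d"
OTHER_RULE_ID = "00000000-0000-0000-0000-000000000002"  # hypothetical placeholder

# Rule IDs inside a marketplace rule group are opaque in the log: fill this table in
# from the vendor's rule documentation (the KB article named in the reply). The name
# below is a placeholder, not a real rule name.
RULE_NAMES = {
    RULE_ID_QUOTED: "(name from vendor rule documentation)",
}

# Header values masked before a request is shared outside the team.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
MASK = "****"


def _record(action, uri, args, rule_id=None, cookie=None):
    """Build one constructed log record in the formatVersion 1 layout (assumed)."""
    headers = [{"name": "Host", "value": "www.example.com"},
               {"name": "User-Agent", "value": "curl/7.61.0"}]
    if cookie:
        headers.append({"name": "Cookie", "value": cookie})
    group = {"ruleGroupId": "hypothetical-f5-rule-group-id",
             "terminatingRule": {"ruleId": rule_id, "action": "BLOCK"} if rule_id else None,
             "nonTerminatingMatchingRules": []}
    return {"timestamp": 1541145600000, "formatVersion": 1,
            "webaclId": "hypothetical-web-acl-id",
            "terminatingRuleId": "hypothetical-rule-group-ref" if rule_id else "Default_Action",
            "terminatingRuleType": "GROUP" if rule_id else "REGULAR",
            "action": action, "httpSourceName": "ALB", "httpSourceId": "hypothetical-alb-id",
            "ruleGroupList": [group],
            "httpRequest": {"clientIp": "203.0.113.10", "country": "GB", "headers": headers,
                            "uri": uri, "args": args, "httpVersion": "HTTP/1.1",
                            "httpMethod": "GET", "requestId": None}}


# Constructed newline-delimited sample log: two blocks by the quoted rule, one by the
# hypothetical rule, one request allowed by the default action.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("BLOCK", "/login", "user=%27%20or%201%3D1--", RULE_ID_QUOTED, cookie="session=abc123"),
    _record("BLOCK", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E", RULE_ID_QUOTED),
    _record("BLOCK", "/admin", "", OTHER_RULE_ID, cookie="session=def456"),
    _record("ALLOW", "/", ""),
])


def parse_waf_log(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def terminating_rule(record):
    """(rule_group_id, rule_id, action) for the rule that stopped evaluation.

    A rule inside a rule group appears under ruleGroupList[].terminatingRule; a
    top-level rule or the default action only has the record's terminatingRuleId.
    """
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            return group.get("ruleGroupId"), term["ruleId"], term["action"]
    return None, record.get("terminatingRuleId"), record.get("action")


def rule_name(rule_id):
    """Human-readable name if the table knows it, otherwise say so explicitly."""
    return RULE_NAMES.get(rule_id, "unknown (not in RULE_NAMES)")


def blocks_by_rule(records):
    """Counter of BLOCK decisions keyed by terminating rule ID."""
    counts = Counter()
    for rec in records:
        if rec.get("action") == "BLOCK":
            counts[terminating_rule(rec)[1]] += 1
    return counts


def mask_request(http_request):
    """Deep-copy the request and replace client IP and sensitive header values with ****."""
    masked = json.loads(json.dumps(http_request))  # copy; leave the log record untouched
    masked["clientIp"] = MASK
    for header in masked.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = MASK
    return masked


def sample_requests(records, rule_id, limit=5):
    """Up to `limit` masked requests blocked by `rule_id`, ready to attach to a report.

    Query strings are kept because they usually carry what the rule matched on;
    review them by hand for secrets before sending.
    """
    samples = []
    for rec in records:
        if rec.get("action") == "BLOCK" and terminating_rule(rec)[1] == rule_id:
            samples.append(mask_request(rec["httpRequest"]))
            if len(samples) >= limit:
                break
    return samples


def report(text):
    """Summary for management: block count per rule ID with a name where one is known."""
    records = parse_waf_log(text)
    return "\n".join(f"{n:5d}  {rule_id}  {rule_name(rule_id)}"
                     for rule_id, n in blocks_by_rule(records).most_common())


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print(json.dumps(sample_requests(parse_waf_log(SAMPLE_LOG), RULE_ID_QUOTED), indent=2))
```

Point `parse_waf_log` at the records pulled from the Kinesis Data Firehose destination instead of `SAMPLE_LOG`, and `report` gives the per-rule counts the management team is asking about; `sample_requests` for the noisiest rule ID gives the three to five masked requests the reply asks for, which can then be pasted into the question rather than uploaded as a file.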