F5 rules for AWS WAF
Hi, we are experiencing false positives with the WAF rule rule_ZmEu_Headers, part of the F5-Bots_Managed ruleset protecting our backend.
Issue details:
- Legitimate requests from our customers are being blocked with HTTP 403 Forbidden errors.
- The blocked requests include the standard AWS session stickiness cookies AWSALB and AWSALBCORS.
- These cookies contain values that coincidentally include the substring "ZMEU", which appears to be causing the rule to trigger incorrectly.
- We suspect the rule performs a basic substring match on header values leading to false positives.
- The requests otherwise come from valid user agents and normal browser traffic.
- This issue is impacting business operations and requires urgent attention.
Request:
- Please clarify the detection logic behind rule_ZmEu_Headers.
- Can the rule be tuned or exceptions created to avoid false positives caused by cookies?
- Is there a recommended best practice to exclude legitimate session cookies like AWSALB from this check?
- We would appreciate guidance on mitigating this issue without disabling the entire bot protection ruleset.
Please check the attached log for an example block.
Thanks.
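One way to test the substring-match suspicion described above against WAF logs, as an added example that is not part of the original post and does not reproduce F5's rule logic. It assumes AWS WAF JSON log lines and a case-insensitive match on "zmeu"; the helper names and the sample records are constructed for illustration.

```python
import json

RULE = "rule_ZmEu_Headers"         # rule name taken from the post
STICKY = {"awsalb", "awsalbcors"}  # ALB stickiness cookies named in the post
NEEDLE = "zmeu"                    # assumption: the rule matches case-insensitively

def blocked_by(rec, rule=RULE):
    """True if `rule` inside a managed rule group terminated the request."""
    return rec.get("action") == "BLOCK" and any(
        (g.get("terminatingRule") or {}).get("ruleId") == rule
        for g in rec.get("ruleGroupList") or [])

def locate(rec, needle=NEEDLE):
    """List (header name, cookie name or None) for each value containing needle."""
    hits = []
    for h in rec.get("httpRequest", {}).get("headers", []):
        name, value = h.get("name", ""), h.get("value", "")
        if name.lower() == "cookie":
            for part in value.split(";"):  # attribute the hit to one cookie
                cname, _, cval = part.strip().partition("=")
                if needle in cval.lower():
                    hits.append((name, cname))
        elif needle in value.lower():
            hits.append((name, None))
    return hits

def triage(lines):
    """For each block by RULE, say whether only stickiness cookies matched."""
    out = []
    for rec in map(json.loads, lines):
        if blocked_by(rec):
            hits = locate(rec)
            only = bool(hits) and all(c and c.lower() in STICKY for _, c in hits)
            out.append({"requestId": rec["httpRequest"].get("requestId"),
                        "hits": hits, "sticky_cookie_only": only})
    return out

def _rec(rid, action, headers):  # builds one constructed WAF log line
    term = {"ruleId": RULE, "action": action} if action == "BLOCK" else None
    return json.dumps({"action": action,
        "ruleGroupList": [{"ruleGroupId": "PLACEHOLDER", "terminatingRule": term}],
        "httpRequest": {"requestId": rid,
                        "headers": [{"name": n, "value": v} for n, v in headers]}})

SAMPLE = [  # constructed records, not taken from the poster's attached log
    _rec("req-1", "BLOCK", [("User-Agent", "Mozilla/5.0"),
        ("Cookie", "AWSALB=q9xZMEUf3K+a/7h; AWSALBCORS=q9xZMEUf3K+a/7h; sid=1")]),
    _rec("req-2", "BLOCK", [("User-Agent", "ZmEu")]),
    _rec("req-3", "ALLOW", [("User-Agent", "Mozilla/5.0")]),
]
```

Records where `sticky_cookie_only` is true are the ones worth attaching to a vendor support case, since the only matching value is a load-balancer cookie the client does not control.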
3 Replies
The AWS WAF bot signatures by AWS or even F5 are limited, as nowadays for bots it is better to use things like F5 XC Bot Defense, which, even without F5 BIG-IP/Next or XC Customer Edge in AWS, can be added to the app source code by just adding the JavaScript tag.
https://docs.cloud.f5.com/docs-v2/bot-defense/quickstarts/bot-defense-waap.
- kingsleykumar
Nimbostratus
Thanks. Is there a place where I can find the version history of F5 signature updates? I believe a recent F5 bot signature update is causing issues and would like to confirm.