F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives


Web Application Firewall (WAF) has evolved to protect web applications from attack. A signature-based WAF responds to threats through the implementation of application-specific detection rules which block malicious traffic. These managed rules work extremely well for patterns of established attack vectors, as they have been extensively tested to minimize both false negatives and false positives.  

Most of the Web Applications development is concentrated to deliver services seamlessly rather than integrating security services to tackle recent or every security attack. Some applications might have a logic or an operation that looks suspicious and might trigger a WAF rule. But that is how applications are built and made to behave depending on their purpose. Under these circumstances WAF considers requests to these areas as attack, which is truly not, and the respective attack signature is invoked which is called as False Positive. Though the requests are legitimate WAF blocks these requests. 

It is tedious to update the signature rule set which requires greater human effort. AI/ML helps to solve this problem so that the real user requests are not blocked by WAF.  

This article aims to provide configuration of WAF along with Automatic attack signature tuning to suppress false positives using AI/ML model. 


A More Intelligent Solution: 

F5 Distributed Cloud (F5 XC) AI/ML model uses self-learning probabilistic machine learning model that suppresses false positives triggered by Signature Engine.  

AI/ML is a tool that identifies the false positives triggered by signature engine and acts as an additional layer of intelligence, which automatically suppresses false positives based on a Machine learning model without human intervention. This model minimizes false positives and helps to determine the probability that triggered the particular signature is evidence of an attack or just an error or a change in how users interact with the application. This model is trained using vast amount of benign and an attack traffic of real time customer log. AI/ML model does not rely on human involvement to understand operational patterns and user interactions with Web Application. Hence it saves a lot of human effort.  


Step by step procedure to enable attack signature tuning to supress false positives 

These are the steps to enable attack signatures and its accuracy 

  1. Create a firewall by enabling Automatic attack signatures 
  2. Assign the firewall to Load Balancer 


Step 1: Create an App Firewall 

  • Navigate to F5 XC Console Home > Load Balancers > Security > App Firewall and click on Add App Firewall 
  • Enter valid name for Firewall and Navigate to Detection Settings 
  • Select Security Policy as “Custom” with in the Detection settings and select Automatic Attack Signatures Tuning “Enable” as shown below,  
  • Select Signature Selection by Accuracy as “High and Medium” from the dropdown. 
  • Scroll down to the bottom and click on “Save and Exit” button. 

Fig 1: Security policy settings to enable Automatic Attack Signature Tuning

Steps 2: Assigning the Firewall to the Load Balancer 

  • From the F5 XC Console homepage, Navigate to Load Balancers > Manage > Load Balancers > HTTP load balancer 
  • Select the load balancer to which above created Firewall to be assigned.  
  • Click on menu in Actions column of app Load Balancer and click on Manage Configurations as shown below to display load balancer configs. 

Fig 2: Selecting menu to manage configurations for load balancer

  • Once Load Balancer configurations are displayed click on Edit configuration button on the top right of the page.  
  • Navigate to Security Configuration settings and choose Enable in dropdown of Web Application Firewall (WAF)  
  • Assign the Firewall to the Load Balancer which is created in step 1 by selecting the name from the Enable dropdown as shown below,  
  • Scroll down to the bottom and click on “Save and Exit” button, with this Firewall is assigned to Load Balancer. 

Fig 3: Assigning firewall to the load balancer

Step 3: Verify the auto supressed signatures for false positives 

  • From the F5 XC Console homepage, Navigate to Web App and API Protection > Apps & APIs > Security and select the Load Balancer 
  • Select Security Events and click on Add filter 
  • Enter the key word Signatures.states and select Auto Supressed. 
  • Displayed logs shows the Signatures that are auto supressed by AI/ML Model. 

Fig 4: F5 XC Auto suppress attack signature Abuse of Functionality.

Fig 5: Attack Signature is Auto Suppressed.



With the additional layer of intelligence to the signature engine F5 XC's AI/ML model can automatically suppresses false positives without human intervention. Customer can be less concerned about their activities of application that look suspicious which in turns to be actual behaviour and hence the legitimate requests are not blocked by this model. Decisions are based on enormous amount of real data fed to the system to understand application and user’s behaviour which makes this model more intelligent.  

Updated Nov 15, 2022
Version 3.0

Was this article helpful?


  • HI Nikoolayy1  We use different methods to detect false positves in BIG IP and F5 XC. BIG IP uses Policy Builder Functionality to identify whether the request is false positive or not. It is based on configs provided in BIG IP and it is not based on AI or ML algorithm as of now. In F5 XC, AI/ML algorithm will decide whether the request is False Positive are not.

  • Does the AI/ML for signature tuning is also available in BIG-IP AWAF?

  • @chaithanya_dileep, Thanks for the info, for those auto-suppressed, would there be reason shown why it is suppressed? Just may need to provide explanation in case client raise. thanks.

  • thanks @chaithanya_dileep, can i assume these auto-suppressed traffic won't be blocked by WAAP WAF [even WAF in blocking mode]? as it is regards as false-positive. thanks.