Forum Discussion

hungnguyen-ocl's avatar
hungnguyen-ocl
Icon for Nimbostratus rankNimbostratus
May 16, 2023

Exclude some valid URI from AWS WAF and Analyze WAF results

Hello,

We have subscribed to F5 Rules for AWS WAF - Web exploits OWASP Rules and applied these rules to our production with COUNT mode.

After a while, we check the logs for the requests and see that WAF counts also valid requests from our applications.

We want to see the reason why these requests were counted and fix them accordingly so they would pass WAF when we turn WAF to BLOCK mode. How can we move on with this approach?

Plus, is it possible to exclude some specific URIs that we know are valid to bypass WAF?

Thanks!

cloud
devops
F5 Rules for AWS WAF
security

1 Reply

Sort By
  • Joel_Cohen's avatar
    Joel_Cohen
    Icon for Employee rankEmployee
    May 19, 2023

    Hi,

    It is common that some applications require certain data in requests that resemble attacks or parts of attacks, and these are picked up by the WAF. In this case you can disable the specific rule, in the group, that is blocking the requests.

    The other option is to see what is triggering the rule, and change the app to avoid it. Unofrutnately, unlike traditional, full blown WAF security solutions, the content of F5 rules for AWS WAF is not visible and cannot be viewed. You may send us the HTTP request that was blocked and the name of the rule that matched it and we can provide more information.

    About your second question to exclude URIs - The F5 Rule groups only inspect the traffic and match it against the rules to detect possible attacks. Control over which traffic to inspect and which not to is done by the AWS WAF infrastructure. 

    I hope this answers your questions.

    Joel