Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

F5 rules for AWS WAF: API Blocked Due to F5 Rule set

vaibhavkumar-savkare
Nimbostratus
Nimbostratus

‎13-Jan-2023 01:55 - last edited on ‎22-Jan-2023 07:25 by MVP

Hello,

We have WAF ACL "bl-prd-crm-acl" for our production workload.

One of our production api URL  was got blocked due to this as it was due to F5 Rule. with error 403 forbidden.

Time Frame :2023-01-05 to 2023-01-11 We need RCA for the block and currently we have allowed the IP for the service consumer but we want to fix the issue itself considering production environment.

Labels:
0 Kudos
7 REPLIES 7

Leslie_Hubertus
Community Manager
Community Manager

‎19-Jan-2023 13:36

Hi @vaibhavkumar-savkare  - I see nobody has answered your question yet, so I featured it in the Unanswered Questions section of this week's Highlights article. I've also asked a colleague to take a look. 

AubreyKingF5
Community Manager
Community Manager

‎19-Jan-2023 14:07

To understand this, you'll need to go through your request and response logs to see what the error was. Usually, it's very clear. If you've not done this yet, here is, maybe, a lifeline:

https://www.youtube.com/watch?v=1W5HSTlNpgY&t=0s

 

And also, I'd contact your sales team to ask about training options. They can help figure out what is needed.

0 Kudos

vaibhavkumar-savkare
Nimbostratus
Nimbostratus
In response to AubreyKingF5

‎20-Jan-2023 02:26

Hello,

 

The link shared returns "The Video is unavailable".

So Is it possible for you to check the attached WAF logs and conclude.

0 Kudos

AubreyKingF5
Community Manager
Community Manager
In response to vaibhavkumar-savkare

‎20-Jan-2023 12:32

Not at all. You need the detailed events so you can see packet payload. The video worked fine for me from 3 different devices just now, so I'd try a different device.  Or maybe post pictures of the relevant events from the AWAF event viewer?

0 Kudos

vaibhavkumar-savkare
Nimbostratus
Nimbostratus

‎27-Jan-2023 05:04

Hello,

I am checking with my team if I can share packet payload or not.

 

Till then can you please provide detailed documentaion for ruleid=rule_XSS_script_tag__Parameter__AllQueryArguments_Body

 

[{rulegroupid=F5#OWASP_Managed, terminatingrule={ruleid=rule_XSS_script_tag__Parameter__AllQueryArguments_Body, action=BLOCK, rulematchdetails=null}, nonterminatingmatchingrules=[], excludedrules=null}]
0 Kudos

Leslie_Hubertus
Community Manager
Community Manager
In response to vaibhavkumar-savkare

‎31-Jan-2023 13:41

This might be a question for @Joel_Cohen.

0 Kudos

Joel_Cohen
F5 Employee
F5 Employee
In response to vaibhavkumar-savkare

‎01-Feb-2023 10:24

Hello,

The rule mentioned is related to cross-site scripting. Unlike traditional, full blown WAF security solutions, the content and detailed descriptions of F5 rules cannot be viewed.

If the rule was blocking legitimate traffic, you can disable it.

I hope this helps

Thanks

Joel

0 Kudos
Copyright © 2023 Khoros, LLC