Forum Discussion

vaibhavkumar-savkare's avatar
Jan 13, 2023

F5 rules for AWS WAF: API Blocked Due to F5 Rule set

Hello,

We have WAF ACL "bl-prd-crm-acl" for our production workload.

One of our production api URL  was got blocked due to this as it was due to F5 Rule. with error 403 forbidden.

Time Frame :2023-01-05 to 2023-01-11 We need RCA for the block and currently we have allowed the IP for the service consumer but we want to fix the issue itself considering production environment.

7 Replies

  • To understand this, you'll need to go through your request and response logs to see what the error was. Usually, it's very clear. If you've not done this yet, here is, maybe, a lifeline:

    https://www.youtube.com/watch?v=1W5HSTlNpgY&t=0s

     

    And also, I'd contact your sales team to ask about training options. They can help figure out what is needed.

    • vaibhavkumar-savkare's avatar
      vaibhavkumar-savkare
      Icon for Nimbostratus rankNimbostratus

      Hello,

       

      The link shared returns "The Video is unavailable".

      So Is it possible for you to check the attached WAF logs and conclude.

      • AubreyKingF5's avatar
        AubreyKingF5
        Icon for Admin rankAdmin

        Not at all. You need the detailed events so you can see packet payload. The video worked fine for me from 3 different devices just now, so I'd try a different device.  Or maybe post pictures of the relevant events from the AWAF event viewer?

  • Hello,

    I am checking with my team if I can share packet payload or not.

     

    Till then can you please provide detailed documentaion for ruleid=rule_XSS_script_tag__Parameter__AllQueryArguments_Body

     

    [{rulegroupid=F5#OWASP_Managed, terminatingrule={ruleid=rule_XSS_script_tag__Parameter__AllQueryArguments_Body, action=BLOCK, rulematchdetails=null}, nonterminatingmatchingrules=[], excludedrules=null}]
    • Joel_Cohen's avatar
      Joel_Cohen
      Icon for Employee rankEmployee

      Hello,

      The rule mentioned is related to cross-site scripting. Unlike traditional, full blown WAF security solutions, the content and detailed descriptions of F5 rules cannot be viewed.

      If the rule was blocking legitimate traffic, you can disable it.

      I hope this helps

      Thanks

      Joel