Forum Discussion

tboemker's avatar
tboemker
Icon for Nimbostratus rankNimbostratus
Jan 07, 2022

Impact of adding new rules in Block mode

When new rules are added to a managed rule set, they are added in Block mode. In a production environment, that could cause legitimate traffic to start being blocked.

 

How are customers supposed to know about new rules before they potentially block legitimate traffic? Do you have a release schedule?

2 Replies

  • Hi,

     

    1. Unlike traditional, full blown WAF security solutions, the content of F5 rules is not visible and cannot be viewed.

    2. Rules are updated approximately once per quarter.

    3. In production environment if the legitimate traffic is blocked after rules update, please disable the rule that blocked your service .

    4. Send us the HTTP request that was blocked with the name of the rule that matched it. We will analyze the details to determine the root cause and proposed solution.

     

    Thanks

    Mohamedfaizur

     

     

  • The AWS WAF is basically linux modsecurity so no matter if you use the F5 rules or AWS ones this are the AWS WAF limitations as there is no machine learning or new rules or modified being placed in learning mode  like the F5 signatures.

     

    The only option I can suggest is to use AWS waf version managment and to change the "default" setting to a specific version and each week to manially check for a new version and if there is a new version to select it and then to test in a test window. you my try to automate this in some way.

     

    https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html