Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Impact of adding new rules in Block mode

tboemker
Nimbostratus
Nimbostratus

When new rules are added to a managed rule set, they are added in Block mode. In a production environment, that could cause legitimate traffic to start being blocked.

 

How are customers supposed to know about new rules before they potentially block legitimate traffic? Do you have a release schedule?

2 REPLIES 2

Mohamedfaizur
F5 Employee
F5 Employee

Hi,

 

1. Unlike traditional, full blown WAF security solutions, the content of F5 rules is not visible and cannot be viewed.

2. Rules are updated approximately once per quarter.

3. In production environment if the legitimate traffic is blocked after rules update, please disable the rule that blocked your service .

4. Send us the HTTP request that was blocked with the name of the rule that matched it. We will analyze the details to determine the root cause and proposed solution.

 

Thanks

Mohamedfaizur

 

 

The AWS WAF is basically linux modsecurity so no matter if you use the F5 rules or AWS ones this are the AWS WAF limitations as there is no machine learning or new rules or modified being placed in learning mode  like the F5 signatures.

 

The only option I can suggest is to use AWS waf version managment and to change the "default" setting to a specific version and each week to manially check for a new version and if there is a new version to select it and then to test in a test window. you my try to automate this in some way.

 

https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html