Why is my AWS WAF custom rule not working?

Last updated: 2022-07-12

I created a custom AWS WAF rule but it's not working as expected. What can I do to troubleshoot the issue?

Resolution

If your custom AWS WAF rule isn't working as expected, check the following:

  • Priority of a rule
  • Text transformation
  • Boolean logic

Priority of a rule

Check that you’ve placed your custom rule at a correct priority. For more information, see Processing order of rules and rule groups in a web ACL.

You can access a rule by name in the rule group or web ACL where it's defined.

AWS WAF rules evaluation order goes from top to bottom, and then stops at the first matching terminating Allow, Block, or CAPTCHA rule. If your request matches one of the terminating rules placed above your custom rule, AWS WAF will take the action specified in that rule. The request won’t be evaluated against your custom rule. For more information, see Basic handling of the rule and rule group actions in a web ACL.

For example, suppose that you’re creating a custom allow rule to allow the request that’s being blocked by an AWS Managed Rule group (AMR). You must place your custom rule above (at a lower numeric priority) than the AMR that’s blocking the request.

You can manage the priority order through the AWS WAF console Rule Builder, which is available for web ACLs and rule groups. To change the priority order using AWS API, use UpdateWebACL and UpdateRuleGroup API calls. To change the priority order using AWS CLI, use update-web-acl and update-rule-group commands.

Text transformation

If you’re using text transformations in your custom rule, check that you’ve applied it in a correct manner. For more information, see AWS WAF Text transformations.

AWS WAF applies the transformation before inspecting the request. If you specify more than one transformation, AWS WAF processes them in the order listed. You must verify the transformation and order of transformation if you’re using multiple transformations, in your custom rule.

For example, if you created a custom rule to perform Base64 decode and URL decode for a string in the query argument. AWS WAF first performs the Base64 decode of query string in the incoming request. The Base64 decode resulting string is further transformed using a URL decode. Then, the URL decode resulting string is inspected against the string that you provided in your rule configuration.

Boolean logic

If you're using logical rule statements, verify that the AND, OR, or NOT logic used for your custom rule is correct. For more information, see Rule statements list and follow the instructions in Logical rules statements.

To verify this is by using Boolean logic, consider this example:

If you create a custom rule that matches with a request with the criteria: request has URI "/test" AND source IP is in the IP set X, then Block.

Request 1

If the request has URI "/test" (Boolean 1) AND IP is NOT in the IP set X (Boolean 0), then Boolean 1 AND Boolean 0 results in Boolean 0.

This request won't match with your custom rule.

Request 2

If the request doesn't have URI "/test" (Boolean 0) AND IP is NOT in the IP set X (Boolean 0), then Boolean 0 AND Boolean 0 results in Boolean 0.

This request won't match with your custom rule.

Request 3

If the request has URI "/test" (Boolean 1) AND IP is in the IP set X (Boolean 1), then Boolean 1 AND Boolean 1 results in Boolean 1.

This request will match your custom rule.


Did this article help?


Do you need billing or technical support?