How can I troubleshoot false positives with AWS WAF?

Last updated: 2019-11-15

AWS WAF is blocking some of my legitimate web requests. How can I find out why WAF is blocking traffic and resolve these false positives?

Short Description

To troubleshoot false positives in AWS WAF:

  1. Identify the rules that are causing false positives
  2. Reconfigure the rules to enable traffic and prevent false positives

Resolution

Identify the rules that are causing false positives

  1. Open the WAF console and choose Go to AWS WAF.
  2. Choose Web ACLs from the navigation pane.
  3. Select the name of the Web ACL that you're testing.
  4. For Sample requests, select the first rule in the list, and then choose Get new samples. Review the results to find any blocked requests.
    Note: AWS WAF randomly selects requests from the first 5,000 requests that your AWS resource received during the specified time range. You can specify a sample size of up to 500 requests, and any time range in the previous three hours.
  5. Repeat step 4 for each of the remaining rules in your Web ACL.

Note: You can also use AWS WAF Logging to find the rule ID that triggered the block.

Reconfigure the rules to enable traffic and prevent false positives

  1. Complete the following for each rule that you identified as containing blocked requests:
    Choose the Rules tab.
    Choose Edit web ACL.
    Change the Action from Block to Count.
  2. After you've made all necessary changes to the rules, choose Update.
  3. Resend requests to the updated rules to confirm that they're no longer blocked. To do this, select each updated rule from the Sample requests dropdown, and then choose Get new samples.
  4. Review each updated rule and compare the sample requests with the conditions of the rule. Remove any conditions that are blocking legitimate requests based on the filters in the condition.

Did this article help you?

Anything we could improve?


Need more help?