Help Center> Web Application Firewall> Best Practices> Handling False Alarms to Get Improved Basic Web Protection
Updated on 2022-11-11 GMT+08:00

Handling False Alarms to Get Improved Basic Web Protection

After you connect your website to Web Application Firewall (WAF) and enable basic web protection, WAF detects and blocks requests that match the rules you configured. If a normal request matches a basic web protection rule and is blocked by WAF, you can handle the event as false alarm. In this way, WAF will no longer block the same type of request.


You can view false alarm events on the Events page.


An event can only be handled as a false alarm once.

Application scenarios

Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on a Huawei Cloud ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application.

Impact on the System

  • The event will not be displayed on the Events page and you will not receive any alarm notifications about the event.
  • If an event is handled as a false alarm, the rule hit will be added to the the global protection whitelist (formerly false alarm masking) rule list. You can go to the Policies page and then switch to the corresponding Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, or modifying the rule.


  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane on the left, choose Events.
  5. In the event list, search for false alarms by protected website, event type, source IP address, and URL. Figure 1 shows an example.

    Figure 1 Viewing protection events

  6. In the Operation column of an event you consider as a false alarm, click Details. On the displayed page, confirm that the event is a false alarm. Figure 2 shows an example.

    Figure 2 Event Details

  7. In the row containing the event, click Handle False Alarm in the Operation column.
  8. In the displayed dialog box, click OK.

    Figure 3 Add Global Protection Whitelist Rule
    • Click Add to add other protected domain names to apply the false alarm masking rule to these domain names.
    • Path

      Part of the URL (excluding a domain name) that a false alarm is reported for. The default value is the source path of the event.

      • Prefix match: If you select Prefix is, the entered path is used as the prefix. For example, if the path you want to protect is /admin/test.php or /adminabc, set Path to /admin.
      • Exact match: The path you entered must be Equal to the path you want to protect. For example, if the path you want to protect is /admin/test.php, set Path to /admin/test.php.


A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the event list. You can clear the cache, refresh the browser, and access the page again to verify whether the false alarm was successfully handled. If the requested page responds normally, the configuration takes effect.

Basic Web Protection Check Items

WAF basic web protection defends against common Open Web Application Security Project (OWASP) security threats. WAF uses built-in semantic analysis and regular expression engines for basic web protection to detect and block threats such as malicious scanners, IP addresses, and web shells. You can enable all protection rules in basic web protection or only the ones you want. For details, see Table 1.

Table 1 Protection types



General Check

Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics.


If you enable General Check, WAF checks your websites based on the built-in rules.

Webshell Detection

Protects against web shells from upload interface.


If you enable Webshell Detection, WAF detects web page Trojan horses inserted through the upload interface.

Deep Inspection

Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.


If you enable Deep Inspection, WAF detects and defends against evasion attacks in depth.

Header Inspection

This function is disabled by default. When it is disabled, General Check will check some of the header fields, such as User-Agent, Content-type, Accept-Language, and Cookie.


If you enable this function, WAF checks all header fields in the requests.

Shiro Decryption Check

This function is disabled by default. After this function is enabled, WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks whether this field is attacked. There are hundreds of known leaked keys included and checked for.

Basic Web Protection Levels

WAF provides three basic web protection levels, Low, Medium, and High. The default level is Medium. The lower the protection level, the higher the false negative rate and the lower the false positive rate. For details, see Table 2.

Table 2 Protection levels

Protection Level



WAF only blocks the requests with obvious attack signatures.

If a large number of false alarms are reported, Low is recommended.


The default level is Medium, which meets a majority of web protection requirements.


WAF blocks the requests with no attack signature but have specific attack patterns.

High is recommended if you want to block SQL injection, XSS, and command injection attacks.