Handling False Alarms

Scenarios

If legitimate service requests are blocked by WAF, the website may be inaccessible to some visitors. For example, after you connect a web service deployed on Huawei Cloud ECSs to WAF over its public domain name and enable basic web protection for it, if its normal traffic hits a protection rule, the access requests will be blocked. The web service becomes inaccessible over the domain name or returns errors to visitors, but it is still accessible over server IP addresses. It is more likely that the requests were blocked mistakenly, and the event is a false alarm. In this case, you need to handle the event as a false alarm.

You can handle false alarms in the following ways based on how they were generated:

• For a protection event triggered by a WAF built-in rule, you can ignore the corresponding WAF protection in the global protection whitelist rule or disable the corresponding bot rule. For details, see Handling False Alarms Triggered by Protection Rules.

  WAF built-in rules include basic web protection rules, known bot detection, request signature detection, bot behavior detection, and proactive feature detection rules for bot protection, and feature-based anti-crawler rules.

• For a protection event triggered by a custom rule, you can disable or delete the corresponding protection rule. For details, see Handling False Alarms Triggered by Protection Rules.

  WAF custom rules include CC attack protection rules, precise protection rules, blacklist and whitelist rules, and geolocation access control rules you create.

• For a client IP address mistakenly blocked, you can add it to an address group or add it to a blacklist/whitelist rule to allow it. For details, see Handling False Positives Based on Client IP Addresses.

Tutorial Video

Prerequisites

A protection event has been reported and displayed on the Events page.

Constraints

• A protection event can only be handled as a false alarm once.
• Dedicated WAF instances earlier than June 2022 do not support All protection for Ignore WAF Protection. Only Basic web protection can be selected.

Handling False Alarms Triggered by Protection Rules

If you are sure that an event is a false alarm generated based on a WAF built-in rule or custom protection rule, you can handle the event as a false alarm.

• WAF built-in rules include basic web protection rules, known bot detection, request signature detection, bot behavior detection, and proactive feature detection rules for bot protection, and feature-based anti-crawler rules.
• WAF custom rules include CC attack protection rules, precise protection rules, blacklist and whitelist rules, and geolocation access control rules you create.

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Events.
5. Check protection details of a specified domain name, instance, and time range. For details, see Querying a Protection Event.
6. Locate the target protection event and click Handle as False Alarm in the Operation column.
7. In the Handle False Alarm dialog box, handle the event.
   • Ignore the corresponding WAF protection based on the request features hit the rule.

     If a protection event is triggered by a rule in Basic Web Protection or Feature-based Anti-Crawler, the associated request features will be displayed in the Handle False Alarm dialog box by default. You need to ignore the corresponding WAF protection type and click OK. For details about the parameters of the global whitelist rule, see Table 1.

     Figure 1 Handle False Alarm
     

     Table 1 Parameters

     Parameter	Description	Example Value
     Scope	Domain name that the policy is applied to. All domain names: By default, this rule will be applied to all domain names that are protected by the current policy. Specified domain names: The rule will be applied to specified domain names that are protected by the current policy.	Specified domain names
     Domain Name	If Scope is set to Specified domain names, select or enter the domain names for the rule. You can click Add to add more domain names. The domain name format varies depending on the access mode. Cloud mode - CNAME access: Enter a complete domain name. Cloud mode - load balancer access: Enter Domain_name:ELB_load_balancer_ID. If the protected domain name is a single domain name, select or enter Domain_name:ELB_load_balancer_ID. If the domain name is a wildcard domain name, select or enter *:ELB_load_balancer_ID. For example, if you need to add wildcard domain name * and the ELB ID is c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5, enter *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5. Dedicated mode: Enter a complete domain name or IP address.	Cloud mode - CNAME access: www.example.com Cloud mode - Load balancer access: *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5 Dedicated mode: Enter www.example.com or 192.168.2.3.
     Condition List	Request features to be matched by the rule. If a request matches the features, WAF handles the request according to the configured rule. At least one condition is required for the rule to take effect. Click Add Condition in the condition box to add a condition in the group. You can add up to 30 conditions. If multiple conditions are configured, the rule takes effect only when all conditions are met. Click Add Condition outside the condition box to add a condition group. You can add up to three condition groups. The relationship between multiple condition groups is OR. This rule takes effect when one of the condition groups is met. Condition parameter description: Field: For details, see Condition Field Description. Subfield: Configure this field only when IPv4, IPv6, Params, Cookie, Header or Response Header is selected for Field. A subfield cannot exceed 2,048 characters. If Field is set to Response Header or Header, and Subfield is not All or Any, Case Sensitive is supported. Logic: Select the desired logical relationship from the drop-down list. Content: Enter or select the content that matches the condition. If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, you need to select a reference table.	Field is set to Path. Logic is set to Include. Content is set to /product.
     Ignore WAF Protection	Select how you want WAF to whitelist protection. All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. Basic web protection: You can ignore the entire basic web protection or specific protection type by rule ID or attack type. For example, if you do not want to check a specific URL for XSS attacks, you can configure a false alarm masking rule to mask XSS checks for the URL. ID: Protection modules will be whitelisted based on protection rule IDs. If this option is selected, you need to specify Rule ID (which can be queried in the Rule ID column in Events). Use commas (,) to separate multiple IDs. You can enter a maximum of 100 IDs. After entering a rule ID, press Enter to view the added rule ID, rule description, and risk level. You can also click Handle as False Alarm in the Operation column of the rule ID, and click Handle Now in the displayed dialog box. Then, if you select ID for Ignored Protection Type and click OK, this rule ID will be add to the global protection whitelist. For details, see Handling False Alarms. Attack type: Protection modules will be whitelisted based on the attack type. One type contains one or more rule IDs. After selecting this option, you need to specify Rule Type. You can specify multiple rule types. The options are Cross Site Scripting , Webshell, Others, SQL Injection, Scanner & Crawler, Remote File Inclusion, Local File Inclusion, and Command Injection. All built-in rules: all checks enabled in Basic Web Protection. Invalid requests: You can allow certain invalid requests. A request is invalid if: The request header contains more than 512 parameters. The URL contains more than 2,048 parameters. The request header contains "Content-Type:application/x-www-form-urlencoded", and the request body contains more than 8,192 parameters.	Ignore WAF Protection: Basic web protection Ignored Protection Type: ID Rule ID: 041046
     Rule Description	A brief description of the rule. This parameter is optional.	SQL injection attacks are not intercepted.
     Ignore Field	If you only want to ignore attacks against a specified field, enable Ignore Field and configure the field. You can ignore the fields you do not want WAF to check. If you configure ignored fields, you can leave the condition list blank. WAF can ignore the following fields: Params, Cookie, Header, Body, and Multipart. You can ignore all fields or a specified field. All fields: Params, Cookie, Header, Body, and Multipart. If All is selected, WAF will not block all attack events of the selected field. Field: Only the Params, Cookie, and Header fields are supported. If Field is selected, you need to enter a subfield. If you select Cookie, the Domain Name box for the rule can be empty.	Params All

   • Disabling a bot protection rule

     For a protection event triggered by a bot protection rule, the hit bot protection rule is displayed in the Handle False Alarm dialog box. You can click Handle Now in the dialog box and disable the rule on the displayed page. For details about bot protection rules, see Configuring Bot Protection Rules to Defend Against Bot Behavior.

   • Disabling or deleting a custom protection rule

     For a protection event triggered by a custom protection rule (such as a CC attack protection rule or precise protection rule), the custom protection rule is displayed in the Handle False Alarm dialog box. You can click Handle Now to go to the custom protection rule page. Then, click Disable or Delete in the Operation column of the target rule.

     Figure 2 Disabling or deleting a custom protection rule
     

Handling False Positives Based on Client IP Addresses

If you are sure a client IP address is blocked mistakenly, you can add the IP address to an address group and add the IP address to a blacklist/whitelist rule to allow it.

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Events.
5. Check protection details of a specified domain name, instance, and time range. For details, see Querying a Protection Event.
6. Locate the target client IP address and click Add to Address Group or Add to Blacklist/Whitelist.
   • Adding a client IP address to an address group
     1. In the Operation column of the target client IP address, choose More > Add to Address Group.
     2. In the Add to Address Group dialog box, add the client IP address to an existing address group or a new address group.
        Figure 3 Add to Address Group
        
     3. Associate the address group with a protection policy. If the address group has been associated with a protection policy, skip this step.

        After the preceding configurations are complete, WAF blocks or allows the client IP addresses based on the protection policy associated with the address group.

   • Adding a client IP address to a blacklist or whitelist
     1. In the Operation column of the target client IP address, choose More > Add to Blacklist/Whitelist.
     2. In the Add to Blacklist/Whitelist dialog box, add the client IP address to an existing rule or a new rule. For more details about a blacklist/whitelist rule, see Table 2.
        Figure 4 Add to Blacklist/Whitelist
        

        Table 2 Parameter descriptions

        Parameter	Description
        Add to	Existing rule: Add the client IP address to an existing blacklist or whitelist rule used for the protected domain name. New rule: Create a blacklist or whitelist rule for the protected domain name and add the client IP address to the rule.
        Rule Name	If you select Existing rule for Add to, select a rule name from the drop-down list. If you select New rule for Add to, customize a blacklist or whitelist rule.
        IP Address/Range/Group	Add an IP address, IP address range, or address group. This parameter is mandatory only when you select New rule for Add to. IP address/range: Add the client IP address to the blacklist or whitelist. Address group: Add the client IP address to the address group associated with the blacklist or whitelist rule. If you select Address Group, you need to select an existing address group or add a new address group. For details, see Adding an IP Address Group.
        Protective Action	Select the protective action for the rule. This parameter is mandatory only when you select New rule for Add to. Block: Select Block if you want to black the IP address or IP address range you configure previously. Allow: Select Allow if you want to allow the IP address or IP address range you configure previously. Log only: Select Log only if you want to observe the traffic from the IP address or IP address range you configure previously.
        Known Attack Source	If you select Block for Protective Action, you can configure a known attack source rule. Then, WAF blocks the requests matching the configured IP, Cookie, or Params for a period configured by the known attack source rule. For details about know attack source rules, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
        Rule Description	Description of the rule.

        After the preceding configurations are complete, WAF blocks or allows client IP addresses based on the blacklist and whitelist rule you configure.

Operation Result Verification

It takes about one minute for the operation works. Handled false alarms will no longer be displayed in the event list. You can refresh the browser cache, access the page for which the global whitelist rule is configured, and check whether the configuration is successful.

Related Operations

• If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist rule list. You can go to the Policies page and then switch to the Global Protection Whitelist page to manage the rule, including querying, disabling, deleting, and modifying the rule. For details, see Configuring a Global Protection Whitelist Rule.
• If the Handle as False Alarm button is grayed out, see Why Is the Handle as False Alarm Button Grayed Out?