Help Center> Web Application Firewall> FAQs> Service Interruption Check> How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?

Updated on 2024-02-01 GMT+08:00

View PDF

How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?

Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and handle false alarms in the project. For more details, see Project and Enterprise Project.

In the row containing the false alarm event, click Details in the Operation column and view the event details. If you are sure that the event is a false positive, handle it as a false alarm by referring to Table 1. After an event is handled as a false alarm, WAF stops blocking corresponding type of event. No such type of event will be displayed on the Events page and you will no longer receive alarm notifications accordingly.

**Table 1** Handling false alarms
Type of Hit Rule	Hit Rule	Handling Method
WAF built-in protection rules	Basic web protection rules Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks. Feature-based anti-crawler protection Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.	In the row containing the attack event, click Handle as False Alarm in the Operation column. For details, see Handling False Alarms.
Custom protection rules	CC attack protection rules Precise protection rules Blacklist and whitelist rules Geolocation access control rules Web tamper protection rules JavaScript anti-crawler protection Information leakage prevention rules Data masking rules	Go to the page displaying the hit rule and delete it.
Other	Invalid access requests NOTE: If either of the following cases, WAF blocks the access request as an invalid request: When form-data is used for POST or PUT requests, the number of parameters in a form exceeds 8,192. The URI contains more than 2,048 parameters. The number of headers exceeds 512.	Allow the blocked requests by referring to Configuring a Precise Protection Rule. The Handle as False Alarm button is grayed out for events that are generated against a precise protection rule.

Parent topic: Service Interruption Check

Service Interruption Check FAQs

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot

more