How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?
Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.
If a large number of false alarms are reported for a specific service, handle them on the Events page. To do so, you can ignore the specific URL and rule ID. Then, WAF will no longer block the same type of request to the URL.
In the row containing the false alarm event, click Details in the Operation column and view the event details. If you are sure that the event is a false positive, handle it as a false alarm by referring to Table 1. After an event is handled as a false alarm, WAF stops blocking corresponding type of event. No such type of event will be displayed on the Events page and you will no longer receive alarm notifications accordingly.
Type of Hit Rule |
Hit Rule |
Handling Method |
---|---|---|
WAF built-in protection rules |
|
In the row containing the attack event, click Handle False Alarm in the Operation column. For details, see Handling False Alarms. |
Custom protection rules |
|
Go to the page displaying the hit rule and delete it. |
Other |
Invalid access requests
NOTE:
If either of the following cases, WAF blocks the access request as an invalid request:
|
Allow the blocked requests by referring to Configuring a Precise Protection Rule. The Handle False Alarm button for invalid access events are grayed out as such events are generated against a precise protection rule. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot