
AWS WAF using a marketplace rule group supplied by F5

My organisation has implemented an AWS WAF to protect our websites from malicious traffic.

As part of the implementation, we decided to use a marketplace rule group supplied by F5.

The URL for the above marketplace rule group is https://aws.amazon.com/marketplace/pp/B077PJGPWH

So now we have the Web Application Firewall implemented with the AWS WAF - Web Exploits Rules by F5 implemented, seeing all traffic and managing it i.e. blocking some, allowing some through.

I have enabled logging on the Web Application Firewall and I can see what traffic has been blocked but I can’t see why.

A small snippet of the log output shows -

"terminatingRule":{"ruleId":"4aad97c8-482a-4686-8c09-c291f8064e1d","action":"BLOCK"},"

But I can’t translate the above ruleId number to a human understandable version of why a particular piece of traffic was blocked.

My management teams are querying blocked traffic and all I can currently tell them is that some traffic was blocked but I don’t know why, because I can’t see what actual rule the ruleId translates to.

How can I provide these answers to my management team? The questions they are asking are completely plausible. Hopefully, someone here can help me with this.

Also, I can't see a way of uploading log file data easily here. Can someone please advise on this too?

I don't see an attachment upload button.

Thanks in advance.

Jat


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Please follow the procedure detailed in K21015971: Overview of F5 RuleGroups for AWS WAF

Reporting false positives on DevCentral

With full request logging you can now report on a rule that generates too many false positives. To report false positives, complete the following:

  • Log three to five requests that the rule has flagged as malicious requests.
  • Make sure that the requests do not contain any sensitive information; if they do, please mask the sensitive data with ****.
  • Attach the requests to a message (Ask a Question) on the DevCentral Answers forum.
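An added example (not part of the original answer or of F5's article) of the collection step described above: it selects requests that a given ruleId blocked from AWS WAF full logs and masks sensitive values with `****` before they are shared. The header and parameter lists and the sample log lines are assumptions constructed for illustration; field names follow the AWS WAF log format, with `terminatingRule` being the object shown in the question's snippet.

```python
import json

MASK = "****"
# Assumed lists of fields that carry secrets; extend them for your application.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "password", "session"}

def blocking_rule_ids(record):
    """ruleIds of rule-group rules that terminated this request with BLOCK."""
    groups = record.get("ruleGroupList") or []
    rules = [g.get("terminatingRule") or {} for g in groups]
    return [r.get("ruleId") for r in rules if r.get("action") == "BLOCK"]

def mask_request(record):
    """Return a copy with sensitive header and query-parameter values masked."""
    masked = json.loads(json.dumps(record))  # deep copy via JSON round trip
    req = masked.get("httpRequest") or {}
    for header in req.get("headers") or []:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = MASK
    if req.get("args"):
        pairs = []
        for pair in req["args"].split("&"):
            name, sep, _ = pair.partition("=")
            secret = sep and name.lower() in SENSITIVE_PARAMS
            pairs.append(name + sep + MASK if secret else pair)
        req["args"] = "&".join(pairs)
    return masked

def select_samples(lines, rule_id, limit=5):
    """Collect up to `limit` masked requests blocked by `rule_id`."""
    samples = []
    for line in lines:
        if len(samples) >= limit:
            break
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if rule_id in blocking_rule_ids(record):
            samples.append(mask_request(record))
    return samples

# Constructed sample log lines (not real traffic); RULE is the ruleId quoted in the question.
RULE = "4aad97c8-482a-4686-8c09-c291f8064e1d"
def _line(rule_id, action, args):
    hdrs = [{"name": "Host", "value": "www.example.com"}, {"name": "Cookie", "value": "sid=abc"}]
    return json.dumps({"ruleGroupList": [{"terminatingRule": {"ruleId": rule_id, "action": action}}],
                       "httpRequest": {"uri": "/search", "args": args, "httpMethod": "GET", "headers": hdrs}})
SAMPLE_LOG = [_line(RULE, "BLOCK", "q=select+a+plan&token=s3cr3t"), "{truncated",
              _line("other-rule", "BLOCK", "q=x"), _line(RULE, "BLOCK", "")]
```

Only named parameters are masked, so the part of the request that triggered the rule stays visible to whoever reviews the false positive; read each sample before posting it, since secrets can also sit in the URI path or in headers not on the list.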