Managing False Positives
Case: 9001
Problem Statement
Problem: The protected web application starts witnessing Haltdos WAF HTTP 403 error page for genuine requests.
Solution
Haltdos WAF by default shows built-in HTTP 403 error page when blocking request identified as attack. Sometimes, genuine requests may be blocked because the WAF solution has not been fine-tuned as per the application behavior. To solve this problem, Haltdos provides details of every request blocked by WAF with reason and support whitelisting to prevent genuine requests from getting blocked.
Steps to Solve:
- Copy the reference Id in Haltdos WAF HTTP 403 error page as shown below:
- Go to Incident page to check why WAF dropped the request. Each entry has an incident Id associated with the listed incident. This incident id is the same reference id shown in default Haltdos WAF HTTP 403 error page as shown below:
- After verifying if the incident was a False Positive, click on the gear icon in the matched rule as shown below to fine-tune WAF:
- A pop-up window allows you to create a whitelist rule for the problematic built-in or user-defined rule blocking genuine queries. The whitelist rule can be customized only for the affected page or can be created for the entire web application.
