What to Do If WAF Is Blocking Legitimate Traffic

Once a website has been tuned and is in Protect mode, the WAF will begin blocking violations. If you notice that the WAF is blocking legitimate traffic (false positive), please contact Alert Logic support so we can assist you with resolving the false positive. If you are testing or just curious about a particular block event, you can track down the Deny Log entry on the WAF.

To track down the Deny Log entry:

  1. When the WAF in Protect mode blocks a request, it will always display a WAF block page. When you see the WAF block page, make a note of the Reference ID.

  2. In the Alert Logic console, click navigation menu () > Configure > WAF, and then click the Appliances tab.
  3. In the item row of your appliance, click the appliance name.
  4. In the Managed WAFconsole, click Websites, and then click the desired website.
  5. On the Websites page, click Log > Deny Log.

  6. On the Deny Log page, click the Filter >> button.

  7. On the Filter page, enter the Reference ID you noted from step in the Ref ID field.

  8. Click Apply on the lower right. The Deny Log list will show only the entry with the matching Reference ID.