Waste of time if you want to know why particular traffic is blocked
Why did that particular IP address get blocked?
This is a question I get asked regularly by management. My usual route to the answer is checking for source IP addresses on abuse lists and then reporting on those.
For the rest of the traffic that gets blocked, I can't correlate the rule ID that shows up in a log file with a rule name that's understandable by a human.
Yes, humans do still exist and some of them pay our salaries, so we need to let them know what's blocking (in some cases) legitimate traffic to their websites.
In my view, this is the case across the board when using the AWS WAF solution with managed rule groups. This service is not market ready.
It's all well and good saying there's a shared responsibility model but I've yet to find someone with an easy way to work out what rule blocked their traffic.
Not even F5 support or an AWS support person could tell me how to do this.
Have you enabled Logging? You can run Queries against Athena to find out why it is blocked
You may be interested in this article: https://devcentral.f5.com/articles/f5-rules-for-aws-waf-rule-id-to-attack-type-reference-33105

'''
With the recent addition of logging capabilities of requests that had a match with one of the rule sets, there is now an option to:
- See the full request that had a match with the rule ID.
- Understand the attack type that relates to the rule ID.
- Remove specific rule ID from the rule set in the case it generates false positives.
The following CSV maps between rule IDs and attack types, and will help customers of the F5 Rules for AWS WAF products to better manage rule exclusions in their Access Lists. https://devcentral.f5.com/Portals/0/Images/userfiles/7297/awswaf-070119_csv.txt
For more details on AWS-WAF logging configuration please visit: https://docs.thinkwithwp.com/waf/latest/developerguide/logging.html
'''
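The two replies above describe the pieces (WAF logging plus the rule-ID-to-attack-type CSV) but not how to join them. The following is an added example, not code from the review, F5 or AWS: it reads AWS WAF log records (JSON, one per line) and the reference CSV, and reports each BLOCK with the human-readable attack type. The log lines, rule IDs and attack-type names are constructed samples in the shape of the real log format and CSV; the matching rule ID sits in ruleGroupList[*].terminatingRule, not in the top-level terminatingRuleId (which names the group).

```python
import csv
import io
import json
from collections import Counter

# Constructed stand-in for the F5 reference CSV (rule IDs and names are placeholders).
RULE_MAP_CSV = """rule_id,attack_type
200001,SQL Injection
200004,Cross Site Scripting
200015,Command Execution
"""

# Constructed AWS WAF log records, trimmed to the fields this lookup needs.
SAMPLE_LOG = """\
{"timestamp":1564000000000,"action":"BLOCK","terminatingRuleId":"f5-group-id","ruleGroupList":[{"ruleGroupId":"f5-group-id","terminatingRule":{"ruleId":"200004","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.10","httpMethod":"GET","uri":"/search"}}
{"timestamp":1564000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7","httpMethod":"GET","uri":"/"}}
{"timestamp":1564000002000,"action":"BLOCK","terminatingRuleId":"f5-group-id","ruleGroupList":[{"ruleGroupId":"f5-group-id","terminatingRule":{"ruleId":"200001","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.10","httpMethod":"POST","uri":"/login"}}
{"timestamp":1564000003000,"action":"BLOCK","terminatingRuleId":"f5-group-id","ruleGroupList":[{"ruleGroupId":"f5-group-id","terminatingRule":{"ruleId":"999999","action":"BLOCK"}}],"httpRequest":{"clientIp":"192.0.2.44","httpMethod":"GET","uri":"/admin"}}
"""


def load_rule_map(csv_text):
    """Return {rule_id: attack_type} from the reference CSV."""
    return {row["rule_id"]: row["attack_type"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def explain_blocks(log_text, rule_map):
    """Yield one readable record per blocked request, resolving the rule ID."""
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("action") != "BLOCK":
            continue
        for group in rec.get("ruleGroupList", []):
            rule = group.get("terminatingRule") or {}
            if rule.get("action") != "BLOCK":
                continue
            rid = rule["ruleId"]
            req = rec["httpRequest"]
            yield {"client_ip": req["clientIp"], "method": req["httpMethod"],
                   "uri": req["uri"], "rule_id": rid,
                   # Unknown IDs are surfaced rather than silently dropped.
                   "attack_type": rule_map.get(rid, "UNKNOWN (not in reference CSV)")}


def summarize(log_text, rule_map):
    """Count blocks per attack type: the figure management usually asks for."""
    return Counter(r["attack_type"] for r in explain_blocks(log_text, rule_map))


if __name__ == "__main__":
    rmap = load_rule_map(RULE_MAP_CSV)
    for r in explain_blocks(SAMPLE_LOG, rmap):
        print(f'{r["client_ip"]} {r["method"]} {r["uri"]} -> rule {r["rule_id"]}: {r["attack_type"]}')
    print(dict(summarize(SAMPLE_LOG, rmap)))
```

The same join can be done in Athena by loading the CSV as a second table and joining it against the unnested ruleGroupList, but running it locally over a downloaded log file is the quickest way to answer the "why was this IP blocked?" question.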
Hi Jat B, Thank you for taking the time to write a review. AWS recently introduced additional WAF logging capabilities that may be helpful in providing additional details about the traffic that is being blocked. F5 Networks and AWS are working together to continuously expand the application security offerings available on AWS. If you determine that your application security requirements are beyond the capabilities of the AWS WAF, you may want to consider F5's full-featured Advanced WAF. Here are some details on the recently added AWS WAF logging and monitoring features:
https://thinkwithwp.com/about-aws/whats-new/2018/08/aws-waf-launches-new-comprehensive-logging-functionality/
https://docs.thinkwithwp.com/waf/latest/developerguide/monitoring_automated_manual.html
Did F5 support mention there is also a full-featured WAF from F5 available for AWS? Here is a video describing it. The video is a bit old and there have been some updates since, but it is still useful: https://www.youtube.com/watch?v=TGHi_KbZ0t4