|
Fortinet AWSWAF managed rules on AWS WAF v2 and are updated usually once in a couple of months depending on the new signatures identified. If the user subscribed to get notified when these updates are pushed, an email stating that 'Update has been applied to Fortinet [OWASP Top 10] Default today' will be received.
In some cases, after the update has been pushed, users tend to notice blocks that have not been observed before as the rules are usually applied strictly to protect critical information. To determine if these new blocks are legitimate or false positives, it is possible to reach out to AWS WAF support via email using awswaf@fortinet.com.
These blocks can be seen in the AWS log and report feature:
Logging and monitoring in AWS WAF
This team determines if the traffic being blocked is harmful or not, and if the block is caused due to a false positive, it is possible to share a HAR capture file from the browser. The block caused due AWS WAF managed rules usually has a return code 403.
It is also expected to share the AWS log or at least identify the name of the rule that caused the block so that the team can check accordingly.
If these false positives are causing severe business impact, create a scope-down statement for the time being until the team can check the information and HAR capture file and make adjustments if need be.
Refer to the attached document for steps to collect the desired capture file.
Note:
All customers are recommended to use v2 of the Fortinet AWS WAF managed rules since it is more dynamic compared to the previous version.
Related article:
Technical Tip: Deploying Fortinet AWS WAF Partner Rule Group V2
|
