# Handle False Positives

A **false positive** occurs when the WAF blocks or flags a legitimate request as malicious.\
This can happen due to aggressive rule patterns or incomplete exceptions.\
Proper handling of false positives helps maintain both **security** and **availability** of your applications.

{% hint style="info" %}
False positives are common during initial WAF configuration.\
Always start in **Monitoring Only** mode to observe behavior before activating full protection.
{% endhint %}

{% stepper %}
{% step %}
Identify False Positives

Use WAF logs and analytics to locate requests that were incorrectly blocked or flagged.

1. Open the [**Medianova Control Panel**](https://cloud.medianova.com).
2. Go to **Analytics → WAF Dashboard**.
3. Review blocked requests and event logs.
4. Look for requests that match normal user or API behavior but are classified as threats.

{% hint style="info" %}
Pay special attention to repetitive blocks from trusted IPs or common API endpoints — they are typical indicators of false positives.
{% endhint %}
{% endstep %}

{% step %}
Analyze Rule Behavior

Determine which rule caused the false detection.\
You can identify the **Rule ID** or **Rule Name** responsible by inspecting the event details in the WAF dashboard.

<table><thead><tr><th width="286">Common Cause</th><th>Example</th></tr></thead><tbody><tr><td>Overly broad request URI match</td><td>Blocking <code>/api/v1/</code> instead of <code>/api/v1/admin</code></td></tr><tr><td>Strict User Agent filtering</td><td>Blocking “curl” used in automated internal scripts</td></tr><tr><td>Missing whitelist entry</td><td>Internal monitoring IPs not excluded</td></tr><tr><td>Outdated rule condition</td><td>Old regex pattern still matching new endpoint</td></tr></tbody></table>

{% hint style="info" %}
Custom Rules take precedence over Managed Rules.\
If both apply, the Custom Rule’s action will execute.
{% endhint %}
{% endstep %}

{% step %}
Adjust Rules or Add Exceptions

After identifying the cause, fine-tune your rules to allow legitimate traffic while keeping protection active.

You can:

* **Modify an existing rule**
  * Adjust the **Field**, **Operator**, or **Value** for more precise matching.
  * Example: Change “contains `/api`” to “equals `/api/admin`”.
* **Change the rule action**
  * Temporarily switch from **Block** to **Log Only** to monitor.
* **Add an exception rule**
  * Allow requests from a specific **IP**, **URI**, or **User Agent**.
* **Whitelist internal services**
  * Add known internal IPs (monitoring tools, API clients) to an allowlist.

{% hint style="info" %}
Apply changes incrementally and review logs after each update to confirm resolution.
{% endhint %}
{% endstep %}

{% step %}
Validate After Adjustments

Once changes are made, monitor the WAF dashboard again:

1. Keep the affected rule in **Log Only** mode for several hours or days.
2. Check if the same requests are still flagged.
3. If no false alerts occur, switch the rule back to **Block** mode.

{% hint style="info" %}
Do not disable Managed Rules globally as a way to avoid temporary false positives.\
Always isolate and fix the specific rule causing the issue.
{% endhint %}
{% endstep %}
{% endstepper %}
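As an added illustration of steps 1 and 3 (example code, not part of the Medianova documentation), the following Python triages a small constructed set of WAF block events for the two signals named above, repeated blocks of one source on one endpoint and blocks of trusted internal IPs, and then contrasts the broad "contains `/api`" match with the refined "equals `/api/admin`" match. The event field names, rule IDs and the trusted network range are assumptions; the real event schema is not shown on this page.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample WAF block events. The field names and rule IDs are
# assumptions for this example; the real Medianova event schema is not shown here.
EVENTS = [
    {"rule_id": "CR-101", "action": "block", "ip": "10.0.5.20", "uri": "/api/v1/health", "ua": "curl/8.4"},
    {"rule_id": "CR-101", "action": "block", "ip": "10.0.5.20", "uri": "/api/v1/health", "ua": "curl/8.4"},
    {"rule_id": "MR-933", "action": "block", "ip": "203.0.113.9", "uri": "/login", "ua": "Mozilla/5.0"},
    {"rule_id": "MR-942", "action": "block", "ip": "198.51.100.7", "uri": "/api/v1/users", "ua": "python-requests/2.31"},
    {"rule_id": "MR-942", "action": "block", "ip": "198.51.100.7", "uri": "/api/v1/users", "ua": "python-requests/2.31"},
    {"rule_id": "MR-942", "action": "block", "ip": "198.51.100.7", "uri": "/api/v1/users", "ua": "python-requests/2.31"},
]

# Assumed internal range for monitoring tools and API clients (the allowlist of step 3).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
REPEAT_THRESHOLD = 3  # the same source hitting the same URI this often deserves a look


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allowlisted internal network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def false_positive_candidates(events, threshold: int = REPEAT_THRESHOLD) -> dict:
    """Group blocked events by rule and return {rule_id: [reasons]} for the two
    signals: blocks of trusted IPs, and repeated blocks of one source on one URI."""
    repeats = Counter(
        (e["rule_id"], e["ip"], e["uri"]) for e in events if e["action"] == "block"
    )
    found = defaultdict(set)
    for (rule_id, ip, uri), count in repeats.items():
        if is_trusted(ip):
            found[rule_id].add(f"trusted IP {ip} blocked on {uri}")
        if count >= threshold:
            found[rule_id].add(f"{count} repeated blocks of {ip} on {uri}")
    # Rules that triggered neither signal are left out of the result.
    return {rule_id: sorted(reasons) for rule_id, reasons in found.items()}


# Step 3 refinement: the broad "contains /api" match versus "equals /api/admin".
def broad_uri_rule(uri: str) -> bool:
    return "/api" in uri


def refined_uri_rule(uri: str) -> bool:
    # Compare the path only, so a query string does not defeat the exact match.
    return uri.split("?", 1)[0] == "/api/admin"
```

Rules surfaced by `false_positive_candidates` are the ones whose Rule ID to look up in the event details (step 2); the health-check hits from the trusted range are a textbook case for an allowlist entry rather than for disabling the rule.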
