Handle False Positives
Learn how to identify, analyze, and minimize false positives in the Web Application Firewall (WAF) to ensure accurate protection without disrupting legitimate traffic.
A false positive occurs when the WAF blocks or flags a legitimate request as malicious. This usually happens because a rule pattern is broader than the traffic it was meant to catch, or because a legitimate client (an internal monitor, a partner API) has no exception covering it. Handling false positives properly keeps your applications both protected and available.
False positives are common during initial WAF configuration. Always start in Monitoring Only mode to observe behavior before activating full protection.
Identify False Positives
Use WAF logs and analytics to locate requests that were incorrectly blocked or flagged.
Open the Medianova Control Panel.
Go to Analytics → WAF Dashboard.
Review blocked requests and event logs.
Look for requests that match normal user or API behavior but are classified as threats.
Pay special attention to repetitive blocks from trusted IPs or common API endpoints — they are typical indicators of false positives.
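The triage described in these steps, as an added example that is not part of the Medianova documentation: it groups blocked events by rule and request URI and flags the two indicators named above, repeated blocks from a trusted IP and one endpoint blocked for many different clients. The JSON-lines log format, rule IDs, addresses and the trusted-IP set are constructed for illustration and are not Medianova's log schema; on a real deployment you would feed it the event export from the WAF Dashboard.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of a WAF event export in JSON-lines form. The field
# names, rule IDs and addresses are illustrative, not Medianova's log schema.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","ip":"10.0.0.5","uri":"/api/v1/health","ua":"curl/8.1.2","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:01:01Z","ip":"10.0.0.5","uri":"/api/v1/health","ua":"curl/8.1.2","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:02:01Z","ip":"10.0.0.5","uri":"/api/v1/health","ua":"curl/8.1.2","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:02:30Z","ip":"203.0.113.7","uri":"/api/v1/orders","ua":"Mozilla/5.0","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:02:41Z","ip":"198.51.100.9","uri":"/api/v1/orders","ua":"Mozilla/5.0","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:02:55Z","ip":"192.0.2.44","uri":"/api/v1/orders","ua":"Mozilla/5.0","rule_id":"CR-100","rule_name":"Block admin API","action":"block"}
{"ts":"2024-05-01T10:03:10Z","ip":"203.0.113.99","uri":"/login","ua":"Mozilla/5.0","rule_id":"MR-942","rule_name":"SQLi detection","action":"block"}
{"ts":"2024-05-01T10:03:20Z","ip":"203.0.113.7","uri":"/api/v1/orders","ua":"Mozilla/5.0","rule_id":"MR-913","rule_name":"Scanner detection","action":"log"}
"""

# Assumed internal monitoring host; in practice this comes from your asset inventory.
TRUSTED_IPS = {"10.0.0.5"}


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocks_by_rule(events):
    """Count blocks per Rule ID: the rule to inspect in the dashboard event details."""
    return Counter(e["rule_id"] for e in events if e["action"] == "block")


def find_false_positive_candidates(events, trusted_ips, min_repeats=3, min_distinct_ips=3):
    """Group blocks by (rule, URI) and flag the patterns that typically indicate
    false positives: hits on trusted IPs, repeated blocks, and one endpoint
    blocked for many distinct clients. Events with action "log" are ignored
    because they did not disrupt anything."""
    per_endpoint = defaultdict(lambda: {"blocks": 0, "ips": set(), "trusted_hits": 0})
    for e in events:
        if e["action"] != "block":
            continue
        slot = per_endpoint[(e["rule_id"], e["uri"])]
        slot["blocks"] += 1
        slot["ips"].add(e["ip"])
        if e["ip"] in trusted_ips:
            slot["trusted_hits"] += 1

    candidates = {}
    for key, slot in per_endpoint.items():
        reasons = []
        if slot["trusted_hits"]:
            reasons.append(f"{slot['trusted_hits']} blocks from trusted IPs")
        if slot["blocks"] >= min_repeats:
            reasons.append(f"{slot['blocks']} repeated blocks")
        if len(slot["ips"]) >= min_distinct_ips:
            reasons.append(f"{len(slot['ips'])} distinct clients blocked on one endpoint")
        if reasons:
            candidates[key] = {
                "blocks": slot["blocks"],
                "ips": sorted(slot["ips"]),
                "reasons": reasons,
            }
    return candidates


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("blocks per rule:", dict(blocks_by_rule(events)))
    for (rule_id, uri), info in find_false_positive_candidates(events, TRUSTED_IPS).items():
        print(f"{rule_id} on {uri}: {info['blocks']} blocks from {info['ips']} -> {info['reasons']}")
```

On the sample data, rule CR-100 is flagged twice (the health check from the trusted monitor, and /api/v1/orders blocked for three different customers), while the single SQLi block on /login is left alone because it shows none of the indicators. The thresholds are starting points; tune them to your traffic volume.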
Analyze Rule Behavior
Determine which rule caused the false detection. You can identify the Rule ID or Rule Name responsible by inspecting the event details in the WAF dashboard.
Common causes, with an example of each:
Overly broad request URI match: a condition on /api/v1/ blocks every path under it instead of only /api/v1/admin.
Strict User Agent filtering: blocking "curl", which automated internal scripts legitimately use.
Missing allowlist (whitelist) entry: internal monitoring IPs not excluded from the rule.
Outdated rule condition: an old regex pattern still matches a newly added endpoint.
Custom Rules take precedence over Managed Rules. If both apply, the Custom Rule’s action will execute.
Adjust Rules or Add Exceptions
After identifying the cause, fine-tune your rules to allow legitimate traffic while keeping protection active.
You can:
Modify an existing rule
Adjust the Field, Operator, or Value for more precise matching.
Example: change the condition from operator "contains" with value "/api" to operator "equals" with value "/api/admin", so only the admin path matches.
Change the rule action
Temporarily switch from Block to Log Only to monitor. While a rule is in Log Only it blocks nothing, including the attacks it was written for, so keep that window short and scoped to the one rule.
Add an exception rule
Allow requests from a specific IP, URI, or User Agent.
Whitelist internal services
Add known internal IPs (monitoring tools, API clients) to an allowlist.
Apply changes incrementally and review logs after each update to confirm resolution.
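A small rule evaluator, added here as an example and not Medianova's rule engine or schema, that shows the "Analyze Rule Behavior" cause (an overly broad URI match) next to the three fixes above: a precise equals condition, a Log Only switch, and a narrowly scoped exception for an internal monitor. Custom rules are evaluated before managed rules, which is the precedence the page describes. Everything else is an assumption: the (field, operator, value) rule model, the 10.0.0.0/8 internal range, the sample requests, and the semantics that "log" records a hit and keeps evaluating while "block" and "allow" stop.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


# Hypothetical rule model for illustration; not Medianova's rule schema.
# A rule matches when ALL of its (field, operator, value) conditions hold.
@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple          # ((field, operator, value), ...)
    action: str                # "block", "log" or "allow"
    source: str = "managed"    # "managed" or "custom"


def condition_matches(field, operator, value, request):
    actual = request[field]
    if operator == "contains":
        return value in actual
    if operator == "equals":
        return actual == value
    if operator == "starts_with":
        return actual.startswith(value)
    if operator == "in_cidr":
        return ip_address(actual) in ip_network(value)
    raise ValueError(f"unknown operator {operator!r}")


def matches(rule, request):
    return all(condition_matches(f, op, v, request) for f, op, v in rule.conditions)


def evaluate(request, rules):
    """Return (final_action, names_of_rules_that_matched).

    Custom rules run before managed rules, so a matching custom rule's action
    wins. Assumed semantics: "log" records the hit and continues; "block" and
    "allow" stop evaluation; nothing matching means "allow".
    """
    ordered = [r for r in rules if r.source == "custom"] + \
              [r for r in rules if r.source == "managed"]
    hits = []
    for rule in ordered:
        if matches(rule, request):
            hits.append(rule.name)
            if rule.action in ("block", "allow"):
                return rule.action, hits
    return "allow", hits


def with_action(rules, name, action):
    """Copy of the rule set with one rule's action changed (e.g. Block -> Log Only)."""
    return [replace(r, action=action) if r.name == name else r for r in rules]


MANAGED_SQLI = Rule("SQLi detection", (("uri", "contains", "' OR "),), "block", "managed")

# Before: overly broad request URI match, the first cause in the table above.
BEFORE = [
    Rule("Block admin API", (("uri", "contains", "/api/v1/"),), "block", "custom"),
    MANAGED_SQLI,
]

# After: exact match on the admin path, plus an exception limited to the
# internal monitoring range (10.0.0.0/8 is an assumed internal CIDR) AND the
# health-check path, so the exception does not blind managed rules for that range.
AFTER = [
    Rule("Allow internal health checks",
         (("ip", "in_cidr", "10.0.0.0/8"), ("uri", "equals", "/api/v1/health")),
         "allow", "custom"),
    Rule("Block admin API", (("uri", "equals", "/api/v1/admin"),), "block", "custom"),
    MANAGED_SQLI,
]

# Constructed sample requests.
REQUESTS = {
    "monitor":       {"ip": "10.0.0.5",     "uri": "/api/v1/health",         "ua": "curl/8.1.2"},
    "customer":      {"ip": "203.0.113.7",  "uri": "/api/v1/orders",         "ua": "Mozilla/5.0"},
    "admin_probe":   {"ip": "198.51.100.9", "uri": "/api/v1/admin",          "ua": "Mozilla/5.0"},
    "sqli_internal": {"ip": "10.0.0.5",     "uri": "/login?user=' OR 1=1--", "ua": "curl/8.1.2"},
}


def decisions(rules):
    """Final action per sample request under the given rule set."""
    return {name: evaluate(req, rules)[0] for name, req in REQUESTS.items()}


if __name__ == "__main__":
    log_only = with_action(BEFORE, "Block admin API", "log")
    for label, rules in (("before", BEFORE), ("log-only", log_only), ("after", AFTER)):
        print(label, decisions(rules))
```

The "before" set blocks the monitor and an ordinary customer along with the real admin probe; switching the rule to Log Only stops those blocks but also lets the admin probe through, which is why that state is temporary; the "after" set allows the two legitimate requests, still blocks /api/v1/admin, and because the exception is scoped to one path, an SQL injection attempt from the same internal address is still caught by the managed rule.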
Validate After Adjustments
Once changes are made, monitor the WAF dashboard again:
Keep the affected rule in Log Only mode long enough to cover a full cycle of normal traffic, typically several hours to a few days, so that scheduled jobs and periodic clients that hit the endpoint are included.
Check if the same requests are still flagged.
If no false alerts occur, switch the rule back to Block mode.
Do not disable Managed Rules globally as a shortcut around temporary false positives; that removes protection for every application behind the WAF. Always isolate and fix the specific rule causing the issue.