
Why does my AWS WAF custom rule not work?


I created a custom AWS WAF rule, but it doesn't work as expected. I want to troubleshoot the issue.

Resolution

If your custom AWS WAF rule doesn't work as expected, then check the following configurations:

  • Rule priority
  • Text transformation
  • Boolean logic

Rule priority

Check that you configured your custom rule at the correct priority. AWS WAF evaluates rules in ascending numeric priority order (lowest number first) and stops at the first matching rule that has a terminating action. Allow and Block always terminate evaluation. CAPTCHA and Challenge terminate only when the request doesn't carry a valid token; when the token is valid, they are non-terminating. Count never terminates. If your custom rule has a higher priority number than the rule that terminates evaluation, then the request isn't evaluated against the custom rule. For more information, see How AWS WAF handles rule and rule group actions in a web ACL.

For example, you create a custom Allow rule to allow a request that an AWS Managed Rules rule group blocked. You must lower the numeric priority of your custom rule so that it's evaluated before the AWS Managed Rules rule group.

You can use the AWS WAF console to update your rule priority. You can also use the UpdateWebACL or UpdateRuleGroup API calls, or run the update-web-acl or update-rule-group AWS Command Line Interface (AWS CLI) commands. These calls replace the complete rule list and require the current lock token, so first retrieve the existing configuration with GetWebACL or GetRuleGroup (get-web-acl or get-rule-group in the AWS CLI), change only the Priority values, and submit the full list back.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
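The following is an added example, not AWS code or code from this article: a small Python model of the evaluation order described above. Rules run in ascending priority, Allow and Block terminate, Count is recorded and skipped, and CAPTCHA terminates only when the request lacks a valid token. The managed rule group is modelled as a single rule, and the rule names, IP addresses and matcher functions are constructed for the example.

```python
"""Toy model of how a web ACL picks the rule that decides a request.

Added example, not AWS code. Rules run in ascending numeric priority;
Allow and Block terminate evaluation, Count does not, and CAPTCHA or
Challenge terminate only when the request has no valid token. The rule
group is modelled as one rule; names and matchers are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable

TERMINATING = {"ALLOW", "BLOCK"}
TOKEN_ACTIONS = {"CAPTCHA", "CHALLENGE"}


@dataclass
class Rule:
    name: str
    priority: int
    action: str
    matches: Callable[[dict], bool]


def evaluate(rules, request, default_action="ALLOW"):
    """Return (final_action, deciding_rule_name, counted_rule_names)."""
    counted = []
    for rule in sorted(rules, key=lambda r: r.priority):  # lowest number first
        if not rule.matches(request):
            continue
        if rule.action in TERMINATING:
            return rule.action, rule.name, counted
        if rule.action in TOKEN_ACTIONS:
            if request.get("valid_token"):
                counted.append(rule.name)  # valid token: non-terminating
                continue
            return rule.action, rule.name, counted  # no token: terminating
        counted.append(rule.name)  # COUNT: record the match and keep going
    return default_action, None, counted


# Constructed scenario: a Count rule, a managed rule group that blocks
# /health, and a custom Allow rule meant to let a trusted scanner through.
count_probes = Rule("CountHealthProbes", 1, "COUNT",
                    lambda r: r["uri"] == "/health")
managed_block = Rule("AWSManagedRulesCommonRuleSet", 10, "BLOCK",
                     lambda r: r["uri"] == "/health")
# Priority 20 is evaluated after the managed group, so it never runs.
custom_allow_wrong = Rule("AllowScannerUri", 20, "ALLOW",
                          lambda r: r["uri"] == "/health"
                          and r["ip"] == "203.0.113.7")
# Priority 5 is evaluated before the managed group, so it wins.
custom_allow_fixed = Rule("AllowScannerUri", 5, "ALLOW",
                          lambda r: r["uri"] == "/health"
                          and r["ip"] == "203.0.113.7")

REQUEST = {"uri": "/health", "ip": "203.0.113.7", "valid_token": False}


def decision_with_wrong_priority():
    return evaluate([count_probes, managed_block, custom_allow_wrong], REQUEST)


def decision_with_fixed_priority():
    return evaluate([count_probes, managed_block, custom_allow_fixed], REQUEST)


if __name__ == "__main__":
    print(decision_with_wrong_priority())
    print(decision_with_fixed_priority())
```

The Count rule shows up in the counted list in both runs because Count never stops evaluation; only the numeric position of the Allow rule relative to the Block decides the outcome.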

Text transformation

If you use text transformations in your custom rule, then check that you correctly implemented them for your use case.

AWS WAF applies the transformations to the request component that the rule inspects, and then inspects the transformed value. If you specify more than one transformation, then AWS WAF processes them in the order listed. In the JSON definition of a rule statement, each entry in TextTransformations carries a Priority, and AWS WAF applies them in ascending Priority order, so verify that order when your custom rule uses multiple transformations. For more information, see Text transformation options.

For example, you create a custom rule to perform Base64 decode and URL decode for a string in the query. AWS WAF first performs the Base64 decode of the query string in the incoming request. Then, AWS WAF performs a URL decode on the resulting string. Finally, AWS WAF inspects the resulting string against the string that you provide in your custom rule configuration.
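The following is an added example, not AWS code or code from this article: a toy Python model of the Base64-decode then URL-decode chain described above, including a helper that orders a TextTransformations list by its Priority values the way AWS WAF does. The transformation functions approximate a subset of the AWS WAF options and do not reproduce every edge case of the real service (for example, this model passes invalid Base64 through unchanged). The query-string payload and search string are constructed for the example.

```python
"""Chained text transformations run in order; swapping them can miss a match.

Added example, not AWS code. Models BASE64_DECODE followed by URL_DECODE
and shows that the reverse order fails to expose the same string.
Transformation behaviour is approximate; invalid Base64 is left unchanged.
"""
import base64
import binascii
import re
from urllib.parse import unquote


def _base64_decode(value: str) -> str:
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value  # model choice: invalid Base64 is passed through unchanged


TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": unquote,
    "BASE64_DECODE": _base64_decode,
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
}


def ordered_types(text_transformations):
    """Transformation names in the order AWS WAF applies them (by Priority)."""
    return [t["Type"] for t in sorted(text_transformations,
                                      key=lambda t: t["Priority"])]


def apply_transformations(value, text_transformations):
    """Apply each transformation in turn to the inspected component."""
    for name in ordered_types(text_transformations):
        value = TRANSFORMS[name](value)
    return value


def contains_after_transform(value, text_transformations, search_string):
    """Model of a ByteMatchStatement with PositionalConstraint CONTAINS."""
    return search_string in apply_transformations(value, text_transformations)


# Constructed query-string value: "UNION SELECT" URL-encoded, then Base64-encoded.
PAYLOAD = base64.b64encode(b"UNION%20SELECT").decode("ascii")  # VU5JT04lMjBTRUxFQ1Q=
SEARCH = "UNION SELECT"

# The order described in the text: Base64 decode first, then URL decode.
INTENDED = [{"Priority": 0, "Type": "BASE64_DECODE"},
            {"Priority": 1, "Type": "URL_DECODE"}]
# Same transformations with the priorities swapped: URL decode runs first,
# does nothing to the Base64 text, and the %20 is never decoded.
SWAPPED = [{"Priority": 1, "Type": "BASE64_DECODE"},
           {"Priority": 0, "Type": "URL_DECODE"}]


def matches_with_intended_order():
    return contains_after_transform(PAYLOAD, INTENDED, SEARCH)  # True


def matches_with_swapped_order():
    return contains_after_transform(PAYLOAD, SWAPPED, SEARCH)  # False


if __name__ == "__main__":
    print(apply_transformations(PAYLOAD, INTENDED), matches_with_intended_order())
    print(apply_transformations(PAYLOAD, SWAPPED), matches_with_swapped_order())
```

When a rule misses, print the transformed value as this model does and compare it with your search string; a mismatch in the Priority order is usually visible immediately.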

Boolean logic

If you use logical rule statements, then use Boolean logic to verify that the AND, OR, or NOT logic in your custom rule is correct. 

For example, you create a custom rule that matches requests that have the /test URI and a source IP in IP set X.

Example request 1 has the /test URI (Boolean 1). The request's IP address isn't in IP set X (Boolean 0). Boolean 1 and Boolean 0 result in Boolean 0, so the request doesn't match your custom rule.

Example request 2 has the /test URI (Boolean 1). The request's IP address is in IP set X (Boolean 1). Boolean 1 and Boolean 1 result in Boolean 1, so the request matches your custom rule.

Example request 3 doesn't have the /test URI (Boolean 0). The request's IP address isn't in IP set X (Boolean 0). Boolean 0 and Boolean 0 result in Boolean 0, so the request doesn't match your custom rule.

If the action for the custom rule is Block, then the rule blocks only example request 2, the only request that matches both conditions.
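The following is an added example, not AWS code or code from this article: a minimal Python evaluator for the JSON statement shapes AWS WAF uses (AndStatement, OrStatement, NotStatement, ByteMatchStatement on UriPath, IPSetReferenceStatement), run over the three requests from the text. It also evaluates a second statement that adds a NotStatement, which is where most Boolean mistakes happen. Text transformations other than NONE are not modelled. The IP set ARN, its address range and the request addresses are constructed for the example.

```python
"""Evaluate an AND/OR/NOT rule statement the way the text walks through it.

Added example, not AWS code. A minimal evaluator for the AWS WAF JSON
statement shapes; IP set "X" is resolved from a constructed table and the
ARN is hypothetical. TextTransformations other than NONE are ignored.
"""
import ipaddress

# Constructed IP set "X" (hypothetical ARN).
IP_SET_X_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/X/example"
IP_SETS = {IP_SET_X_ARN: [ipaddress.ip_network("203.0.113.0/24")]}


def _byte_match(stmt, request):
    field = stmt["FieldToMatch"]
    if "UriPath" in field:
        haystack = request["uri"]
    elif "QueryString" in field:
        haystack = request.get("query", "")
    else:
        raise ValueError(f"unsupported FieldToMatch: {field}")
    needle = stmt["SearchString"]
    return {
        "EXACTLY": haystack == needle,
        "STARTS_WITH": haystack.startswith(needle),
        "ENDS_WITH": haystack.endswith(needle),
        "CONTAINS": needle in haystack,
    }[stmt["PositionalConstraint"]]


def _ip_set_match(stmt, request):
    addr = ipaddress.ip_address(request["ip"])
    return any(addr in net for net in IP_SETS[stmt["ARN"]])


def evaluate_statement(stmt, request):
    """Recursively evaluate a statement; True means the rule matches."""
    if "AndStatement" in stmt:
        return all(evaluate_statement(s, request)
                   for s in stmt["AndStatement"]["Statements"])
    if "OrStatement" in stmt:
        return any(evaluate_statement(s, request)
                   for s in stmt["OrStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not evaluate_statement(stmt["NotStatement"]["Statement"], request)
    if "ByteMatchStatement" in stmt:
        return _byte_match(stmt["ByteMatchStatement"], request)
    if "IPSetReferenceStatement" in stmt:
        return _ip_set_match(stmt["IPSetReferenceStatement"], request)
    raise ValueError(f"unsupported statement: {list(stmt)}")


URI_IS_TEST = {"ByteMatchStatement": {
    "FieldToMatch": {"UriPath": {}},
    "PositionalConstraint": "EXACTLY",
    "SearchString": "/test",
    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
}}
IP_IN_X = {"IPSetReferenceStatement": {"ARN": IP_SET_X_ARN}}

# The rule from the text: URI is /test AND source IP is in IP set X.
RULE_STATEMENT = {"AndStatement": {"Statements": [URI_IS_TEST, IP_IN_X]}}
# A variant: URI is /test AND source IP is NOT in IP set X.
NOT_IN_X_STATEMENT = {"AndStatement": {"Statements": [
    URI_IS_TEST, {"NotStatement": {"Statement": IP_IN_X}}]}}

# Constructed requests 1-3 from the text.
REQUESTS = {
    1: {"uri": "/test", "ip": "198.51.100.9"},   # /test, IP not in X
    2: {"uri": "/test", "ip": "203.0.113.25"},   # /test, IP in X
    3: {"uri": "/other", "ip": "198.51.100.9"},  # not /test, IP not in X
}


def matching_requests(statement=RULE_STATEMENT):
    """Request numbers a Block rule with this statement would block."""
    return sorted(n for n, req in REQUESTS.items()
                  if evaluate_statement(statement, req))


if __name__ == "__main__":
    print(matching_requests())                   # [2]
    print(matching_requests(NOT_IN_X_STATEMENT))  # [1]
```

Feeding your own rule's Statement JSON (from get-web-acl or the console's JSON editor) through an evaluator like this, with a handful of constructed requests, is a quick way to confirm the logic before changing the live web ACL.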

Related information

Processing order of rules and rule groups in a web ACL

AWS OFFICIAL
Updated 6 months ago