False positives are complex to handle on the LoadMaster. The WAF Rule Tuning functionality in LoadMaster 360 allows you to easily create rule exclusions which you can then upload to the LoadMaster.

The False positive activity table in the WAF Rule Tuning page displays the:

  • Timestamp of the request

  • Client IP address

  • Originating Country that the request came from. Private IP is displayed for requests that come from a private IP address.

  • Status code of the request (this is the response back from the LoadMaster/WAF engine)

  • Anomaly Score

  • Related Application (you can click the application name to get to the application details page)

  • Virtual Service IP address

The Parsed Log Message section provides detailed information for the selected false positive event.

The Input section displays the raw log information for the false positive event. These messages are in the standard ModSecurity log format and contain the anomaly score, the warning message, the attack state, and the paranoia level.
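To review raw messages like those shown in the Input section outside the UI, the following added example (not LoadMaster or Progress code) parses ModSecurity's `[key "value"]` fields and groups them per request. The sample lines, host name, and `unique_id` values are constructed, and the assumption is that the anomaly score appears in the message as "Total Score: N" and the paranoia level as a `paranoia-level/N` tag, as the OWASP Core Rule Set writes them.

```python
import re

# Constructed sample lines in ModSecurity's [key "value"] layout (not real LoadMaster output).
SAMPLE = [
    'ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:comment"] [severity "CRITICAL"] [tag "attack-sqli"] [tag "paranoia-level/1"] [hostname "app.example.test"] [uri "/feedback"] [unique_id "REQ-0001"]',
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "app.example.test"] [uri "/feedback"] [unique_id "REQ-0001"]',
]

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # one [key "value"] pair
SCORE = re.compile(r'Total Score: (\d+)')                      # assumed CRS wording
TARGET = re.compile(r'found within ([A-Z_]+(?::[^:\s]+)?)')    # e.g. ARGS:comment

def parse_line(line):
    """Return the bracketed fields of one log line as a dict; tags become a list."""
    rec = {"tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    score = SCORE.search(rec.get("msg", ""))
    rec["anomaly_score"] = int(score.group(1)) if score else None
    level = [t.split("/", 1)[1] for t in rec["tags"] if t.startswith("paranoia-level/")]
    rec["paranoia_level"] = int(level[0]) if level else None
    target = TARGET.search(rec.get("data", ""))
    rec["target"] = target.group(1) if target else None
    return rec

def summarize(lines):
    """Group records by unique_id: which rules fired, on what target, and the total score."""
    events = {}
    for rec in map(parse_line, lines):
        ev = events.setdefault(rec.get("unique_id"),
                               {"uri": rec.get("uri"), "score": None, "rules": []})
        if rec["anomaly_score"] is not None:
            ev["score"] = rec["anomaly_score"]      # the blocking-evaluation record
        else:
            ev["rules"].append((rec.get("id"), rec["target"],
                                rec["paranoia_level"], rec["tags"]))
    return events

if __name__ == "__main__":
    for uid, ev in summarize(SAMPLE).items():
        print(uid, ev["uri"], "score:", ev["score"])
        for rule_id, target, pl, tags in ev["rules"]:
            print(f"  rule {rule_id} on {target} (PL{pl}) tags={tags}")
```

Seeing the rule ID, matched target, and tags side by side for each request makes it easier to judge how broad a By Id or By Tag exclusion would be before you generate it.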

Configure rule exclusions

To configure a rule exclusion, follow these steps:
  1. Select the relevant false positive result in the table.
  2. Select either By Id or By Tag.
    Note: If you select By Id, there is a chance it could affect other users. Selecting By Tag is more specific.
  3. Select the Rule exclusion type. For further details on what option to choose, refer to the following topic: Resolving false positives with rule exclusions.
  4. If needed, enter the Runtime Rule ID and select a value from the Generate rule tag drop-down list.
  5. Enable or disable the Metadata check box.
  6. Click Copy to Clipboard to copy the Result text.
  7. Open a text editor, such as Notepad.
  8. Paste the Result text.
  9. Save the file with a .conf extension.
  10. Open the LoadMaster UI.
  11. Go to Web Application Firewall > Custom Rules.
  12. Click Choose File under the WAF Custom Rules section.
  13. Browse to and select the .conf file you created.
  14. Click Add Ruleset.
  15. Go to Virtual Services > View/Modify Services > Modify > WAF.
  16. Select the check box next to the rule you uploaded under the Custom Rules section in the Manage Rules field and click Apply.

For further details, refer to the following blog post: False Positive Handling on LoadMaster.