Best practices for using custom rule groups to provide enhanced protection - Website Protection Settings| Alibaba Cloud Documentation Center

If you find that RegEx Protection Engine of WAF blocks normal requests to your website, you can customize protection rule groups to avoid this issue.

Prerequisites

A WAF instance is purchased. The instance must meet the following requirements:
- The instance is billed on a subscription basis.
- If the instance is deployed in mainland China, the instance must be of the Business edition or higher.
- If the instance is deployed outside mainland China, the instance must be of the Enterprise edition or higher.
For more information, see Purchase a WAF instance.
Your website is added to WAF. For more information, see Add websites.

Background information

To address this issue, you must identify the protection rule that causes the issue, create a custom rule group for the affected domain name, and then remove the protection rule from the custom rule group.

Procedure

Log on to the Web Application Firewall console.
In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
In the left-side navigation pane, click Security report.
Identify the ID of the protection rule that causes false positives.
1. On the Web Security tab, click Web Intrusion Prevention, select the target domain name, and select Regular Protection in the lower part of the page to view attack records.
2. In the attack record list, find the false positive record and record the rule ID. You can search for the record by using the attack IP address.
In the left-side navigation pane, choose System Management > Protection Rule Group.
Create a custom rule group and remove the protection rule from the rule group.
1. In the rule group list on the Web Application Protection tab, find the rule group that applies to the affected domain name.
  
  Note To find the rule group, search for the affected domain name in the Website column.
2. Click Copy in the Action column. Assume that the Medium rule group causes the issue.
3. On the Copy Rule Group page, modify Rule Group Name, turn on Automatic Update, and click Save. You can change the rule group name to medium rule group-remove false positive rule.
  After you copy the rule group, you can view it in the rule group list.
4. Find the rule group that you copy and click Edit in the Action column.
5. On the Edit Rule Group page, search for the rule that causes false positives by using the rule ID, select the rule, and then click Remove Selected Rules.
  
  Note Before you remove a protection rule from a custom rule group, make sure that you select the exact rule that blocks normal requests.
6. Click Save.
Apply the custom rule group to your website.
1. Find the rule group that you copy and click Apply to Website in the Action column.
2. On the Apply to Website page, add the affected domain name to the Websites Added to WAF section and click Save.
After you apply the custom rule group, you can go to the Website Protection page and view the RegEx Protection Engine settings. The Protection Rule Group changes to the custom rule group that you apply. For more information, see Configure the protection rules engine.
When the website receives the same access requests again, WAF does not block the requests.

Note If the requests are still blocked, make sure you identify the correct ID of the protection rule that causes false positives and remove this rule from the custom rule group.