Use IP access rules and whitelist rules to safely allow legitimate traffic that has been incorrectly blocked by the Web Application Firewall (WAF). This guide helps you resolve service interruptions while adhering to the security principle of least privilege.
Why false positives happen and why they matter
WAF protection works by matching traffic against known attack patterns. In complex applications, legitimate traffic can sometimes contain characteristics that mimic these patterns, leading to a "false positive" where normal requests are blocked.
Properly managing false positives is essential for a successful WAF deployment. It helps you prevent:
Service interruption: Avoid blocking legitimate business flows, such as payments, logins, or content publishing.
Operational inefficiency: Reduce time spent troubleshooting and communicating between security and business teams.
Poor user experience: Ensure that legitimate users and internal employees are not accidentally blocked.
Broken integrations: Allow trusted API calls from partners to proceed without being incorrectly flagged as attacks.
Procedure
The solution provided in this topic follows the principle of least privilege. This means only granting the minimum level of access necessary for the service, preventing unnecessary security gaps.
Whitelist trusted IP addresses
IP access rules apply to all HTTP (Layer 7) and TCP/UDP (Layer 4) requests for a website and operate at the highest priority among WAF rules. Use IP access rules to allow requests from trusted IP addresses and prevent them from being blocked by other WAF rules.
Because an allowed IP address bypasses every other WAF rule, do not add uncertain or dynamic IP address ranges to the allow list.
In the ESA console, choose Websites, and then click your target website.
Navigate to .
For Value, select IP/CIDR Block, and then enter a trusted IP address or IP address range (such as your company's static public IP address, a trusted partner server IP address, or a Bastionhost IP address).
For Action, select Allow, and then add a description.

Click Create Rule to activate it.
Create precise exceptions with whitelist rules
Whitelist rules offer a more granular and secure way to handle false positives. Instead of bypassing all protections, you can create a rule that allows a request with specific characteristics to bypass only certain WAF rules (like managed rules). If a false positive is caused by a request from a dynamic source IP address but the request contains a unique business identifier, you can use a whitelist rule to add a precise exception.
Example use case
A partner synchronizes data with your platform by making API calls to the /api/platform endpoint. Their requests always include the header X-Partner-ID: 1305015971 and are being incorrectly blocked by the managed ruleset.
In the ESA console, choose Websites, and then click your target website.
Navigate to .
On the Whitelist Rules tab, click Create Rule. Configure the rule:

Rule Name: Allow Partner XX API
If requests match...:
Condition 1: Match Field: Header, Header Name: x-partner-id, Operator: equals, Match Value: 1305015971.
Condition 2: Match Field: URI Path, Operator: starts with, Match Value: /api/platform.
Select Case-insensitive for both conditions.
Then skip...: Select Specific Rule Category/ID, and choose Managed Rules in the dropdown.
Click OK to activate the rule.
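To make the difference between the two mechanisms concrete, here is an added Python model (not ESA's own code) of how an IP access rule and the whitelist rule above are evaluated against a request: the IP access rule skips every WAF rule, while the whitelist rule skips only managed rules. The trusted CIDRs, the sample requests, and the category names other than managed rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Rule categories a WAF evaluates after IP access rules. Only "managed"
# comes from the guide; "custom" and "rate_limit" are assumed names used
# to show that a whitelist rule leaves other categories in force.
ALL_CATEGORIES = ("managed", "custom", "rate_limit")

# IP access rule: trusted static addresses only (constructed sample values).
TRUSTED_CIDRS = ("203.0.113.10/32", "198.51.100.0/24")


@dataclass
class Request:
    src_ip: str
    path: str
    headers: dict


def ip_access_allows(req: Request) -> bool:
    """Highest-priority check: a match skips every other WAF rule."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in ipaddress.ip_network(c) for c in TRUSTED_CIDRS)


def whitelist_matches(req: Request) -> bool:
    """The 'Allow Partner XX API' rule: both conditions, case-insensitive."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    header_ok = headers.get("x-partner-id", "").lower() == "1305015971"
    path_ok = req.path.lower().startswith("/api/platform")
    return header_ok and path_ok


def categories_to_run(req: Request) -> list:
    """Return the rule categories that still inspect this request."""
    if ip_access_allows(req):
        return []  # IP access rule matched: nothing else runs
    skipped = {"managed"} if whitelist_matches(req) else set()
    return [c for c in ALL_CATEGORIES if c not in skipped]


if __name__ == "__main__":
    partner = Request("192.0.2.77", "/API/Platform/sync",
                      {"X-Partner-ID": "1305015971"})
    print(categories_to_run(partner))  # ['custom', 'rate_limit']
```

A request carrying the partner header but targeting a path outside /api/platform still passes through managed rules, which is the least-privilege property the guide is after.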