
What are WAF false positives?

The WebOrion™ Protector includes a web application firewall (WAF). This helps to keep your websites protected from malicious attacks by attackers around the world.

 

 

A quick look into how WAFs work

The WAF sits between your visitors on the Internet and your web server, and analyses every request sent to your web server. It detects potentially suspicious or malicious content in a request that may be used to attack or infiltrate web applications, such as SQL injection, cross-site scripting or file inclusion. The WAF uses a comprehensive collection of rules to decide whether a request is malicious.

Most of the time, these rules correctly identify a real attack attempt and successfully block the request; this is called a true positive. However, in some cases a false positive can occur: the WAF incorrectly blocks a real user from accessing a website normally.

 

How can I mitigate false positives?

Here at WebOrion™, we have been consistently testing and optimising the WebOrion™ Protector WAF to help you find the balance between high security and minimal false positives and disruptions. We are confident that the WAF works for most customers from the day you first start using it, so that we can start protecting you without any disruption to your daily operations.

However, there will always be cases where this does not hold. Depending on how your web application is developed, certain legitimate requests may be incorrectly identified as malicious, causing them to be blocked.

To mitigate this, we have put in place many different controls that let you, as a user, take your security into your own hands without much hassle.

 

Adjust the Overall Security Level

You may adjust the sensitivity of the WebOrion™ Protector WAF by slightly decreasing the Overall WAF Security Level. This means that only the more suspicious requests will be blocked, while allowing more requests to go through the WAF.

For more information, please refer to this article.

 

Adjust the Security Paranoia Level

You may also adjust the Security Paranoia Level of the WebOrion™ Protector WAF. By reducing the level, you will be disabling some rules that flag requests which are less likely to be malicious. The rules have been grouped into various levels accordingly.

For more information, please refer to this article.
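
To illustrate how the two settings above interact, here is a simplified model in Python. It is an added example, not WebOrion™ Protector's actual rule engine: the rules, their scores and level grouping, and the `block_threshold` parameter (standing in for the Overall Security Level, where a lower security level means a higher threshold) are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    level: int   # paranoia level at which the rule becomes active (assumed grouping)
    score: int   # how suspicious a match is (assumed weight)

# Constructed toy rules, far simpler than a production rule set.
RULES = [
    Rule("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.I), 1, 5),
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I), 1, 5),
    Rule("sql-keyword", re.compile(r"\b(select|union|drop)\b", re.I), 2, 3),
    Rule("sql-meta-char", re.compile(r"['\";]|--"), 3, 2),
]

def evaluate(body: str, paranoia_level: int, block_threshold: int):
    """Return (blocked, score, matched rule names) for one request body."""
    # Only rules at or below the configured paranoia level are active.
    matched = [r for r in RULES
               if r.level <= paranoia_level and r.pattern.search(body)]
    score = sum(r.score for r in matched)
    # The request is blocked once its total score reaches the threshold.
    return score >= block_threshold, score, [r.name for r in matched]

# Constructed sample requests: a harmless comment and an obvious injection.
LEGIT = "comment=Don't forget: select the union option; it's in Settings"
ATTACK = "id=1 UNION SELECT password FROM users--"

if __name__ == "__main__":
    # (paranoia level, block threshold) combinations to compare.
    for pl, thr in [(3, 5), (2, 5), (1, 5), (3, 10), (1, 10)]:
        for label, body in [("legit", LEGIT), ("attack", ATTACK)]:
            blocked, score, names = evaluate(body, pl, thr)
            print(f"PL={pl} threshold={thr} {label:6} "
                  f"blocked={blocked} score={score} rules={names}")
```

In this model the harmless comment is a false positive only at the strictest setting, and reducing either setting by one step clears it while the constructed attack is still blocked. Reducing both at once lets the attack through as well, which is why each adjustment should be as small as possible.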

 

Whitelist your IP address and/or URLs

If you are the sole administrator of the website and only you are encountering issues, you may wish to whitelist your IP address from the WebOrion™ Protector WAF entirely. This will ensure that none of the requests originating from your IP address are blocked, so the WAF cannot stop you from accessing your website.

For more information, please refer to this article.

 

Putting the WAF to Passthrough Mode

By putting your website into Passthrough Mode, you are essentially disabling the blocking capabilities of the WebOrion™ Protector WAF. We do not recommend this approach unless absolutely necessary.

For more information about WAF operating modes, please refer to this article.
