Mitigating false-positive scenarios - AWS Network Firewall

Mitigating false-positive scenarios

As a best practice, before using a managed rule group in production, run it in alert mode if you use the firewall as an intrusion detection system (IDS), or in drop mode in a non-production environment if you use it as an intrusion prevention system (IPS). Either mode gives you a dry run: the alert logs show what the rule group would do to your traffic before you commit to the change. Evaluate the rule group using Network Firewall logs, and when you're satisfied that it does what you want it to do, disable test mode on the group.

If you encounter false positives with AWS managed rule groups, perform the following steps:

  1. In the firewall policy's AWS managed rule group settings in the Network Firewall console, override the actions in the rules of the rule groups by enabling Run in alert mode. This stops them from blocking legitimate traffic.

  2. Use Network Firewall logs to identify which AWS managed rule group is triggering the false positive.

  3. In the AWS Network Firewall console, edit the firewall policy, and locate the AWS managed rule group that you've identified. Then, disable Run in alert mode for the rules that aren't causing the false positive, and leave the rule group that is causing the false positive in alert mode.
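
The three steps above can be scripted instead of clicked through. The following is an added example, not code from this documentation or from AWS: two pure functions that work on plain dictionaries and log lines, so they run offline. `summarize_alerts()` covers step 2 by aggregating Network Firewall alert log records per Suricata signature so the rule behind a false positive stands out; `set_alert_mode()` covers steps 1 and 3 by rewriting a firewall policy's `StatefulRuleGroupReferences` so that exactly the chosen managed rule groups carry the `DROP_TO_ALERT` override (the console's Run in alert mode) and all others return to their normal drop behavior. The rule group ARNs, the `SID_TO_RULE_GROUP` lookup and the log records are constructed for the example; the sid-to-rule-group mapping in particular is something you maintain yourself from the rule groups in your policy.

```python
"""Triage false positives from AWS managed rule groups (added example, not AWS code)."""
import copy
import json
from collections import Counter, defaultdict

# Hypothetical managed rule group ARNs; the name suffixes are constructed.
GROUP_A = "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/ExampleRuleGroupA"
GROUP_B = "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/ExampleRuleGroupB"

# Assumed lookup from Suricata signature id (sid) to the rule group that ships it.
# Maintain this from your own policy; the values here are constructed.
SID_TO_RULE_GROUP = {2000001: GROUP_A, 2000002: GROUP_B}

# Constructed alert log records shaped like Network Firewall alert logs
# (event.event_type, event.src_ip, event.alert.signature_id, event.alert.action ...).
# The netflow record shows that non-alert records are skipped.
SAMPLE_ALERT_LOGS = [
    '{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.1.10","dest_ip":"203.0.113.5","dest_port":443,"alert":{"action":"allowed","signature_id":2000001,"signature":"EXAMPLE A suspicious TLS SNI"}}}',
    '{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.1.10","dest_ip":"203.0.113.5","dest_port":443,"alert":{"action":"allowed","signature_id":2000001,"signature":"EXAMPLE A suspicious TLS SNI"}}}',
    '{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.1.11","dest_ip":"203.0.113.5","dest_port":443,"alert":{"action":"allowed","signature_id":2000001,"signature":"EXAMPLE A suspicious TLS SNI"}}}',
    '{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.2.7","dest_ip":"198.51.100.9","dest_port":80,"alert":{"action":"allowed","signature_id":2000002,"signature":"EXAMPLE B HTTP user-agent"}}}',
    '{"firewall_name":"fw-example","event":{"event_type":"netflow","src_ip":"10.0.2.7","dest_ip":"198.51.100.9","dest_port":80}}',
]

# Constructed FirewallPolicy dict, in the shape returned under "FirewallPolicy" by
# describe-firewall-policy. Both managed groups start in alert mode (step 1).
SAMPLE_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulRuleGroupReferences": [
        {"ResourceArn": GROUP_A, "Priority": 1, "Override": {"Action": "DROP_TO_ALERT"}},
        {"ResourceArn": GROUP_B, "Priority": 2, "Override": {"Action": "DROP_TO_ALERT"}},
    ],
}


def summarize_alerts(lines, sid_to_group=SID_TO_RULE_GROUP):
    """Step 2: count alert records per signature and return rows sorted by count.

    Each row carries the sid, signature text, the rule group it maps to (or
    "unknown"), the action counts seen, and the top source IPs, which is usually
    enough to decide whether the hits are legitimate traffic.
    """
    by_sid = defaultdict(lambda: {"signature": "", "actions": Counter(), "src": Counter()})
    for line in lines:
        rec = json.loads(line)
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert":
            continue  # flow / netflow records carry no signature
        alert = ev["alert"]
        entry = by_sid[alert["signature_id"]]
        entry["signature"] = alert.get("signature", "")
        entry["actions"][alert.get("action", "?")] += 1
        entry["src"][ev.get("src_ip", "?")] += 1
    rows = [
        {
            "count": sum(e["src"].values()),
            "signature_id": sid,
            "signature": e["signature"],
            "rule_group": sid_to_group.get(sid, "unknown"),
            "actions": dict(e["actions"]),
            "top_sources": [ip for ip, _ in e["src"].most_common(3)],
        }
        for sid, e in by_sid.items()
    ]
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


def set_alert_mode(firewall_policy, alert_mode_arns):
    """Steps 1 and 3: return a copy of the policy in which exactly the rule groups
    in alert_mode_arns carry Override.Action == "DROP_TO_ALERT"; every other
    stateful reference has its override removed so its rules drop again.
    """
    policy = copy.deepcopy(firewall_policy)  # never mutate the caller's copy
    wanted = set(alert_mode_arns)
    for ref in policy.get("StatefulRuleGroupReferences", []):
        if ref["ResourceArn"] in wanted:
            ref["Override"] = {"Action": "DROP_TO_ALERT"}
        else:
            ref.pop("Override", None)
    return policy


if __name__ == "__main__":
    for row in summarize_alerts(SAMPLE_ALERT_LOGS):
        print(row)
    # Keep only the group that produced the false positive in alert mode.
    print(json.dumps(set_alert_mode(SAMPLE_POLICY, [GROUP_A]), indent=2))
```

To apply the result, pass the returned dict as the `FirewallPolicy` of an `update-firewall-policy` call together with the `UpdateToken` from the preceding `describe-firewall-policy`; the example leaves that call out so it stays runnable without AWS credentials.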

For more information about a rule in an AWS managed rule group, contact the AWS Support Center.