A WAF rule update on the F5 ASM introduces a false positive that matches a common HTTP header sent by the company's mobile app. All mobile API requests are blocked with 403 Forbidden. 60% of customer traffic comes from the mobile app.
Pattern: FIREWALL_RULE_BLOCK
Severity: CRITICAL
Confidence: 95%
Remediation: Auto-Heal
Test Results

Metric                  Expected               Actual                                     Result
Pattern Recognition     FIREWALL_RULE_BLOCK    FIREWALL_RULE_BLOCK
Severity Assessment     CRITICAL               CRITICAL
Incident Correlation    Yes                    19 linked
Cascade Escalation      N/A                    No
Remediation             —                      Auto-Heal — Corax resolves autonomously
Scenario Conditions
F5 ASM (Advanced Security Module). WAF policy updated with new signature set. False positive on X-App-Version header. Mobile app sends this header on every request. 60% of traffic is mobile. Blocking mode enabled.
Injected Error Messages (2)
WAF false positive blocking legitimate traffic — F5 ASM firewall rule signature ID 200010847 matching X-App-Version header on all mobile API requests, blocked by policy, 45,000 requests blocked in 30 minutes, WAF block rate: 100% on mobile traffic, ASM policy in blocking mode
Mobile API returning 403 Forbidden to all app users — WAF block on firewall rule matching X-App-Version header, 60% of customer traffic affected, blocked by firewall policy, app store reviews reporting 'server error', mobile revenue stream halted
Neural Engine Root Cause Analysis
The F5 ASM WAF is experiencing a false positive detection where signature ID 200010847 is incorrectly flagging the X-App-Version header in legitimate mobile API requests as malicious. The WAF policy is in blocking mode, causing 100% of mobile traffic (45,000 requests in 30 minutes) to be blocked. This appears to be a signature tuning issue where the WAF rule is too aggressive and needs adjustment or exemption for the specific header pattern used by the mobile application.
Remediation Plan
1. Access F5 ASM policy configuration for LTM-01.
2. Locate signature ID 200010847 and analyze its matching criteria for the X-App-Version header.
3. Create a policy exception or whitelist rule for legitimate X-App-Version header patterns from mobile clients.
4. Alternatively, disable signature 200010847 temporarily if immediate relief is needed.
5. Apply the policy changes and verify that mobile API traffic is flowing normally.
6. Monitor for 15-30 minutes to ensure no legitimate traffic is blocked while maintaining security posture.
7. Review and tune other related signatures to prevent similar false positives.
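The triage behind steps 2 and 3 (confirming that one signature is blocking an entire client population on a single header match, rather than blocking genuinely malicious requests) can be checked from the WAF's own request log before anyone touches the policy. The script below is an added example, not code from the page or from Corax, and it does not use F5's real log format: the key=value lines, the client strings and the second signature ID 900000001 are constructed for illustration; only 200010847 and X-App-Version come from the scenario. It groups blocks per signature, computes what share of the mobile client's requests each signature blocked, and flags a signature as a false-positive candidate when it blocks nearly all of that population and every block matched the same field.

```python
"""Flag a WAF signature that is blocking a whole client population on one field.

Added example. Log layout, client names and signature 900000001 are constructed
placeholders; the script does not parse real F5 ASM syslog.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: four mobile-app requests all blocked on the same header,
# three browser requests passed, one browser request blocked by a different
# (constructed) signature on a query parameter.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z policy=mobile_api client=MobileApp/4.2 uri=/api/v1/orders action=blocked sig_id=200010847 matched=header:X-App-Version
ts=2024-05-01T10:00:02Z policy=mobile_api client=MobileApp/4.2 uri=/api/v1/cart action=blocked sig_id=200010847 matched=header:X-App-Version
ts=2024-05-01T10:00:03Z policy=mobile_api client=MobileApp/4.1 uri=/api/v1/me action=blocked sig_id=200010847 matched=header:X-App-Version
ts=2024-05-01T10:00:04Z policy=mobile_api client=MobileApp/4.2 uri=/api/v1/orders action=blocked sig_id=200010847 matched=header:X-App-Version
ts=2024-05-01T10:00:05Z policy=mobile_api client=Mozilla/5.0 uri=/api/v1/orders action=passed
ts=2024-05-01T10:00:06Z policy=mobile_api client=Mozilla/5.0 uri=/api/v1/cart action=passed
ts=2024-05-01T10:00:07Z policy=mobile_api client=Mozilla/5.0 uri=/api/v1/search action=blocked sig_id=900000001 matched=parameter:q
ts=2024-05-01T10:00:08Z policy=mobile_api client=Mozilla/5.0 uri=/api/v1/me action=passed
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (constructed layout)."""
    return dict(KV_RE.findall(line))


def summarize(lines, client_prefix="MobileApp/"):
    """Return (requests from the client population, per-signature block stats).

    Each stats entry holds total blocks, blocks hitting the client population,
    and a Counter of which request field each block matched on.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    total_client = sum(1 for e in events if e.get("client", "").startswith(client_prefix))
    blocks = defaultdict(lambda: {"total": 0, "client": 0, "matched": Counter()})
    for e in events:
        if e.get("action") != "blocked":
            continue
        stats = blocks[e["sig_id"]]
        stats["total"] += 1
        stats["matched"][e.get("matched", "?")] += 1
        if e.get("client", "").startswith(client_prefix):
            stats["client"] += 1
    return total_client, blocks


def false_positive_candidates(lines, client_prefix="MobileApp/", threshold=0.9):
    """Signatures that block at least `threshold` of the client population
    and whose blocks all matched on the same field (a tuning candidate).
    """
    total_client, blocks = summarize(lines, client_prefix)
    if total_client == 0:
        return []
    candidates = []
    for sig_id, stats in blocks.items():
        client_rate = stats["client"] / total_client
        field, field_hits = stats["matched"].most_common(1)[0]
        # Every block on this signature matched one field: narrow, not varied.
        single_field = field_hits == stats["total"]
        if client_rate >= threshold and single_field:
            candidates.append(
                {"sig_id": sig_id, "client_block_rate": client_rate, "matched": field}
            )
    return candidates


if __name__ == "__main__":
    for c in false_positive_candidates(SAMPLE_LOGS.splitlines()):
        print(f"signature {c['sig_id']} blocks {c['client_block_rate']:.0%} of mobile "
              f"requests, always on {c['matched']}: review for an exception")
```

On the constructed sample only 200010847 is reported (it blocks 100% of mobile requests, always on header:X-App-Version); the signature that blocked a single browser request on a query parameter is not. Signatures that surface this way are the ones where a header-scoped exception (step 3) is the narrower fix: disabling the signature outright (step 4) also removes its coverage for the 40% of traffic that is not mobile, so the same report should be re-run after the exception is applied (step 6) to confirm the block rate on that population has dropped without other signatures taking over.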