How to Identify Problematic WAF Rule IDs in cPFence?

New! You can now use an automatic tracking tool to identify problematic WAF rules in real time. Instead of manually monitoring logs, cPFence now provides a built-in WAF troubleshooting helper tool. This allows you to track WAF logs live and receive instant recommendations on how to fix any 403 errors caused by blocked requests.

Using the cPFence WAF Tracking & Troubleshooting Tool

To use the automatic WAF troubleshooting tool, run the following command:

cpfence --debug-domain-waf

You will be prompted to enter your domain name. Once entered, the tool will begin monitoring the WAF logs for that specific domain in real time.

Example Output:

============================================================
cPFence WAF Tracking and Troubleshooting Helper Tool
============================================================
Enter your domain name: example.com
Now tracking WAF logs for domain: example.com
To generate logs, open your browser and navigate to the page that triggers the 403 error.
Once the error occurs, check the output here for the detected WAF rules and suggestions.
============================================================
Press Ctrl+C to stop tracking at any time.
New WAF Log Entry Detected:
2025-03-09 02:22:21.747892 [INFO] [3559812] [172.69.151.90:12502:HTTP2-1#example.com] [Module:mod_security]Log Message: [client 167.235.252.84] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"]
WAF rule ID: 941100
Affected URL: /
Is this URL related to your issue? If yes, use the commands below. If unsure, contact support.
Recommended actions:
   Disable rule 941100 for domain 'example.com' (Recommended):
    cpfence --disable-waf-domain-byid example.com 941100
   Disable this rule server-wide (only if necessary):
    cpfence --disable-waf-rule 941100
============================================================
Tracking WAF logs...to exit use Ctrl+C

Why Use This Tool?

  • No need to manually search logs—this tool automatically detects blocked requests and extracts the WAF rule ID.
  • It provides instant recommendations on how to fix the issue, helping you decide whether to disable the rule for the domain or server-wide.
  • It reduces troubleshooting time by allowing you to test and verify changes in real time.

Alternative: Identifying WAF Rule IDs Manually

When your website encounters a WAF-related error (typically a 403 Forbidden error), you may need to identify the specific WAF rule ID that is causing the issue. This guide will help you track down the problematic rule using the security audit log.

4 Easy Steps to Identify the Rule ID:

  1. Tail the Security Audit Log

    To begin, you'll need to monitor the security audit log file to observe any new WAF-related entries. Depending on your server setup, use the following commands:

      • For LiteSpeed or OpenLiteSpeed servers:
        tail -f /usr/local/lsws/logs/security_audit.log

  2. Clear the Terminal

    Once you’ve started tailing the log, press Enter a few times to clear the terminal screen. This will help you more easily observe the new entries that appear.

  3. Trigger the WAF Error

    Next, visit the URL that is generating the WAF error (typically a 403 Forbidden message). If the URL is part of an admin area (such as WordPress), you may need to ask your client to provide login credentials so you can access the page.

  4. Observe the Log for the Rule ID

    After triggering the error, return to the terminal window. The log will update with a new entry showing the details of the blocked request, including the problematic WAF rule ID.

Example log entry:

[client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Within' with parameter..." [id "200007"] [severity "CRITICAL"]

TIP: Repeat to Confirm the Correct Rule

It is recommended to repeat this process 2 or 3 times to ensure you’ve identified the correct rule ID. On busy servers, the log may be very active, and unrelated entries could appear.
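The extraction that both the helper tool above and the manual tail-the-log procedure rely on is the same: pick out the `[id "..."]` tag (and, where present, the message, client and URI tags) from each ModSecurity "Access denied" line, and keep only the lines that belong to the domain you are debugging so that unrelated entries on a busy server do not mislead you. The script below is an added example written for this article; it is not cPFence's own code and does not show how `cpfence --debug-domain-waf` is implemented. It assumes the two line shapes shown on this page (the LiteSpeed security_audit.log wrapper with the domain after `#` in the connection field, and a bare ModSecurity message), and the constructed sample lines additionally carry the standard ModSecurity `[uri "..."]` tag, which the page's own excerpt does not include. The `cpfence` commands it prints are the two recommended on this page.

```python
import re
from collections import Counter

# Constructed sample log (not real traffic). Lines 1 and 3 repeat the same block,
# line 2 is a hit on a different domain, line 4 is a bare ModSecurity message
# with no domain information at all.
SAMPLE_LOG = """\
2025-03-09 02:22:21.747892 [INFO] [3559812] [172.69.151.90:12502:HTTP2-1#example.com] [Module:mod_security]Log Message: [client 167.235.252.84] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
2025-03-09 02:22:22.001000 [INFO] [3559812] [172.69.151.90:12503:HTTP2-1#other.example] [Module:mod_security]Log Message: [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "200007"] [severity "CRITICAL"] [uri "/"]
2025-03-09 02:22:23.500000 [INFO] [3559812] [172.69.151.90:12504:HTTP2-1#example.com] [Module:mod_security]Log Message: [client 167.235.252.84] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
[client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Within' with parameter..." [id "200007"] [severity "CRITICAL"]
"""

# ModSecurity writes its metadata as [key "value"] tags; we only care about these.
KEY_VALUE = re.compile(r'\[(?P<key>id|msg|uri|severity|hostname) "(?P<value>[^"]*)"\]')
CLIENT = re.compile(r'\[client (?P<ip>[^\]\s]+)\]')
# LiteSpeed's connection field ends with "#<virtual host>]" (see the page's example line).
DOMAIN_IN_CONN = re.compile(r'#(?P<domain>[A-Za-z0-9.-]+)\]')


def parse_waf_line(line):
    """Return a dict describing a ModSecurity 403 entry, or None for any other line."""
    if "ModSecurity: Access denied" not in line:
        return None
    fields = {m.group("key"): m.group("value") for m in KEY_VALUE.finditer(line)}
    if "id" not in fields:          # no rule id, nothing to act on
        return None
    client = CLIENT.search(line)
    # Prefer ModSecurity's own [hostname "..."] tag; fall back to the LiteSpeed field.
    domain = fields.get("hostname")
    if domain is None:
        conn = DOMAIN_IN_CONN.search(line)
        domain = conn.group("domain") if conn else None
    return {
        "rule_id": fields["id"],
        "msg": fields.get("msg", ""),
        "severity": fields.get("severity", ""),
        "uri": fields.get("uri", "?"),
        "client": client.group("ip") if client else "?",
        "domain": domain,
    }


def find_blocking_rules(log_text, domain):
    """Aggregate a captured log for one domain: [(rule_id, uri, hit_count)], most hits first.

    Repeating the request (as the tip above recommends) makes the rule you are
    after rise to the top, while one-off hits from unrelated traffic stay below it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_waf_line(line)
        if entry is None or entry["domain"] != domain:
            continue
        counts[(entry["rule_id"], entry["uri"])] += 1
    return [(rule_id, uri, n) for (rule_id, uri), n in counts.most_common()]


def recommended_commands(domain, rule_id):
    """The two remediation commands this article recommends, per-domain first."""
    return [
        f"cpfence --disable-waf-domain-byid {domain} {rule_id}",
        f"cpfence --disable-waf-rule {rule_id}",
    ]


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # Live use: tail -f /usr/local/lsws/logs/security_audit.log | python3 waf_rule_finder.py example.com
    # Without piped input the constructed sample above is analysed instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for line in source:
        entry = parse_waf_line(line)
        if entry and entry["domain"] == domain:
            print(f"rule {entry['rule_id']} ({entry['msg'] or entry['severity'] or 'no msg'}) "
                  f"blocked {entry['client']} on {entry['uri']}")
            for cmd in recommended_commands(domain, entry["rule_id"]):
                print("    " + cmd)
```

Run on the sample, the script reports only the two `example.com` hits for rule 941100 and ignores the `other.example` hit and the bare line that carries no domain; `find_blocking_rules` gives the same data aggregated, which is the form to use after capturing a minute or two of a busy server's log rather than watching it live.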

By following these steps, you should be able to identify the problematic WAF rule ID and adjust your configuration accordingly. Check the whitelisting guide for more info. If you need further assistance or clarification, don’t hesitate to reach out to support.


Need Further Assistance?

If you encounter any issues or need additional help, feel free to reach out to our support team via your client portal.
