How to Identify Problematic WAF Rule IDs in cPFence?

When your website encounters a WAF-related error (typically a 403 Forbidden error), you may need to identify the specific WAF rule ID that is causing the issue. This guide will help you track down the problematic rule using the security audit log.

 

4 Easy Steps to Identify the Rule ID :

 

    1. Tail the Security Audit Log To begin, you'll need to monitor the security audit log file to observe any new WAF-related entries. Depending on your server setup, use the following commands:

      • For LiteSpeed servers:

        docker exec litespeed tail -f /usr/local/lsws/logs/security_audit.log
        

         

      •  For OpenLiteSpeed servers:

        docker exec openlitespeed tail -f /usr/local/lsws/logs/security_audit.log

         

    2. Clear the Terminal Once you’ve started tailing the log, press Enter a few times to clear the terminal screen. This will help you more easily observe the new entries that appear.

    3. Trigger the WAF Error Next, visit the URL that is generating the WAF error (typically a 403 Forbidden message). If the URL is part of an admin area (such as WordPress), you may need to ask your client to provide login credentials so you can access the page.

    4. Observe the Log for the Rule ID After triggering the error, return to the terminal window. The log will update with a new entry showing the details of the blocked request, including the problematic WAF rule ID.

Example log entry:

[client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Within' with parameter..." [id "200007"] [severity "CRITICAL"]​

TIP: Repeat to Confirm the Correct Rule It is recommended to repeat this process 2 or 3 times to ensure you’ve identified the correct rule ID. On busy servers, the log may be very active, and unrelated entries could appear.

 

By following these steps, you should be able to identify the problematic WAF rule ID and adjust your configuration accordingly. Check the whitelisting guide for more info. If you need further assistance or clarification, don’t hesitate to reach out to support.

 

 

  • 0 brukere syntes dette svaret var til hjelp
Var dette svaret til hjelp?

Relaterte artikler

How to Enable / Disable WAF Rule by ID ?

This guide provides instructions for enabling and disabling specific WAF rules in cPFence for...

How to Enable / Disable WAF?

This guide provides simple instructions for enabling and disabling the Web Application Firewall...

How to Block or Whitelist Certain User Agents ?

This guide will help you block or whitelist specific user agents in cPFence. You can manage these...

Whitelisting and Managing WAF Rules in cPFence

To manage the OpenLiteSpeed (OLS)/LiteSpeed (LS) Web Application Firewall (WAF) through cPFence,...

How to Use the cPFence WAF Testing Tool ?

To manually test the WAF (Web Application Firewall) on your WordPress site, you can trigger...