Troubleshoot WAF managed rules (previous version)
By default, WAF managed rules are fully managed via the Cloudflare dashboard and are compatible with most websites and web applications. However, false positives and false negatives may occur:
- False positives: Legitimate requests detected and filtered as malicious.
- False negatives: Malicious requests not filtered.
Troubleshoot false positives
The definition of suspicious content is subjective for each website. For example, PHP code posted to your website is normally suspicious. However, your website may be teaching how to code and it may require PHP code submissions from visitors. In this situation, you should disable related managed rules for this website, since they would interfere with normal website operation.
To test for false positives, set WAF managed rules to Simulate mode. This mode allows you to record the response to possible attacks without challenging or blocking incoming requests. Also, use the Firewall Analytics to determine which managed rules caused false positives.
If you find a false positive, there are several potential resolutions:
- Add the client’s IP addresses to the allowlist: If the browser or client visits from the same IP addresses, allowing is recommended.
- Disable the corresponding managed rule(s): Stops blocking or challenging false positives, but reduces overall site security. A request blocked by Rule ID 981176 refers to OWASP rules. Decrease OWASP sensitivity to resolve the issue.
- Bypass WAF managed rules with a firewall rule (deprecated): Create a firewall rule with the Bypass action to deactivate WAF managed rules for a specific combination of parameters. For example, for a specific URL and a specific IP address or user agent.
- (Not recommended) Disable WAF managed rules for traffic to a URL: Lowers security on the particular URL endpoint. Configured via .
Additional guidelines are as follows:
- If one specific rule causes false positives, set the rule’s Mode to Disable rather than turning Off the entire rule Group.
- For false positives with the administrator section of your website, create a to Disable Security for the admin section of your site resources — for example,
Troubleshoot false negatives
To identify false negatives, review the HTTP logs on your origin web server. To reduce false negatives, use the following checklist:
Are WAF managed rules enabled in Security > WAF > Managed rules?
Not all managed rules are enabled by default, so review individual managed rule default actions.
- For example, Cloudflare allows requests with empty user agents by default. To block requests with an empty user agent, change the rule Mode to Block.
- Another example: if you are looking to block unmitigated SQL injection attacks, make sure the relevant SQLi rules are enabled and set to Block under the Cloudflare Specials group.
Are DNS records that serve HTTP traffic proxied through Cloudflare?
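The origin log review described above can be partly automated. The following is an added example, not Cloudflare code: it assumes the origin writes access logs in the common "combined" format, and it flags requests that reached the origin with an empty user agent or a SQL-injection-like query string. The patterns are a small illustrative heuristic, not the logic of any managed rule, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined Log Format (assumed):
# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Deliberately small, illustrative heuristic; tune it for your own application.
SQLI_RE = re.compile(r"(\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--)", re.I)

def find_false_negative_candidates(lines):
    """Return (ip, target, reasons) for logged requests that look suspicious.

    Anything in the origin log was not blocked upstream, so each hit is a
    candidate false negative to compare against the managed rule settings.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        reasons = []
        if m["ua"] in ("", "-"):  # web servers log an absent user agent as "-"
            reasons.append("empty-user-agent")
        # Decode the query string before matching so %20 and + count as spaces.
        query = unquote_plus(urlsplit(m["target"]).query)
        if SQLI_RE.search(query):
            reasons.append("sqli-pattern")
        if reasons:
            findings.append((m["ip"], m["target"], reasons))
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:02 +0000] "GET /item?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Mar/2024:10:00:03 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
    '198.51.100.8 - - [10/Mar/2024:10:00:04 +0000] "GET /search?q=select+a+union+plan HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in find_false_negative_candidates(SAMPLE_LOG):
        print(ip, target, ",".join(reasons))
```

Each finding maps back to the checklist: an empty-user-agent hit points at the rule Mode for empty user agents, and a sqli-pattern hit points at the SQLi rules in the Cloudflare Specials group.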