Problem description
After a website is added to Web Application Firewall (WAF), an HTTP 405 status code is returned when access requests are sent to a URL that may pose a threat to the website. The HTTP 405 status code indicates that WAF blocks the access requests.
Solution
If an HTTP 405 status code is returned, you can use one of the following methods to query attack details:
- Log on to the Web Application Firewall console. In the left-side navigation pane, click Security Report. On the Web Security tab, click Web Intrusion Prevention. On the Web Intrusion Prevention tab, you can view the records of attacks that are blocked by WAF and obtain the attack details. For more information, see View security reports.
Important On the Security Report page, you can query the details about only attacks that are blocked by Protection Rules Engine.The following figure shows an example of attack details.
- If you have enabled log collection for the domain name of your website, we recommend that you query attack details on the Log Service page. On the Log Service page, you can view the details about attacks that are blocked by all protection features of WAF.
To query the details about an attack, obtain the ID of the attack request from the block page that is returned by WAF. Then, log on to the Web Application Firewall console. In the left-side navigation pane, click Log Service. On the Log Query tab, query logs by using the advanced search feature. For more information, see Query logs.Important The Log Service for WAF feature is a paid feature. You must activate Log Service and enable log collection for a domain name before you can query the logs of the domain name. For more information, see Get started with the Log Service for WAF feature.
If logs show that WAF blocks normal requests, you can use one of the following methods to resolve the issue:
- On the Security Report page, click the Web Security tab. Then, click Web Intrusion Prevention. On the Web Intrusion Prevention tab, find the rules that block normal requests and click Ignore False Positives.
For more information, see View security reports on the Web Security tab.
Important You can click Ignore False Positives only for the built-in protection rules of Protection Rules Engine. If a custom protection rule blocks normal requests, you must delete the rule. For example, if an access control list (ACL) rule or HTTP flood protection rule that you configured in the Custom Protection Policy feature blocks normal requests, you must delete the rule. - On the Website Protection page, configure whitelist rules for different protection features. You can configure custom match conditions and specify the protection features or protection rules whose checks are bypassed when the specified match conditions are met. You can use the URL field to configure a custom match condition.
For more information, see Configure a website whitelist.