Getting started with blocked request query - Web Application Firewall

After you add web services to Web Application Firewall (WAF), you can enter request IDs on the Blocked Request Query page to view the blocking details of the requests. If a normal request is blocked, you can configure the whitelist to allow the request or optimize related protection rules.

Prerequisites

A WAF 3.0 instance is purchased.
For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects.
For more information, see Configure protected objects and protected object groups.
Protection rules are configured for protected objects.
By default, the Basic Protection Rule module is enabled. You do not need to configure protection rules for the module. To enable other protection modules, you must configure protection rules for the modules. For more information, see Protection configuration overview.

Query blocked requests

Note

You can query and handle blocked requests only if your domain name is added to WAF in CNAME record mode.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Detection and Response > Blocked Request Query.
On the Blocked Request Query page, enter the ID of your blocked request in the Blocked Request Query field and click Query Now.
View query results.
Note
A request ID is up to 30 characters in length and contains digits from the 8th bit to the 18th bit.
1. Protection Module: the protection module that blocks the request. For more information, see Protection configuration overview.
2. Rule ID: the ID of the rule that blocks the request. You can search for the rule based on the rule ID and view the match details on the Protection Configuration > Basic Web Protection page.
  Important
  - You cannot search for the protection rules of the basic protection rule module by Rule ID on the Basic Web Protection page. You can query the rules on the Security Reports or Log Service page.
  - If a rule blocks normal traffic, you can configure the whitelist for the rule. For more information, see Configure protection rules for the whitelist module to allow specific requests.

References

For more information about the configuration procedures and details of all protection rules in WAF 3.0, see Basic web protection.
For more information about how to view the protection records generated based on the protection rules of different protection modules in WAF for security analysis, see Security reports.