Mitigating false-positive scenarios - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Mitigating false-positive scenarios

As a best practice, before using a rule group in production, run the managed rule group in alert mode if you're using an intrusion detection system (IDS), or in drop mode in a non-production environment if you use an intrusion prevention system (IPS). Running a managed rule group in either alert mode or drop mode lets you do a dry run: the alert logs show what the resulting behavior would look like before you commit to changing your traffic. Evaluate the rule group using Network Firewall logs. When you're satisfied that the rule group does what you want it to do, take the group out of test mode (alert mode, or the non-production drop-mode test).

Mitigating false-positive scenarios

If you are encountering false-positive scenarios with Amazon managed rule groups, perform the following steps:

  1. In the firewall policy's Amazon managed rule group settings in the Network Firewall console, override the actions in the rules of the rule groups by enabling Run in alert mode. This stops them from blocking legitimate traffic.

  2. Use Network Firewall logs to identify which Amazon managed rule group is triggering the false positive.

  3. In the Amazon Network Firewall console, edit the firewall policy, and locate the Amazon managed rule group that you've identified. Then, disable Run in alert mode for the rules that aren't causing the false positive, and leave the rule group that is causing the false positive in alert mode.
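The dry run described in the best-practice paragraph and the three steps above can be driven from the API as well as the console. The following is an added example, not code from the Amazon Network Firewall documentation: it counts alerts per signature from Network Firewall alert log lines (step 2) and sets or clears the `Override` / `DROP_TO_ALERT` field on the stateful rule group references of a firewall policy document, which is what "Run in alert mode" toggles (steps 1 and 3). The log lines, rule group names and ARNs are constructed placeholders; `SID_TO_RULE_GROUP` is a hypothetical lookup the operator maintains, because the alert record carries the signature, not the rule group name; and the policy dict is assumed to be in the shape accepted by `aws network-firewall update-firewall-policy --firewall-policy file://...`.

```python
"""Added example (not AWS documentation code): triage Network Firewall alert
logs and toggle the DROP_TO_ALERT override on stateful rule group references.

Assumptions:
- Log lines follow the Network Firewall alert log layout (top-level
  firewall_name / event, Suricata-style event.alert object); the samples
  below are constructed, not captured traffic.
- SID_TO_RULE_GROUP is a hypothetical operator-maintained lookup from
  signature_id to the managed rule group that ships that signature.
- ARN_A / ARN_B are placeholders; the policy dict mirrors the FirewallPolicy
  JSON document passed to update-firewall-policy.
"""
import copy
import json
from collections import Counter

# Constructed sample alert log lines (not real traffic).
SAMPLE_ALERT_LOG = """\
{"firewall_name":"example-fw","availability_zone":"REGION-a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.1.10","src_port":50000,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2000001,"rev":1,"signature":"EXAMPLE rule A","category":"Misc","severity":3}}}
{"firewall_name":"example-fw","availability_zone":"REGION-a","event_timestamp":"1700000005","event":{"timestamp":"2023-11-14T22:13:25.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.11","src_port":50001,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2000001,"rev":1,"signature":"EXAMPLE rule A","category":"Misc","severity":3}}}

{"firewall_name":"example-fw","availability_zone":"REGION-a","event_timestamp":"1700000009","event":{"timestamp":"2023-11-14T22:13:29.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.1.12","src_port":50002,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2000002,"rev":1,"signature":"EXAMPLE rule B","category":"Misc","severity":2}}}
"""

# Hypothetical lookup: signature_id -> managed rule group name (constructed).
SID_TO_RULE_GROUP = {2000001: "EXAMPLE-GROUP-A", 2000002: "EXAMPLE-GROUP-B"}

# Placeholder ARNs for two managed stateful rule groups referenced by a policy.
ARN_A = "arn:aws-cn:network-firewall:REGION:aws-managed:stateful-rulegroup/EXAMPLE-GROUP-A"
ARN_B = "arn:aws-cn:network-firewall:REGION:aws-managed:stateful-rulegroup/EXAMPLE-GROUP-B"

# Constructed firewall policy document with no overrides yet (production state).
EXAMPLE_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": ARN_A},
        {"ResourceArn": ARN_B},
    ],
}


def summarize_alerts(log_text, sid_to_rule_group):
    """Step 2: count alerts keyed by (rule group, signature_id, action).

    Blank lines and non-alert events are skipped; signatures missing from
    the lookup are attributed to "unknown" so they are not silently dropped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line).get("event", {})
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        sid = alert["signature_id"]
        group = sid_to_rule_group.get(sid, "unknown")
        counts[(group, sid, alert["action"])] += 1
    return counts


def set_alert_mode(policy, arns_in_alert_mode):
    """Steps 1 and 3: return a copy of the policy where every stateful rule
    group reference whose ARN is in arns_in_alert_mode carries
    Override.Action = DROP_TO_ALERT and every other reference has no override.

    Step 1 passes all managed rule group ARNs; step 3 passes only the group
    still under investigation. The input policy is not modified.
    """
    updated = copy.deepcopy(policy)
    for ref in updated.get("StatefulRuleGroupReferences", []):
        if ref["ResourceArn"] in arns_in_alert_mode:
            ref["Override"] = {"Action": "DROP_TO_ALERT"}
        else:
            ref.pop("Override", None)
    return updated


def alert_mode_arns(policy):
    """Set of rule group ARNs currently overridden to alert mode."""
    return {
        ref["ResourceArn"]
        for ref in policy.get("StatefulRuleGroupReferences", [])
        if ref.get("Override", {}).get("Action") == "DROP_TO_ALERT"
    }


if __name__ == "__main__":
    step1 = set_alert_mode(EXAMPLE_POLICY, {ARN_A, ARN_B})
    for key, n in sorted(summarize_alerts(SAMPLE_ALERT_LOG, SID_TO_RULE_GROUP).items()):
        print(f"{key[0]:>16}  sid={key[1]}  action={key[2]}  count={n}")
    # Suppose the log review points at EXAMPLE-GROUP-A as the false-positive source.
    step3 = set_alert_mode(step1, {ARN_A})
    print(json.dumps(step3, indent=2))
```

Write the `step3` document to a file and pass it to `update-firewall-policy` together with the current update token; the rule groups that were cleared of the override return to their shipped drop behaviour, while the group under investigation keeps alerting.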

For more information about a rule in an Amazon managed rule group, contact the Amazon Web Services Support Center.