Bot Control example: Creating an exception for a blocked user agent
If traffic from some non-browser user agents is being erroneously blocked, you can create an
exception by setting the offending Amazon WAF Bot Control rule
SignalNonBrowserUserAgent
to Count and then combining the rule's
labeling with your exception criteria.
Note
Mobile apps typically have non-browser user agents, which the
SignalNonBrowserUserAgent
rule blocks by default.
The following rule uses the Bot Control managed rule group but overrides the rule action for
SignalNonBrowserUserAgent
to Count. The signal rule applies its labels as usual to matching
requests, but only counts them instead of performing its usual action of block.
{ "Name": "AWS-AWSBotControl-Example", "Priority": 5, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "
AWSManagedRulesBotControlRuleSet
", "ManagedRuleGroupConfigs": [ { "AWSManagedRulesBotControlRuleSet": { "InspectionLevel": "COMMON" } } ], "RuleActionOverrides": [ { "ActionToUse": { "Count": {} }, "Name": "SignalNonBrowserUserAgent" } ], "ExcludedRules": [] } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AWS-AWSBotControl-Example" } }
The following rule matches against the signal label that the Bot Control
SignalNonBrowserUserAgent
rule adds to its matching web requests.
Among the signal requests, this rule blocks all but those that have the user agent
that we want to allow.
The following rule must run after the preceding Bot Control managed rule group in the web ACL processing order.
{ "Name": "match_rule", "Statement": { "AndStatement": { "Statements": [ { "LabelMatchStatement": { "Scope": "LABEL", "Key": "awswaf:managed:aws:bot-control:signal:non_browser_user_agent" } }, { "NotStatement": { "Statement": { "ByteMatchStatement": { "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } }, "PositionalConstraint": "EXACTLY", "SearchString": "PostmanRuntime/7.29.2", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } } } } ] } }, "RuleLabels": [], "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "match_rule" } }