Troubleshoot Web Application Firewall integration issues - Amazon Transfer Family

Troubleshoot Web Application Firewall integration issues

This section describes possible solutions for issues related to integrating Amazon WAF with Transfer Family.

Troubleshoot WAF blocking legitimate traffic

Description

After configuring Amazon WAF with your Transfer Family endpoint, legitimate users are unable to connect or experience intermittent connection failures. You may see HTTP 403 (Forbidden) responses in your logs.

Cause

Your Amazon WAF rules may be too restrictive or incorrectly configured, causing false positives that block legitimate traffic. Common causes include:

  • IP-based rules that inadvertently block corporate networks or VPNs

  • Rate-based rules with thresholds that are too low for your normal traffic patterns

  • Managed rule groups that are overly aggressive for your use case

Solution

To resolve false positive issues:

  1. Enable Amazon WAF logging to identify which rules are triggering the blocks. For instructions, see Logging Amazon WAF web ACL traffic.

  2. Review your logs to identify patterns in the blocked requests.

  3. Adjust your rules by:

    • Adding IP addresses or ranges to an allowlist

    • Increasing rate limits for rate-based rules

    • Setting specific rules to Count mode instead of Block mode to monitor without blocking

    • Creating exceptions for specific rules using rule group exclusions

  4. Test the updated configuration with a representative sample of legitimate traffic before fully deploying.
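As an added example (not part of the Transfer Family documentation), the following Python script applies steps 1 through 3 above to constructed Amazon WAF log records: it parses the JSON log lines, attributes each BLOCK to the specific rule inside a managed rule group rather than only the web ACL rule name, and tallies blocks per rule and per client IP. Field names follow the Amazon WAF log format; the sample IPs, rule names and timestamps are placeholders.

```python
import json
from collections import Counter

# Constructed sample records in the Amazon WAF log format (one JSON object per line).
# IPs, rule names and timestamps are placeholders, not data from any real account.
SAMPLE_LOG_LINES = [
    '{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.10"}}',
    '{"timestamp":1700000005000,"action":"BLOCK","terminatingRuleId":"RateLimitPerIp","ruleGroupList":[],"httpRequest":{"clientIp":"203.0.113.10"}}',
    '{"timestamp":1700000010000,"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7"}}',
    '{"timestamp":1700000012000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"SizeRestrictions_BODY","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.11"}}',
    'not valid json',  # a corrupt line, to show it is skipped rather than aborting the review
]

def parse_records(lines):
    """Parse one record per line; skip blank or malformed lines instead of aborting."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def blocking_rule(record):
    """For a BLOCK, return 'webAclRule/ruleInsideGroup' (or just the rule name); else None.
    A rule group's matching rule is in ruleGroupList[].terminatingRule, not terminatingRuleId."""
    if record.get("action") != "BLOCK":
        return None
    top = record.get("terminatingRuleId", "UNKNOWN")
    for group in record.get("ruleGroupList", []):
        term = group.get("terminatingRule")
        if term and term.get("action") == "BLOCK":
            return f"{top}/{term.get('ruleId')}"
    return top

def summarize_blocks(records):
    """Tally blocks per rule and per client IP; list IPs that were never allowed at all."""
    by_rule, by_ip, allowed_ips = Counter(), Counter(), set()
    for rec in records:
        ip = rec.get("httpRequest", {}).get("clientIp", "?")
        rule = blocking_rule(rec)
        if rule is None:
            allowed_ips.add(ip)
        else:
            by_rule[rule] += 1
            by_ip[ip] += 1
    never_allowed = sorted(ip for ip in by_ip if ip not in allowed_ips)
    return {"by_rule": dict(by_rule), "by_ip": dict(by_ip), "never_allowed": never_allowed}

if __name__ == "__main__":
    print(json.dumps(summarize_blocks(parse_records(SAMPLE_LOG_LINES)), indent=2))
```

Rules that dominate `by_rule` are the candidates for Count mode or a rule group exclusion in step 3; addresses in `never_allowed` that belong to known corporate or VPN ranges are the candidates for the allowlist.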

Troubleshoot WAF integration with custom identity providers

Description

After configuring Amazon WAF with your Transfer Family server that uses a custom identity provider, authentication fails or users experience intermittent authentication issues.

Cause

When using a custom identity provider with API Gateway, Amazon WAF rules may interfere with the API calls between Transfer Family and your identity provider. This can happen because Amazon WAF is inspecting and potentially blocking the API traffic based on its rule sets.

Solution

To resolve issues with Amazon WAF and custom identity providers:

  • Ensure that your Amazon WAF configuration includes exceptions for the API Gateway endpoints used by your custom identity provider.

  • Add the Transfer Family service principal (transfer.amazonaws.com) to an allowlist in your Amazon WAF rules.

  • If using managed rule groups, review them for rules that might affect API authentication flows and consider disabling those specific rules.

  • Test your identity provider directly using the TestIdentityProvider API operation to verify it works correctly without Amazon WAF interference.