Can you confirm from the AWS WAF logs that connections are actually arriving from the IP in question? (Try running a query against the logs with Athena or similar.)
https://docs.aws.amazon.com/ja_jp/waf/latest/developerguide/logging-management-enable.html
https://docs.aws.amazon.com/ja_jp/athena/latest/ug/waf-logs.html
Judging from the configuration JSON there does not seem to be a problem, but just to be safe, please check whether your settings match the ones in the blog post below.
https://iret.media/93123
Based on the information provided, there are several potential reasons why your WAF v2 WebACL and rule might not be working as expected:
- Rule Priority: The rule you've shown has a priority of 0, which means it should be evaluated first. However, if there are other rules with the same or lower priority that are allowing the traffic, they might be overriding this rule.
- Default Action: If the WebACL's default action is set to "Allow," and for some reason the rule isn't matching the traffic, the requests would be allowed through.
- IP Set Configuration: Ensure that the IP addresses in your IP set are correctly formatted and include the proper CIDR notation (/32 for single IPs).
- Resource Association: Confirm that the WebACL is correctly associated with your ALB. Sometimes, the association might not be active or might have been removed.
- Rule Action: The rule is set to "Block," which is correct for your intention. However, make sure there isn't a scope-down statement or other condition that might be preventing the rule from matching.
- Logging and Metrics: Since you mentioned there are no logs in the Sampled Requests, check if logging is properly enabled for your WebACL. Also, verify that CloudWatch metrics are enabled for this rule.
- ALB Configuration: Ensure that your ALB is configured to forward the correct client IP address to WAF. If you're using an intermediate proxy or CDN, you might need to configure the ALB to use the X-Forwarded-For header.
- Traffic Source: Double-check that the traffic you're seeing in your other system's logs is actually reaching the ALB and not bypassing it somehow.
To troubleshoot:
- Review all rules in your WebACL and their priorities.
- Check the WebACL's default action.
- Verify the IP set configuration.
- Confirm the WebACL-ALB association.
- Enable full logging for the WebACL if not already done.
- Check CloudWatch metrics for the specific rule and WebACL.
- Review your ALB configuration for proper client IP forwarding.
If the issue persists after checking these points, you may need to capture and analyze network traffic or engage AWS support for more in-depth troubleshooting.
Sources
WebACL - AWS WAFV2
Creating and configuring a Web Access Control List (Web ACL) - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
UpdateWebACL - AWS WAFV2
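As an added example (not from this thread, and not AWS code), a Python script that does offline what the answers above suggest: it correlates WAF log records for a suspect client IP with the action taken and the terminating rule, and checks that the IP set entries use CIDR notation and actually cover that IP. The log records, the IP set contents and the rule name `block-suspect-ips` are constructed for illustration; only the field names follow the WAF log format.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: records in the JSON-lines shape AWS WAF writes to its
# logging destination (field names from the WAF log format, values invented).
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"timestamp": 1700000000000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:EXAMPLE",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/login", "httpMethod": "POST"}},
    {"timestamp": 1700000001000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:EXAMPLE",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/admin", "httpMethod": "GET"}},
    {"timestamp": 1700000002000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:EXAMPLE",
     "terminatingRuleId": "block-suspect-ips", "terminatingRuleType": "REGULAR", "action": "BLOCK",
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/", "httpMethod": "GET"}},
]]
# Constructed IP set: the first entry lacks the /32 prefix WAF requires.
SAMPLE_IP_SET = ["203.0.113.10", "198.51.100.0/24"]

def validate_ip_set(addresses):
    """Split IP set entries into parsed networks and malformed entries."""
    networks, bad = [], []
    for entry in addresses:
        try:
            if "/" not in entry:
                raise ValueError("missing prefix length")
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    return networks, bad

def triage(log_lines, suspect_ip, ipset_addresses):
    """Answer: was the IP seen, what did WAF do, which rule terminated,
    and does the configured IP set actually cover it?"""
    networks, bad = validate_ip_set(ipset_addresses)
    ip = ipaddress.ip_address(suspect_ip)
    actions, rules = Counter(), Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec["httpRequest"]["clientIp"] != suspect_ip:
            continue  # only records for the IP under investigation
        actions[rec["action"]] += 1
        rules[rec["terminatingRuleId"]] += 1
    return {"requests_seen": sum(actions.values()), "actions": dict(actions),
            "terminating_rules": dict(rules),
            "ip_in_set": any(ip in n for n in networks), "bad_ipset_entries": bad}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES, "203.0.113.10", SAMPLE_IP_SET), indent=2))
```

With the constructed data the suspect IP is seen twice, both times allowed by `Default_Action`, and the IP set does not cover it because its entry has no prefix length; that is the pattern the checklist above describes for a rule that never matches.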
Thank you for your continued support, and thank you for your reply.
Thank you for the advice.
My apologies. In the end, another colleague added a host-based IP block rule using a WAF regex pattern, and we detected a BLOCK. Are there any best practices or advice regarding "host-based IP block rules using WAF regex patterns"?
Thank you.
Best regards.