
Why does my AWS WAF custom rule not work?


I created a custom AWS WAF rule, but it doesn't work as expected. I want to troubleshoot the issue.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

If your custom AWS WAF rule doesn't work as expected, then check the following configurations.

Rule priority

Check that you configured your custom rule at the correct priority. AWS WAF evaluates rules in numeric order and then stops at the first rule that has an Allow, Block, or CAPTCHA terminating action. If your custom rule has a higher numeric priority than the terminating rule, then AWS WAF doesn’t evaluate the request against the custom rule. For more information, see How AWS WAF handles rule and rule group actions in a web ACL.

To check which rule terminates the request, review the WAF logs or sampled requests. Check the terminatingRuleId field in the log entries to see the exact rule that matched and stopped further evaluation. For more information, see the Use the AWS WAF logs section in Why does AWS WAF block my request or respond with a 403 Forbidden error?

For example, you create a custom Allow rule to allow a request that an AWS Managed Rules rule group blocked. You must lower the numeric priority of your custom rule so that it's evaluated before the AWS Managed Rules rule group.

You can use the AWS WAF console to update your rule priority. You can also use the UpdateWebACL or UpdateRuleGroup API calls to update your rule priority. Or, you can run the update-web-acl or update-rule-group AWS CLI commands.

Text transformation

If you use text transformations in your custom rule, then check that you correctly implemented them for your use case.

AWS WAF applies the transformation and then inspects the request. If you specify more than one transformation, then AWS WAF processes them in the order listed. If you use multiple transformations in your custom rule, then you must verify the order of transformation. For more information, see Using text transformations in AWS WAF.

For example, you create a custom rule to perform a Base64 decode and a URL decode on a string in the query. AWS WAF first performs the Base64 decode of the query string on the inbound request. Then, AWS WAF performs a URL decode on the resulting string. Finally, AWS WAF inspects the resulting string against the string that you provide in your custom rule configuration.

Boolean logic

If you use logical rule statements, then use Boolean logic to verify that the AND, OR, or NOT logic in your custom rule is correct.

For example, you create a custom rule that matches requests that have the /test URI and a source IP address in IP set X.

Example request 1 has the /test URI (Boolean 1). The request's IP address isn't in IP set X (Boolean 0). Boolean 1 and Boolean 0 result in Boolean 0, so the request doesn't match your custom rule.

Example request 2 has the /test URI (Boolean 1). The request's IP address is in IP set X (Boolean 1). Boolean 1 and Boolean 1 result in Boolean 1, so the request matches your custom rule.

Example request 3 doesn't have the /test URI (Boolean 0). The request's IP address isn't in IP set X (Boolean 0). Boolean 0 and Boolean 0 result in Boolean 0, so the request doesn't match your custom rule.

If the action for the custom rule is Block, then the rule blocks only example request 2.
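The following added example (not AWS code) models the three checks above in plain Python: priority-ordered evaluation that stops at the first terminating action, transformations applied in the listed order, and the AND rule evaluated against the three example requests. The rule names, IP set range, and the managed rule group's match condition are constructed placeholders.

```python
import base64
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

TERMINATING = {"ALLOW", "BLOCK", "CAPTCHA"}  # actions that stop evaluation

def apply_transformations(value, transformations):
    """Apply text transformations in the order listed, as AWS WAF does."""
    for name in transformations:
        if name == "BASE64_DECODE":
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif name == "URL_DECODE":
            value = unquote(value)
        else:
            raise ValueError(f"unsupported transformation: {name}")
    return value

def in_ip_set(addr, ip_set):
    return any(ip_address(addr) in ip_network(cidr) for cidr in ip_set)

def evaluate(rules, request):
    """Rules are (priority, rule_id, action, match) tuples; match is a predicate.
    Returns the terminatingRuleId and action, like the fields in the WAF log."""
    for _priority, rule_id, action, match in sorted(rules, key=lambda r: r[0]):
        if action in TERMINATING and match(request):
            return rule_id, action
    return "Default_Action", "ALLOW"  # web ACL default action assumed to be Allow

# Constructed sample web ACL: a stand-in for a managed rule group that blocks
# /test (hypothetical match condition), and the custom Allow rule from the page.
IP_SET_X = ["203.0.113.0/24"]
MANAGED_BLOCK = (1, "ManagedRuleGroupStandIn", "BLOCK", lambda r: r["uri"] == "/test")
CUSTOM_ALLOW = (2, "AllowTestFromIpSetX", "ALLOW",
                lambda r: r["uri"] == "/test" and in_ip_set(r["ip"], IP_SET_X))

def priority_demo():
    """Custom rule at priority 2 is never reached; moving it to 0 fixes that."""
    req = {"uri": "/test", "ip": "203.0.113.7"}
    before = evaluate([MANAGED_BLOCK, CUSTOM_ALLOW], req)
    after = evaluate([MANAGED_BLOCK, (0,) + CUSTOM_ALLOW[1:]], req)
    return before, after

def transformation_demo():
    """Order matters: Base64 then URL decode yields the plaintext to match on."""
    encoded = base64.b64encode(b"hello%20world").decode()  # constructed query value
    right = apply_transformations(encoded, ["BASE64_DECODE", "URL_DECODE"])
    wrong = apply_transformations(encoded, ["URL_DECODE", "BASE64_DECODE"])
    return right, wrong

def boolean_demo():
    """The page's three example requests against the URI AND IP-set rule."""
    match = CUSTOM_ALLOW[3]
    return [match({"uri": "/test", "ip": "198.51.100.1"}),
            match({"uri": "/test", "ip": "203.0.113.7"}),
            match({"uri": "/other", "ip": "198.51.100.1"})]
```

Comparing the `terminatingRuleId` returned by `evaluate` before and after the priority change mirrors what you should see in the WAF logs once the custom rule is moved ahead of the managed rule group.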

Related information

Processing order of rules and rule groups in a web ACL

AWS OFFICIAL. Updated 2 months ago.