AWAF false-positive triage
The flip side of the poisoning estimator: relax a genuine Advanced WAF false positive correctly, with scope, and stop before relaxing a real attack. Pick a violation category, its average violation rating, and whether it is enforced, staged, or transparent, and get F5's rating-based verdict and the scoped fix. Runs entirely in your browser.
Security & WAFThe violation you are triaging
Computed in your browser. Nothing is sent.
A deterministic model of F5's documented triage behaviour, not a probe. Read the violation, rating, and enforcement state from the request in Security > Event Logs > Application > Requests. It never contacts a BIG-IP.
Likely a false positive
Not blocking (logged only)If you confirm it is legitimate, apply the scoped fix below (or accept the learning suggestion).
Scoped remediation (if it is a confirmed false positive)
- Disable the specific signature on the specific URL or parameter only, never for the whole policy.
- Add the URL or parameter as an allowed entity so the check is bypassed just there.
- Enable Potential False Positive Detection so the system learns request similarity and treats requests like the majority as benign, flagging outliers.
- Put the signature (back) into staging so it logs but does not block while you gather more traffic.
Keep in mind
- For attack-signature false positives, Potential False Positive Detection is the lightest-touch option: it lets the system decide by traffic similarity instead of you hand-disabling signatures.
- Always scope the fix to the specific URL or parameter. Disabling a signature or violation policy-wide trades one false positive for a blind spot everywhere else.
- The rule that governs all of this: relax the policy only where a false positive actually occurred, never where a real attack caused the violation.
API endpointGEThttps://ronutz.com/api/v1/f5-awaf-false-positive-triageDocumented, not served. Opens the specification.
References
- F5 K70544352: Reducing false positive violations
- F5 BIG-IP ASM/Advanced WAF: Working with Violations (violation rating -> block behaviour; rating 4-5 blocks even with Block off; unlearnable rating-5 set)
- F5 BIG-IP ASM: Refining Security Policies with Learning (accept vs clear by rating; relax only genuine false positives)
- F5 K13050156: Policy tuning and enhancement