Add Exceptions

Use Exceptions when you identify a false-positive or false-negative event. A false-positive is a legitimate request that has been unexpectedly blocked. A false-negative is a non-legitimate request that has been authorized while it shouldn’t have.

With Qualys WAF you can flag an event as a false-positive. To do that, go to Events > Event List, select an event, click on the arrow and select “Mark as False positive”. Bear in mind this is a simple marker, it does not impact traffic processing behavior.

To create an exception, select an event, click on the arrow and select “Create exception” or select this option from the Actions menu when viewing an event.

Create exception option in the Quick Actions menu.

Exceptions are created in the form of custom rules.

Rule creation Exception wizard: exception rule name.

Rule details and conditions for the custom rule are auto populated based on the event. By default, the action for an exception is Allow or Block (the opposite of the original event's action).

Rule creation Exception wizard:  auto populated conditions for the exception rule.

Exceptions once created are linked to the web application. To view them, simply click View in the Quick Actions for a web application, and then click the Security pane.

Deleting an exception from WAF events list does not remove the associated WAF custom rule. You can use the custom rule in the future for similar web applications.