Signs and Symptoms:
Your website has been running smoothly without WAF enabled. However, upon enabling WAF, certain parts of the site either malfunction or fail to load properly.
When attempting to load the website, certain URLs result in an HTTP 506 error.
Recommended Quick Solution:
- First, identify the address(es) encountering the error. Use any of the following methods:
  - Using the browser:
    - This method is applicable only when WAF is active and blocking, not in Detection Only mode.
    - Press the F12 key in your browser to open the Developer Tools section.
    - Select the Network tab.
    - Ensure that the Persist Logs option is selected.
    - Make sure that no filters are applied.
    - Open the page with the error or run the scenario that produces the error (e.g., login).
    - Look for pages with HTTP Status 506 (you can filter using the term ‘506’, but ensure that the Status column has the value of 506).
    - Exclude the addresses of these pages. In this case, skip step two (verifying if it’s a false alert) and proceed directly to step three.
  - Using the panel report:
    - In the panel, open the WAF reports section and choose URL type reports.
    - Pages with a high number of matches are likely to be false alerts.
    - Please note that if a scanner or an attack hits the website during the investigation period, the corresponding logs will also appear in this report, and it is essential to remove them from the list.
    - This method is effective in both WAF-enabled and Detection Only modes.
- Ensure that the WAF detection was a false alert in these cases:
  - Verify that the exceptions you are about to define are not actual attacks, but false alerts that resulted from normal system usage.
  - Pay attention to the following signs:
    - Focus on the detections made by known users or those that you can reproduce yourself.
    - Collaborate with someone familiar with the system to review the selected addresses.
    - Additionally, perform the same scenario yourself to check whether it triggers an alert.
  - Note that an address may be normal and clean, but the detection might be related to content (such as headers or cookies) sent by an attacker. During the investigation, don’t consider only the validity of the address; also investigate the cause of the detection more thoroughly.
- Exclude the routes using the Page Rule.
  - To do this, follow these steps:
    - Open the Page Rule section in the panel.
    - Create a new rule that matches one or more addresses.
      - The character ‘*’ represents any number of characters except a slash (/).
      - The character ‘**’ represents any number of characters, including a slash (/).
    - In the specified rule, deactivate the WAF status by setting it to OFF.
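Because a Page Rule with WAF set to OFF removes protection from every address it matches, it helps to check a candidate pattern before saving it. The following is an added example, not the panel's own code: it implements the ‘*’ and ‘**’ semantics described above and reports which confirmed false-alert paths a pattern misses and which paths that must stay protected it would switch off. It assumes the pattern is matched against the whole URL path; all paths are constructed sample data.

```python
import re

def rule_to_regex(pattern):
    """Translate a Page Rule pattern into an anchored regex (anchoring is an assumption).
    '**' matches any characters including '/', '*' matches any characters except '/'."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def rule_matches(pattern, path):
    return rule_to_regex(pattern).match(path) is not None

def coverage(pattern, false_alerts, must_stay_protected):
    """Return (false-alert paths the rule misses, protected paths it would turn WAF off for)."""
    missed = [p for p in false_alerts if not rule_matches(pattern, p)]
    exposed = [p for p in must_stay_protected if rule_matches(pattern, p)]
    return missed, exposed

def pick_rule(candidates, false_alerts, must_stay_protected):
    """First candidate that covers every false alert and exposes nothing else."""
    for pattern in candidates:
        if coverage(pattern, false_alerts, must_stay_protected) == ([], []):
            return pattern
    return None

# Constructed sample data: paths confirmed as false alerts in step two,
# and paths where WAF must remain ON.
FALSE_ALERTS = ["/app/editor/save", "/app/editor/preview"]
PROTECTED = ["/app/login", "/app/editor/plugins/upload", "/app/admin/users"]
CANDIDATES = ["/app/**", "/app/*", "/app/editor/**", "/app/editor/*"]

if __name__ == "__main__":
    for pattern in CANDIDATES:
        missed, exposed = coverage(pattern, FALSE_ALERTS, PROTECTED)
        print(f"{pattern:18} missed={missed} exposed={exposed}")
    print("narrowest safe rule:", pick_rule(CANDIDATES, FALSE_ALERTS, PROTECTED))
```

On this sample data only `/app/editor/*` covers both false alerts without disabling WAF on a deeper or unrelated path.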
The Root Cause of the Problem:
The WAF mechanism is designed to detect web-based attacks. Some systems may trigger false alerts because they have features whose requests the WAF considers suspicious. Configuring the WAF for proper operation is essential to address these false alerts and ensure its effective functioning.