[WAF] Update managed rules troubleshooting (cloudflare#24670)

---------

Co-authored-by: Jun Lee <[email protected]>

Author: pedrosousa

public/__redirects

@@ -1633,6 +1633,7 @@
 /waf/reference/migration-guides/old-rate-limiting-deprecation/ /waf/reference/legacy/old-rate-limiting/upgrade/ 301
 /waf/reference/migration-guides/waf-managed-rules-migration/ /waf/reference/legacy/old-waf-managed-rules/upgrade/ 301
 /waf/reference/migration-guides/firewall-rules-to-custom-rules/ /waf/reference/legacy/firewall-rules-upgrade/ 301
+/waf/managed-rules/handle-false-positives/ /waf/managed-rules/troubleshooting/ 301
 
 # waiting-room
 /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301

src/content/docs/waf/get-started.mdx

@@ -45,7 +45,7 @@ The [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed
 
 By default, the Cloudflare Managed Ruleset enables only a subset of rules and it is designed to strike a balance between protection and false positives. You can review and enable additional rules based on your application technology stack.
 
-In particular situations, enabling the managed ruleset can cause some false positives. False positives are legitimate requests inadvertently mitigated by the WAF. For information on addressing false positives, refer to [Handle false positives](/waf/managed-rules/handle-false-positives/).
+In particular situations, enabling the managed ruleset can cause some false positives. False positives are legitimate requests inadvertently mitigated by the WAF. For information on addressing false positives, refer to [Troubleshoot managed rules](/waf/managed-rules/troubleshooting/#handle-false-positives).
 
 If you are testing the WAF against pentesting tools, it is recommended that you enable all rules by using the following ruleset configuration:
 
@@ -69,7 +69,6 @@ If you are an Enterprise customer, do the following:
 1. Reach out to your account team to get access to WAF attack score.
 
 2. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the <GlossaryTooltip term="attack score">Attack Score</GlossaryTooltip> field:
-
    - **If incoming requests match**:
 
      | Field            | Operator  | Value |
@@ -89,7 +88,6 @@ Bot score is only available to Enterprise customers with [Bot Management](/bots/
 Customers with access to [Bot Management](/bots/get-started/bot-management/) can block automated traffic (for example, from [bots scraping online content](https://www.cloudflare.com/learning/bots/what-is-content-scraping/)) using a custom rule with bot score, preventing this traffic from hitting your application.
 
 1. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the <GlossaryTooltip term="bot score">Bot Score</GlossaryTooltip> and <GlossaryTooltip term="verified bot">Verified Bot</GlossaryTooltip> fields:
-
    - **If incoming requests match**:
 
      | Field        | Operator  | Value | Logic |

src/content/docs/waf/managed-rules/handle-false-positives.mdx

@@ -0,0 +1,69 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshoot managed rules
+sidebar:
+  order: 4
+  label: Troubleshooting
+---
+
+import { RuleID } from "~/components";
+
+By default, WAF's managed rulesets are compatible with most websites and web applications. However, false positives and false negatives may occur:
+
+- **False positives**: Legitimate requests detected and mitigated as malicious.
+- **False negatives**: Malicious requests that were not mitigated and reached your origin server.
+
+## Troubleshoot false positives
+
+You can use [Security Events](/waf/analytics/security-events/) to help you identify what caused legitimate requests to get blocked. Add filters and adjust the report duration as needed.
+
+If you encounter a false positive caused by a managed rule, do one of the following:
+
+- **Add an exception**: [Exceptions](/waf/managed-rules/waf-exceptions/) allow you to skip the execution of WAF managed rulesets or some of their rules for certain requests.
+
+- **Adjust the OWASP managed ruleset**: A request blocked by the rule with ID <RuleID id="6179ae15870a4bb7b2d480d4843b323c" /> and description `949110: Inbound Anomaly Score Exceeded` refers to the [Cloudflare OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/). To resolve the issue, [configure the OWASP managed ruleset](/waf/managed-rules/reference/owasp-core-ruleset/configure-dashboard/).
+
+- **Disable the corresponding managed rule(s)**: Create an override to disable specific rules. This may avoid false positives, but you will also reduce the overall site security. Refer to the [dashboard instructions](/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset) on configuring a managed ruleset, or to the [API instructions](/ruleset-engine/managed-rulesets/override-managed-ruleset/) on creating an override.
+
+:::note
+If you contact Cloudflare Support to verify whether a WAF managed rule triggers as expected, [provide a HAR file](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while sending the specific request of concern.
+:::
+
+### Additional recommendations
+
+- If one specific rule causes false positives, disable that specific rule and not the entire ruleset.
+
+- For false positives with the administrator area of your website, add an [exception](/waf/managed-rules/waf-exceptions/) disabling a managed rule for the admin section of your site resources. You can use an expression similar to the following:
+
+  `http.host eq "example.com" and starts_with(http.request.uri.path, "/admin")`
+
+## Troubleshoot false negatives
+
+To identify false negatives, review the HTTP logs on your origin server.
+
+To reduce false negatives, use the following checklist:
+
+- Are DNS records that serve HTTP traffic [proxied through Cloudflare](/dns/proxy-status/)?<br/>
+  Cloudflare only mitigates requests in proxied traffic.
+
+- Have you deployed any of the [WAF managed rulesets](/waf/managed-rules/#available-managed-rulesets) in your zone?<br/>
+  You must [deploy a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#deploy-a-managed-ruleset) to apply its rules.
+
+- Are Managed Rules being skipped via an [exception](/waf/managed-rules/waf-exceptions/)?<br/>
+  Use [Security Events](/waf/analytics/security-events/) to search for requests being skipped. If necessary, adjust the exception expression so that it matches the attack traffic that should have been blocked.
+
+- Have you enabled any necessary managed rules that are not enabled by default?<br/>
+  Not all rules of WAF managed rulesets are enabled by default, so you should review individual managed rules.
+  - For example, Cloudflare allows requests with empty user agents by default. To block requests with an empty user agent, enable the rule with ID <RuleID id="b57df4f17f7f4ea4b8db33e20a6dbbd3"/> in the Cloudflare Managed Ruleset.
+  - Another example: If you want to block unmitigated SQL injection (SQLi) attacks, make sure the relevant managed rules tagged with `sqli` are enabled in the Cloudflare Managed Ruleset.
+
+  For instructions, refer to [Configure a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset).
+
+- Is the attack traffic matching a custom rule [skipping all Managed Rules](/waf/custom-rules/skip/)?<br/>
+  If necessary, adjust the custom rule expression so that it does not apply to the attack traffic.
+
+- Is the attack traffic matching an allowed ASN, IP range, or IP address in [IP Access rules](/waf/tools/ip-access-rules/)?<br/>
+  Review your IP Access rules and make sure that any allow rules do not match the attack traffic.
+
+- Is the malicious traffic reaching your origin IP addresses directly, therefore bypassing Cloudflare protection?<br/>
+  Block all traffic except from [Cloudflare's IP addresses](/fundamentals/concepts/cloudflare-ip-addresses/) at your origin server.