A website we host uses ShipStation for order fulfilment. The WAF was blocking some of their API requests when the post had XML in the body. The post request triggers quite a lot of rules actually. Because we trust the request and we need the data I added a Firewall rule to whitelist the user agent ShipStation. According to the logs these requests are getting a Challenge page now.
This is the simple rule I’ve set up:
I would show an image of it not working but I’m only allowed to add one. Essentially the event details in the firewall logs show the User Agent to be ShipStation, and the Action Taken to be Challenge.
Any GET requests with that user agent which don’t trigger other WAF rules show up in the event logs as a Firewall Rule with allow as the action taken.
I would expect the rule I created to allow the request. Any advice on how I can make this work?