Ability to report false positive blocks

I tried the new "Malicious JA4 Fingerprint" feature. I found the false positive rate to be high. It blocks some requests from my local network that I know are not attacks. I would like to report the false positive logs that I notice with this new feature and other types of attacks. It would be nice to have a button in the Safeline web interface where we can report a false positive when reviewing an attack log or a blocking rule log.

Thank you for your suggestion — I’ve already passed it along to our product team.

Regarding the FP you found, could you share the specific JA4 fingerprints that were mistakenly blocked? This would help us investigate further

I am not an expert on JA4. Maybe there is a vulnerability or something similar in our users or services. However, I would appreciate it if you could take a look at the following:

t13d180800_4b22cbed5bed_7af1ed941c26

t13d1314h2_f57a46bbacb6_e42f34c56612

t13d1314h1_f57a46bbacb6_14788d8d241b

Those JA4 fingerprints are known to be associated with bot clients, such as Twitterbot and Facebook Bot.

Could you please clarify which clients are currently being mistakenly intercepted?

For detailed information about these JA4 fingerprints, you can search at https://intelligence.app.safepoint.cloud.

When I looked deeper into the network traffic, I found that a web-view request made through our iOS mobile app was causing this. The same website is not getting blocked by JA4 on mobile/desktop browsers or on android version of the app . When I spoke to the developers, they said that they use a special user-agent for iOS and that might be the cause. They will be making an update to fix this.

Thanks for your help.

Thank you for the kind words! I'm delighted I could help. Don't hesitate to contact me in the future.

You can now set up custom rules for JA4 fingerprint in v9.2.0.
If you want to exclude a fingerprint to access normally, you can set up a deny rule like this

Good news, thank you.