Clients are often placed on the attack-detection block list because of a high failure count.
Starting with SGOS 6.5.x, any HTTP response with a 4XX (except 401 and 407) or 5XX status code is considered a failure. The count is also increased by any policy_denied request, which is actually an HTTP response code of 403.
The solution is either to avoid counting 403 as a failure or to keep a higher failure limit in the attack-detection configuration. The sample policy below excludes 403 from the failure count.
; This rule disables attack detection when the proxy receives a 403 HTTP message from the destination server.
http.response.code=403 attack_detection.failure_weight(0)
; This rule disables attack detection for the requests where the proxy will send the policy denied exception.
exception.id=policy_denied attack_detection.failure_weight(0)
Note: If a user-defined exception is used instead of the default policy denied exception, replace the exception id "policy_denied" with "user_defined.exception_name", where exception_name is the name of the desired custom exception.
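To estimate which clients the sample policy would keep off the block list, the failure rule described above can be replayed over access-log records. This is an added example, not Symantec or ProxySG code. The record layout, the failure limit of 5, the default weight of 1 and the "reaches the limit" comparison are assumptions, and the time interval the appliance applies is ignored.

```python
from collections import Counter

# Constructed sample records: (client IP, HTTP status, exception id or None).
SAMPLE = (
    [("10.0.0.5", 403, "policy_denied")] * 5
    + [("10.0.0.5", 404, None), ("10.0.0.5", 200, None)]
    + [("10.0.0.9", s, None) for s in (401, 407, 200, 503)]
    + [("10.0.0.7", s, None) for s in (500, 500, 500, 500, 502)]
)

ASSUMED_DEFAULT_WEIGHT = 1  # assumption: weight of a failure with no policy


def is_failure(status):
    """Rule from the article: 4XX (except 401 and 407) and 5XX are failures."""
    if status in (401, 407):
        return False
    return 400 <= status <= 599


def failure_weight(status, exception_id, zero_weight_403):
    """Weight one response adds to its client's failure count."""
    if not is_failure(status):
        return 0
    # Mirrors the two sample rules: failure_weight(0) for a 403 response
    # and for the policy_denied exception.
    if zero_weight_403 and (status == 403 or exception_id == "policy_denied"):
        return 0
    return ASSUMED_DEFAULT_WEIGHT


def failure_totals(records, zero_weight_403):
    """Sum failure weights per client IP."""
    totals = Counter()
    for client, status, exception_id in records:
        totals[client] += failure_weight(status, exception_id, zero_weight_403)
    return totals


def over_limit(records, failure_limit, zero_weight_403):
    """Clients whose total reaches the (hypothetical) failure limit."""
    totals = failure_totals(records, zero_weight_403)
    return sorted(c for c, n in totals.items() if n >= failure_limit)


if __name__ == "__main__":
    for label, flag in (("default counting", False), ("403 weighted 0", True)):
        print(label, dict(failure_totals(SAMPLE, flag)), over_limit(SAMPLE, 5, flag))
```

With the constructed records, the client that was mostly denied by policy drops off the list once 403 is weighted 0, while the client generating 5XX responses is still counted.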