
Can you see the Firewall Rule that was triggered on Azure …
Jul 4, 2019 · We're using the Application Gateway WAF in prevention mode and it's blocking some of our Mobile App Client requests. I switched the WAF into Detection mode and output the logs to Log Analytics. I can see some information about the requests being made and the WAF being triggered, but can't see which rule was triggered.
Azure WAF exclusion, what's the difference between …
Jan 8, 2025 · By referring to MSDoc, it is clearly mentioned that the RequestArgNames & RequestArgValues work in the same way in request attributes under WAF match exclusions as given below. Request attributes by names work the same way as request attributes by values and are included for backward compatibility with CRS 3.1 and earlier versions.
Allow access to robots.txt in Azure Web application Firewall
Mar 4, 2024 · In the Azure portal, navigate to your WAF policy. Select Rules engine, then select Custom rules. Select Add. In the Add custom rule page, enter a name for the rule. Under Match conditions, select String; In the match values put the URI path, and set other parameters accordingly; Select Add. Select Save.
Azure Application Gateway WAF with False Positive on SQL Injection
To do this in Azure, go to the rules in the Web application firewall section. In my case I use OData, which was identified by WAF as a vulnerability; the solution was to disable the rule "942360 - Detects concatenated basic SQL injection and SQLLFI attempts" and that's it.
WAF - 200003 Multipart Request Body Strict Validation
May 20, 2022 · I have an application that was making a call to Azure Application Gateway and it was failing when the following rule was enforced: RuleId: 200003 Description: Multipart Request Body Strict Validation. The call was to a PUT endpoint, passing 2 files in the body.
Azure Front door WAF policy Microsoft_DefaultRuleSet-2.0 …
Jun 15, 2023 · To evaluate if these are false positives you'll need to look at several things. An Azure Front Door log entry with the field "ruleName_s" of "Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110" and an "action_s" of "Block" follows one or more log entries with an "action_s" of "AnomalyScoring".
Newest 'azure-waf' Questions - Stack Overflow
We are using Azure Application Gateway with WAF. We have configured a timeout of 3600 seconds, and we performed the following scenario with Azure WAF and without WAF: With Azure: The application runs ...
azure application gateway - How to create WAF exclusion for …
Nov 4, 2022 · It is possible to create a WAF exclusion for specific HTTP header values. I have created the Application Gateway WAF policy. I have created the Azure WAF policy rule for a specific example. Click on managed identity in the policies, click on Add exclusions and click on add rules, search for headers which we have to add rules and click on confirm ...
Azure Application Gateway file upload limits - Stack Overflow
Feb 5, 2020 · WAF enabled via 'Application Gateway WAF policy' resource (this is a separate resource) and OWASP 3.2 policy with 'Inspect request body' checked and with value 4000 on 'Max file upload size (MB)': 4GB - but only when your request has the Content-Type set to multipart/form-data, this will recognize it as a file upload (I've tested a bunch of ...
Azure App Gateway configuration for approved header list
Nov 11, 2024 · Additionally, WAF Exclusion Lists allow you to exempt certain headers from being blocked or inspected, which doesn’t directly act as an "allow list" but enables selective filtering. Check these out for better clarity: Azure Web Application Firewall (WAF) v2 custom rules on Application Gateway | Microsoft Learn