WAF mandatory rule blocking my user registration using Google or Facebook: is there any way to disable the mandatory rule?

Jerin Joy 26 Reputation points
2021-02-04T16:03:00.74+00:00

{
  "timeStamp": "2021-01-29T11:03:40+00:00",
  "resourceId": "/SUBSCRIPTIONS/0000000000-0000000-0000000-000/RESOURCEGROUPS/resourcegroup/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAF-GATEWAY",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_2",
    "clientIp": "103.151.000.00",
    "clientPort": "",
    "requestUri": "/api/auth-processor/Google",
    "ruleSetType": "OWASP_CRS",
    "ruleSetVersion": "3.0.0",
    "ruleId": "949110",
    "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 28)",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. ",
      "data": "",
      "file": "rules/REQUEST-949-BLOCKING-EVALUATION.conf",
      "line": "57"
    },
    "hostname": "www.googoggo.com",
    "transactionId": "9b8a3d7023bf1d90b13660c1b788f05f",
    "policyId": "default",
    "policyScope": "Global",
    "policyScopeName": "Global"
  }
}

Azure Application Gateway
Azure Web Application Firewall

4 answers

  1. SaiKishor-MSFT 17,156 Reputation points
    2021-02-05T06:43:05.567+00:00

    @Jerin Joy Mandatory rules cannot be disabled, as they are triggered after the anomaly score has been reached. However, here are a few things that you can do:

    Create Exclusions in order to "bypass" the rule itself -->Web application firewall request size limits and exclusion lists in Azure Application Gateway - Azure portal | Microsoft Learn

    Create custom rules --> https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    Custom rules will have higher priority over OWASP rules, so they will be processed first.

    Disable/untick specific rules/ details --> CRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn

    Hope this helps. Please let us know if you still have further questions/concerns and we will be glad to assist further. Thank you!

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. Sergio Rivas 1 Reputation point
    2022-08-31T06:59:31.77+00:00

    Hello,

    I have the same problem with the rule with id 949110. In my case the message is Greater and Equal to Tx: Inbound_anomaly_score_threshold at TX:anomaly_score.

    If I try to view this rule, I can't find it in the WAF rules policy, and because of that I can't deactivate it.

    Also, I can't create an exclusion rule because "Applies to" can only be "Global" in my case

    and I don't know what exactly 949110 is blocking, so that I could exclude it with an operator...

    The other alternative is custom rules, but I have the same problem because I don't know what exactly rule 949110 is blocking.

    Does anyone have an idea how to deactivate or exclude that rule?

    Thanks!


  3. Sergio Rivas 1 Reputation point
    2022-08-31T07:29:54.17+00:00

    Hi jerinjoy-2396,

    Thanks for your help.

    I just have the diagnostic settings enabled like this:

    An interesting thing is that in "Web application firewall", when I change from "prevention" to "detection", I see this message: "To view your detection logs, you must have diagnostics enabled." But, as in the image, diagnostics are enabled.

    Does anyone have an idea?


  4. Sergio Rivas 1 Reputation point
    2022-08-31T10:15:12.63+00:00

    Thanks jerinjoy-2396.

    Now I have more info. The rule that is matching is 920140 - Multipart request body failed strict validation

    Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IH 0, FLE 0

    What do these validations mean? I am doing a PUT request to upload an image with Content-Type: multipart/form-data

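Added example, not part of the thread and not Microsoft tooling: rule 949110 only records that the anomaly score crossed the threshold, so the rules that actually contributed the score are the other firewall log entries sharing the same transactionId, which is how the last answer arrived at 920140. The sketch below groups log records by transactionId and lists those rules for each blocked request; the sample records, the one-JSON-record-per-line layout and the function name are assumptions.

```python
import json
from collections import defaultdict

BLOCKING_RULE = "949110"  # anomaly-score evaluation rule seen in the question's log

# Constructed sample: one JSON record per line (assumed layout), using the
# field names from the log in the question. Ids and URIs are made up.
SAMPLE_LOG = """\
{"properties": {"transactionId": "tx-0001", "requestUri": "/api/upload", "ruleId": "920140", "action": "Matched", "message": "Multipart request body failed strict validation"}}
{"properties": {"transactionId": "tx-0001", "requestUri": "/api/upload", "ruleId": "949110", "action": "Blocked", "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 5)"}}
{"properties": {"transactionId": "tx-0002", "requestUri": "/api/health", "ruleId": "920300", "action": "Matched", "message": "Request Missing an Accept Header"}}
this line is not JSON and is skipped
"""


def rules_behind_blocks(log_text):
    """Return {transactionId: {"requestUri": ..., "rules": [(ruleId, message)]}}
    for every transaction that BLOCKING_RULE blocked."""
    by_tx = defaultdict(list)
    for line in log_text.splitlines():
        try:
            props = json.loads(line)["properties"]
            by_tx[props["transactionId"]].append(props)
        except (ValueError, KeyError, TypeError):
            continue  # blank, malformed, or not a firewall record

    report = {}
    for tx, entries in by_tx.items():
        blocked = any(e.get("ruleId") == BLOCKING_RULE and e.get("action") == "Blocked"
                      for e in entries)
        if not blocked:
            continue  # rules matched, but the score never reached the threshold
        report[tx] = {
            "requestUri": entries[0].get("requestUri"),
            # Everything except 949110 itself is a candidate for an exclusion
            # or for disabling in the managed rule set.
            "rules": [(e.get("ruleId"), e.get("message", ""))
                      for e in entries if e.get("ruleId") != BLOCKING_RULE],
        }
    return report


if __name__ == "__main__":
    for tx, info in rules_behind_blocks(SAMPLE_LOG).items():
        print(tx, info["requestUri"])
        for rule_id, message in info["rules"]:
            print("   ", rule_id, message)
```
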