This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 90%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
requests blocked by the WAF are being forwarded to the backend API servers. How do you configure the backend pool or WAF to drop requests that are blocked by the WAF.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 59%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
I hade the same problem, it was resolved by adding a HSTS response header to the rewrite rules in agw:
strict-transport-security: max-age=63072000; includeSubDomains; preload
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 73%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Thanks for this Jimmy. I've also been having the problems (requests "blocked" by the AG/WAF are still passed to the back end).
Initial attempts with the HSTS response header appear to be working to overcome this (fairly glaringly large, imo) security hole.
However, I strongly suggest you change the post to not include the preload, and maybe have a much shorter max-age - see https://hstspreload.org/#deployment-recommendations - the issue being that preload will permanently put the site onto a HTTPS-only list, from which it is very hard to be removed. Instead, start with basic settings, and get them to research what the setting does.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Thank you for reaching out.
I understand you wish to drop the request when they are blocked by the WAF.
You achieve this by setting the WAF in prevention mode and then modifying the action to Block as shown in the screenshot below.
Hope this helps! Please let me know if the issue still persists. Thank you!
Thank you for your response, much appreciated.
However we use the anomaly score method otherwise there would be a lot more issues in the WAF for things like missing request headers so it does not seem practical in our environment and will yield the same result as outlined below.
We are getting the following results:
Customer record is edited and to test we insert a script into one of the address fields.
The WAF gives a message in the logs stating that the request was blocked because it picked up the script.
We go back into the customer record and the script is in the address field.
What I am struggling with is why if the WAF reports the request as blocked and the script still ends up in the database.
Using ChatGPT it made the following comment:
"Check the WAF configuration to ensure that it is set to block and terminate the connection for requests that violate the defined rules."
Is this a separate setting in Azure WAF do you know other than changing the ruleset to block? (which the WAF is doing anyway) or any other comments would be highly appreciated if someone has experienced the same WAF behaviour.
Thanks.
DEREK
Thank you for getting back and apologies for the delayed response here.
Based on your question above.
The WAF gives a message in the logs stating that the request was blocked because it picked up the script. We go back into the customer record and the script is in the address field. What I am struggling with is why if the WAF reports the request as blocked and the script still ends up in the database.
As you have set the WAF action anomaly score method, so ideally as documented here the action in WAF logs should be "Matched". If the action states "Blocked" the request should be blocked
I think a support request will be required in this case as support engineer can take a the backend logs and determine the root cause. If you have a support plan you may file a support ticket, else could you please refer to my private message here. Thanks!
Thanks I appreciate your feedback.
I think I will need to find a way to raise a ticket with support. As the anomaly score threshold was reached and the request was blocked I would have thought this action would terminate the connection and not post to the database. I would assume that if I change the actions under the rules to block this would cause quite a nightmare to administer. The funny thing is we have another domain being managed by the same WAF and the behaviour is as expected and nothing gets posted to the database.
It doesn't make sense to me.
Thank you for getting back. Please share the support ticket number with us in the private message for our tracking purposes. Thank you!
I have the exact same issue, was it resloved?