more than 12K or 18K URL under block for particular rule like SQLI or XSS how can we make false positive by custom or exculsion

Question

Result of latest scan on application associated with AFD-WAF, we observed for reach rule blocked under SQLI and XSS are more than 12 K URLs, and all are under blockage because of just one or more char like ",: etc. which are must required part of each request like Jason body or payload. but no provision to update the Jason for underlying rule to overcome the false positive or its difficult add custom rule or exclusion for all the blocked URL or the blocked variable keys. please suggested us best way to overcome the blockages ins short span.

Answer 1

@Parmeshwar Mukhede ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to tune your App gateway WAF.

Every application has it's own requirement and you have to Tune your WAF according to the requirement.

• The general practice is that start out with prevention mode and log the requests and rules that are "Matched"
• Then you can either
  • Disable the Rule - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#tuning-of-managed-rule-sets
  • Create Exclusions - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal
  • Create custom rules - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview
    to overcome the false positives.

Hope this helps.

Cheers,

Kapil