Customize Managed Rules

Satyam Chauhan 542 Reputation points
2024-07-16T10:03:37.0533333+00:00

Hi, I am using Application Gateway with WAF V2, and I am facing an issue with user input being blocked by WAF managed rules. The backend application allows users to enter special characters, but the request is getting blocked by the WAF.

More specifically, if a user enters text containing "- " (a hyphen followed by a space), it is blocked. There are other similar cases as well.

Please help me identify which managed rule is responsible for this and how I can fix it.

Azure Web Application Firewall

1 answer

  1. KapilAnanth-MSFT 41,156 Reputation points Microsoft Employee
    2024-07-16T10:57:28.4766667+00:00

    @Satyam Chauhan ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your description, you want to know which WAF rule is blocking the requests to your Application Gateway.

    You can use the Firewall log to identify which rule actually got triggered.

    • The ruleSetType, ruleSetVersion and ruleId parameters would confirm the exact rule that blocked the request.
    • To enable Firewall logs, follow: Enable logging through the Azure portal
    • Once enabled, after a few minutes, navigate to App Gateway -> Logs (from the sidebar)

    Query:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"

    Once identified, you have 3 ways to work around this:

    1. Disable the managed rule: Disable rule groups and rules
    2. Create an exclusion list
      1. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
    3. Use custom rules which have a higher priority than managed rules
      1. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules have an action (to allow or block), a match condition, and an operator to allow full customization.

    Methods #2 and #3 require you to validate what part of your request is triggering the WAF managed rule and create an Exclusion or Custom Rule to bypass it accordingly.

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil



    1 person found this answer helpful.
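Added example, not part of the original answer: a Python sketch that reads exported firewall log records, finds the transactions that ended in a Blocked action, and lists the ruleSetType, ruleSetVersion and ruleId of every rule that matched in them, plus the request variable involved, so an exclusion can be scoped to that one attribute. The records are constructed, the rule ids and version are placeholders, and the "found within <variable>" wording in details.data is an assumed layout; correlating on transactionId matters because in anomaly-scoring mode the Blocked record can name the score-threshold rule rather than the rule that matched the input.

```python
import json
import re
from collections import defaultdict

# Constructed records (not real traffic). Rule ids and version are placeholders;
# the "found within <variable>" text in details.data is an assumed layout.
SAMPLE_LOG = """\
{"properties":{"transactionId":"t1","action":"Matched","ruleSetType":"OWASP","ruleSetVersion":"x.y","ruleId":"RULE-A","requestUri":"/notes","details":{"data":"Matched Data: -  found within ARGS:comment: todo - milk"}}}
{"properties":{"transactionId":"t1","action":"Matched","ruleSetType":"OWASP","ruleSetVersion":"x.y","ruleId":"RULE-B","requestUri":"/notes","details":{"data":"Matched Data: -  found within ARGS:comment: todo - milk"}}}
{"properties":{"transactionId":"t1","action":"Blocked","ruleSetType":"OWASP","ruleSetVersion":"x.y","ruleId":"SCORE-RULE","requestUri":"/notes","details":{"data":""}}}
{"properties":{"transactionId":"t2","action":"Matched","ruleSetType":"OWASP","ruleSetVersion":"x.y","ruleId":"RULE-C","requestUri":"/health","details":{"data":"Matched Data: curl found within REQUEST_HEADERS:User-Agent: curl/8"}}}
"""

# Captures e.g. ARGS:comment or REQUEST_HEADERS:User-Agent from details.data.
VARIABLE = re.compile(r"found within ([A-Z_]+(?::[^:\s]+)?)")


def rules_behind_blocks(log_text):
    """Map each blocked transaction to the rules that matched inside it."""
    by_tx = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            props = json.loads(line)["properties"]
            by_tx[props["transactionId"]].append(props)

    blocked = {}
    for tx, records in by_tx.items():
        # Transactions with no Blocked record were let through; skip them.
        if not any(r["action"] == "Blocked" for r in records):
            continue
        matches = []
        for r in records:
            if r["action"] != "Matched":
                continue
            found = VARIABLE.search(r.get("details", {}).get("data", ""))
            matches.append((r["ruleSetType"], r["ruleSetVersion"], r["ruleId"],
                            found.group(1) if found else None))
        blocked[tx] = {"requestUri": records[0]["requestUri"], "matches": matches}
    return blocked


def exclusion_candidates(blocked):
    """Group matched rule ids by request variable across blocked transactions."""
    by_var = defaultdict(set)
    for info in blocked.values():
        for _, _, rule_id, variable in info["matches"]:
            if variable:
                by_var[variable].add(rule_id)
    return {var: sorted(ids) for var, ids in by_var.items()}
```

An exclusion built from this output should name only the listed variable and rules, so the rest of the request keeps being evaluated.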