Azure Web Application Firewall

WAF Log Scrubbing XML payloads

Hi, First poster here. I have a SOAP API that is behind an APP GW with WAF and then an APIM. Some of the payloads are triggering built in WAF rules and causing logs to be recorded. I have configured the log scrubbing to target the named properties inside…

Need to exclude specific string that could appear in multiple URLs for Azure WAF.

We use different advertisements that refer to pages on our website. When the third party puts the link on their site it modifies the URL and adds a specific string to the referring URL that is currently being blocked by Azure WAF. It is always firing…

How would TLS inspection work with WAF enabled App Gateway and Azure Firewall?

Hi, I have been struggling with this from a while now. Our design has WAF enabled App gateway for incoming HTTP / HTTPS traffic from internet and then have Azure Firewall behind it. Have couple of queries for which I need assistance: 1: Does WAF has…

Azure FrontDoor WAF rate limit unexpected behavior

Hi, recently I configured WAF on Azure FrontDoor, but I noticed that the “rate limit” feature not working as expected. I have 2 rules configured with “rate limit”: Then I used the following batch script to make requests to my URL: @echo…

Allow-Access-Control-Origin Error on Web App

Hey everyone. I may be missing something simple, but here's one for you guys! Turning on App Gateway WAF Policy with a custom rule for geo location match. Essentially just to deny any traffic outside of select countries. Without this WAF Policy turned…

How to remove WAF policy safely.We have an AKAMAI device before the App GW and do not need WAF capability anymore.What is the safest way to do so.

How to remove WAF policy safely or disassociate WAF policy . We have an AKAMAI device before the App GW in our environment hence we do not need WAF capability anymore. What is the safest way to do so. Also can I do it via portal and if I am doing it via…

Need assistance to resolve waf rule " Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"

Hi We need assistance in resolving an issue with the WAF while loading the following application URL. The web application is calling the API to load the application. Please find the URL and the error message below for reference. Please need assistance…

In "Application Gateway WAF policy" resources cannot select "Rate limit" rule type in custom rules. Only "Match" available.

Hi, In "Application Gateway WAF policy" resources cannot select "Rate limit" rule type in custom rules. Only "Match" available. I want to configure rate-limit rules in my WAF for Application Gateway. I have a bunch of…

I am getting request such as "~^.*\.mywebsite\.com$" on my azure application gateway. This causes "ERRORINFO_REQUEST_URI_INVALID" error. How do i prevent invalid requests at the Azure WAF2 level?

Recently, we are getting a lot of requests such as "~^.*.mywebsite.com$" and it gets logged in the Application Gateway as "ERRORINFO_REQUEST_URI_INVALID". We would like to prevent such wildcard requests at the Web Application…

going with the application gateway in fornt of azure firewall does it lose the benefit of l7 load balancing

I have an Azure firewall in a hub and spoke architecture, and one of the spokes contains my web servers, for HTTPS filtering I have an application gateway with the WAF feature and l7 load balancing. I have a requirement to keep centralized security…

Requests get blocked in WAF with ERRORINFO_NO_ERROR

In Azure, I have an application gateway with web application firewall. Recently, requests from end users have been blocked with http status 403 Forbidden. They're perfectly normal requests, and I see no reason why they should be blocked. In de logs, the…

WAF 2 does not prevent script attack

I have integrated a web application firewall (2) with the application gateway in Prevention mode. However, when I attempt to create a record using FirstName as script tag, the record is successfully created. Ideally, this action should be blocked.…

Request blocked by Microsoft_DefaultRuleSet-2.1-SQLI-942120 for russian language

When we try to submit the leads in our website We figured out that for Russian language characters Azure Front door firewall rule(942120 - SQL Injection Attack: SQL Operator Detected) was blocking the requests. Below is the screenshot of how we find it…

How to fix blocked:mixed-content error on Application Gateway?

I have configured an application gateway associated to a WAF with my app service, the goal was to use WAF in front of my app; the issue now is that I dont have custom domain for my application gateway or app service. Earlier I was using default domain of…

Is it possible to use .azurewebsites.net domain with application gateway?

Hi, I have integrated azure app gateway with my app service to have WAF in front of my web app. I see that I have app gateway's IP address via which I can access the app service, is there any possibility that I use the default domain of web app even with…

When to use Azure WAF or Azure Firewall ?

Hi Folks, Can anyone here please share some thoughts and comments of when to use Azure WAF or Azure Firewall? I have already existing Azure ExpressRoute so my Azure VMs can ping my OnPremise servers, and vice versa. My purpose here is to be able to…

Azure NSG rules both for both public and private IPs

Can I apply a public IP to a vm and have it not affect the nsg rules that I have for it's private IPs? I have current nsg rules for the private IP but i want to add a public IP and apply nsg rules to it as well. I will be limiting access to it from…

Azure WAF rule 920470 blocking the requests with details massage: Pattern match ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['"\w\d\.\-]+)?$ at REQUEST_HEADERS:content-type. But we excluded the rule like in the below snip still the rule blocking

Azure WAF Security Features in Standard Tier with Front Door

Hey all - I’m looking for insights regarding the security features offered by the Azure WAF when deployed in the Standard tier with Azure FD, particularly in scenarios where the customer does not want to create any custom rules. Given that the Microsoft…

How to add correct exclusion on Azure WAF?

Greetings. Please help in creating an exception to the rule: OWASP_3.2 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link. My web application generates requests like: …