What is the best way to pass data to an API through an Azure Application Gateway and WAF and avoid false positives

rex 1 Reputation point
2021-08-19T20:47:32.037+00:00

I have a back-end API that I am sending data to and some data triggers the WAF to BLOCK that should not.

I am considering base64 encoding the data but that seems unnecessary.

Example payload that fails (the trailing comma after the password field has been removed so the JSON is valid):
{
  "username": "user1",
  "password": "Lv^axe123"
}

Passwords are supposed to be complex... should I base64 encode the password to keep the WAF from inspecting it?

Please advise; I don't want to rewrite my entire API to base64-encode fields/payloads. What is the best practice here?

TIA

Azure Application Gateway
Azure Web Application Firewall

  1. SaiKishor-MSFT 17,231 Reputation points
    2021-08-26T13:08:52.983+00:00

    @rex Thank you for reaching out to Microsoft Q&A.

    I understand that you are facing issues with the WAF blocking legitimate traffic. Here is a document that you can refer to on troubleshooting WAF when legitimate traffic is blocked by the WAF, as is the current case.

    As given in the document: first, ensure you’ve read the WAF overview and the WAF configuration documents. Also, make sure you’ve enabled WAF monitoring. These articles explain how the WAF functions, how the WAF rule sets work, and how to access WAF logs.

    It is entirely normal, and actually expected in many cases, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives. Per-site and per-URI policies allow for these changes to only affect specific sites/URIs, so any changes shouldn’t have to affect other sites that may not be running into the same issues.

    If you notice that the WAF blocks a request that it shouldn't (a false positive), you can do a few things. First, narrow down, and find the specific request. Look through the logs to find the specific URI, timestamp, or transaction ID of the request. When you find the associated log entries, you can begin to act on the false positives.

    Here is a document that specifies how to work around False Positives with WAF.

    1. Use an Exclusion List
      See WAF configuration for more information about exclusion lists.
    2. Disable the rule

    Please go through the above document on fixing the False Positive either by creating an Exclusion List or Disabling the rule. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


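As an added illustration (not part of the answer or of Microsoft's documentation), here is how the exclusion-list approach the answer recommends could be expressed in Bicep for the payload in the question: only the value of the `password` request argument is excluded from managed-rule inspection, so complex passwords stop tripping the WAF while the rest of the request is still inspected and no rule is disabled. The policy name, location parameter and API version are assumptions.

```bicep
// Added example: a WAF policy that excludes only the "password" argument from
// managed-rule inspection, instead of base64-encoding the field or disabling a rule.
// Policy name, location parameter and API version are assumptions, not from the page.
param location string = resourceGroup().location

resource apiWafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01' = {
  name: 'api-waf-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'      // keep blocking; the exclusion below is scoped, not global
      requestBodyCheck: true  // the JSON body (where the password lives) is still inspected
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
      exclusions: [
        {
          // Only the value of the "password" key is skipped; the key name itself, the
          // "username" field, headers, cookies and the URL remain subject to all rules.
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: 'password'
        }
      ]
    }
  }
}

// Attach this policy per-site by referencing it from the API's listener
// (firewallPolicy.id) so other sites behind the same gateway are unaffected.
output wafPolicyId string = apiWafPolicy.id
```

After deploying, confirm in the ApplicationGatewayFirewallLog that the sample login request is no longer blocked; if it still is, the log entry's rule ID tells you which rule is matching and whether a narrower exclusion or a custom rule is the right fix.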
