Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,016 questions
Update Azure application gateway WAF rules to allow request from same ip range in short span
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 50%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPN%3C/text%3E%3C/svg%3E)
Prashanth Nagaraj
0
Reputation points
I have a web app hosted on AKS behind an Application Gateway with WAF. My domain is onboarded on Cloudflare. The WAF is blocking network calls to my web app with rule ID 949110. I suspect that Cloudflare is replacing the actual client IP with its own and splitting requests from a single IP into multiple Cloudflare IPs, causing the WAF to increase anomaly scores and block requests.
How can I address this issue effectively to ensure legitimate traffic is not blocked?
Thank you.
{count} votes
-
KapilAnanth-MSFT 41,721 Reputation points Microsoft Employee2024-07-24T06:46:59.2833333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
The Rule "949110" seems to be a mandatory rule, and hence you cannot disable this.
- Can you please share which RuleSetType and RuleSetVersion you are using?
- Can you share the entire error message from the Firewall log
- The "message" and "details" field would be helpful
Once you have the details, you can consider using
Depending on your application's traffic.
Cheers,
Kapil
-
Prashanth Nagaraj 0 Reputation points
2024-07-25T00:19:09.41+00:00 Hi @KapilAnanth-MSFT How can i use WAF Exclusion lists or Custom rules as I don't want to whitelist the entire IPs of cloudflare. That would make WAF dummy!
Message : Inbound Anomaly Score Exceeded (Total Score: 20)
Detail Message: Greater and Equal to Tx:inbound_anomaly_score_threshold at TX:anomaly_score.
Rule Group: REQUEST-949-BLOCKING-EVALUATION
Rule Set Type: OWASP CRS
Rule Set Versions: 3.1 -
KapilAnanth-MSFT 41,721 Reputation points Microsoft Employee
2024-07-25T09:31:46.5333333+00:00 @Prashanth Nagaraj , You have to tune your WAF.
- The Rule "949110" is blocking the request because the request exceeded the Anomaly Score threshold.
- This is happening for a "single" request
- So even if your source is sending multiple requests, the log you see is for a single request within those multiple requests.
- The threshold is 5 and I see for the request, it is 20 (very high).
- From the same log, you can ***filter using the "*transactionId" property to see all the other rules that matched before the mandatory rule could check the Anomaly Score - for a single request
More details can be found in : Understanding WAF logs
- Details on all the other rules that matched and contributed to the Anomaly score can be found from "details.message" property
- The first word would indicate if this is a Notice or Warning or Error or Critical
- And "action" property would be "Matched"
NOTE : Mandatory rules shouldn’t be thought of as rules, but more as core infrastructure of the WAF internals.
Once you get the list of all the macthed rules,
- You have make those requests compliant with OWASP.
- If you believe they are false positives
- Use an exclusion list
- Or Disable the rule
Wrt, "How can i use WAF Exclusion lists or Custom rules as I don't want to whitelist the entire IPs of cloudflare."
- You have to do it based on the matched rules and their "details.message" property
Hope this clarifies.
Cheers,
Kapil
Sign in to comment