Hello @Owin Gruters - iO,
I understand that you are getting a false positive on your Azure Front Door Premium WAF from an Azure B2C login request where the matchVariableName is "Method" and matchVariableValue is "GET" and you would like to know how to create an Exclusion for this blocked request in your WAF policy.
Looking at the screenshot, it doesn't seem to fit any matchVariableName attributes available in AFD WAF.
The matchVariableName in your WAF log should come in the below format:
If it doesn't, then it means you can't create an exclusion for that particular request and should consider either disabling the rule or creating a custom rule to allow that Azure B2C request.
As mentioned in our document, if your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.
So, I asked you to consider taking one of the following actions:
- Disable the rules that give false positives.
- Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.
You wanted to know the difference between an unrecognized variable and one that falls in the group of RequestBodyJsonArgNames.
I provided the below information:
You can see what request bodies are in the below link:
But the variable you have is actually a GET Method which doesn't include request body, so creating an exclusion with RequestBodyJsonArgNames will not work here.
The Azure WAF Product Group confirmed that creating any kind of exclusion for Method is not the right approach since it will exclude every HTTP request with any Method. The right approach is to create the custom rule for the correct Azure B2C URI.
Hence, I advised you to either add a custom rule with RequestUri contains Method or QueryString contains Method, as the GET Method is present in your Azure AD B2C URL in its query string variable.
But you decided to deactivate the whole rule as it was giving many other false positives.
Regarding the WAF logging the Method as just matchVariableName without any recognized parameter:
I discussed this issue with the Azure Front Door Product Group team, and they were able to reproduce this issue on their end. On further investigation, they found that it is a bug in AFD WAF, which will be fixed within the next few months (approx. ETA: before the end of September).
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
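For readers landing on this thread: the two options discussed in the answer above (a custom Allow rule scoped to the Azure AD B2C login request, or disabling the managed rule that produces the false positive) look like the following when expressed as a Front Door Premium WAF policy. This is an added example, not code from the answer, from the question author, or from Microsoft's documentation. The policy name, the B2C URI fragment, and the managed rule group/ID are parameters with no defaults because the thread does not state them; take the rule group and rule ID from the `ruleName` in your own WAF log entry.

```bicep
// Added example: Azure Front Door Premium WAF policy showing the two remedies
// from the thread. All parameter values are assumptions the reader must supply.

@description('Name of the WAF policy (assumed; pick your own).')
param policyName string

@description('Path fragment of the Azure AD B2C login request to allow (assumed; taken from your WAF log RequestUri).')
param b2cUriFragment string

@description('Managed rule group of the false-positive rule (assumed; from the WAF log).')
param falsePositiveRuleGroup string

@description('Managed rule ID to disable (assumed; from the WAF log ruleName).')
param falsePositiveRuleId string

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: policyName
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
    customRules: {
      rules: [
        {
          // Option 2 from the answer: an Allow custom rule. Custom rules run
          // before managed rules and Allow stops further evaluation, so the
          // request bypasses ALL WAF inspection. Keep the match as narrow as
          // possible: both conditions below must hold (they are ANDed).
          name: 'AllowB2CLoginGet'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Allow'
          matchConditions: [
            {
              // Match the B2C login URI, case-insensitively.
              matchVariable: 'RequestUri'
              operator: 'Contains'
              negateCondition: false
              matchValue: [
                b2cUriFragment
              ]
              transforms: [
                'Lowercase'
              ]
            }
            {
              // The false positive in the thread was on a GET, so do not
              // open the bypass to POST/PUT traffic on the same path.
              matchVariable: 'RequestMethod'
              operator: 'Equal'
              negateCondition: false
              matchValue: [
                'GET'
              ]
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          // Option 1 from the answer: disable only the rule that misfires,
          // not the whole rule group or rule set.
          ruleGroupOverrides: [
            {
              ruleGroupName: falsePositiveRuleGroup
              rules: [
                {
                  ruleId: falsePositiveRuleId
                  enabledState: 'Disabled'
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Use one or the other, not both: with the custom Allow rule in place the managed rule never sees the matching request anyway. The `RequestMethod` condition is there because an Allow rule is a full bypass; an exclusion keyed on `Method`, as the answer explains, would have matched every request regardless of path, and the same over-reach is easy to reproduce with a custom rule whose only condition is the URI. If you later need an exclusion instead, it belongs in the managed rule set's `exclusions` array and only works for the five `matchVariableName` values the documentation lists (request header names, cookie names, query string argument names, POST argument names, JSON argument names); a GET has no body, so `RequestBodyJsonArgNames` cannot apply to it.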