Azure WAF in Frontdoor premium: how to Exclude [{"matchVariableName":"Method","matchVariableValue":"GET"}

Question

Azure WAF in Frontdoor premium: how to Exclude [{"matchVariableName":"Method","matchVariableValue":"GET"}

Owin Gruters - iO 46

Hi,

When creating exclusions in a AFD Premium WAF policy, you have the choice out of 5 different Matchvariables: RequestHeaderNames, RequestCookieNames, QueryStringArgNames, RequestBodyPostArgNames, RequestBodyJsonArgNames (see https://learn.microsoft.com/en-us/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies?pivots=deployment-language-bicep#managedruleexclusion).

Now I have a false positive coming from Azure B2C where the Matchvariablename is "Method" (see attached image). This false positive is coming from this AB2C login request: https://myurl:443/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SIGNUP_SIGNIN&client_id=bb34194f-33b0-4abc-aca7-9b5831bc9f76&response_type=code&redirect_uri=https://myurl/api/authentication/callback&response_mode=query&scope=openid&state=https://myurl/dashboard&code_challenge=iUTAXPsWZ1K9xofkpRACpjMD2hIe12aEIs7AuRFwaUU&code_challenge_method=S256&ui_locales=nl-NL

To which of the 5 possible Matchvariables does this match? i.e. how can I make an exclusion for this? User's image

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T11:34:34.06+00:00
Hello @Owin Gruters - iO ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are getting a false positive on your Azure Front Door Premium WAF from an Azure B2C login request where the matchVariableName is "Method" and matchVariableValue is "GET" and you would like to know how to create an Exclusion for this blocked request in your WAF policy.

Would you be able to share the complete detail message from the WAF log for this blocked request?

Looking at the screenshot, it doesn't seem to fit any matchVariableName attributes available in AFD WAF.

The matchVariableName in your WAF log should come in the below format:

If it doesn't, then it means it you can't create an exclusion for that particular request and should consider either disabling the rule or creating a custom rule to allow that Azure B2C request.

As mentioned in our document, if your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.

Instead, consider taking one of the following actions:

Disable the rules that give false positives.

Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

Regards, Gita
Owin Gruters - iO 46 Reputation points

2023-06-12T11:52:56.82+00:00

Hi Gita,

Thank you for the swift reply. Please see the attached screenshot for the full WAF record.

If I see your table the only one that fits should be the Request Body JSON Arg. I Can test with an exclusion on RequestBodyJsonArgNames = "Method" and let you know

Kind Regards
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T12:36:27.8633333+00:00

Hello @Owin Gruters - iO ,

I think you sent another log this time.

I see "matchVariableName":"HeaderValue:Content-Type" in this log.

Could you please send the one with "Method"?

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-12T12:51:01.42+00:00

Sorry about that. Here is the right one
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T15:59:23.0366667+00:00
@Owin Gruters - iO , looks like this log doesn't have a recognized matchVariableName which can be used in WAF exclusion list.

Therefore, you will have to consider the alternatives as suggested in my previous comment.

Consider taking one of the following actions:

Disable the rule 931130.

Create a custom rule that explicitly allows this request. The request will bypass WAF inspection.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-13T07:41:45.76+00:00

Hi Gita,

Thanx again. I know about the alternatives, but off course this is not an ideal situation. It would be good if this could just be set like any other exclusion and to be honest, it is unclear why this is not a possibility. Can you elaborate?
Owin Gruters - iO 46 Reputation points

2023-06-13T07:45:24.79+00:00

Hi Gita,

Thanx again for your answer. I am aware of the alternatives. However it would be better if exclusions on these variables could be set just like the others. Can you elaborate on why this is not possible?

Also, it is difficult to see the difference between an unrecognized variable and one that fall in the group of RequestBodyJsonArgNames

Thank you!
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-13T15:04:05.6733333+00:00

@Owin Gruters - iO , I discussed this issue with the Azure WAF Product Group team, and they were able to reproduce this issue on their end where they were also getting matchvariablename as Method.

The Product Group team is checking with the Azure AD team to find out more regarding this behaviour.

Coming to your question: "Also, it is difficult to see the difference between an unrecognized variable and one that fall in the group of RequestBodyJsonArgNames"

You can see what request bodies are in the below link:

https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclusions-for-json-request-bodies

But the variable you have is actually a GET Method which doesn't include request body, so creating an exclusion with RequestBodyJsonArgNames will not work here.

The Azure WAF Product Group confirmed that creating any kind of exclusion for Method is not the right approach since it will exclude every http request with any Method. The right approach is to create the custom rule for the correct Azure B2C URI.

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T07:38:37.4833333+00:00

Hi Gita,

It helps and I will create the custom rule.

Is there any way I can be kept up to date on progress on this matter, maybe in this thread?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-14T09:32:39.0366667+00:00

@Owin Gruters - iO , sure, I will add the complete summary as an answer once I've an update from the Product Group team. Thanks!
Owin Gruters - iO 46 Reputation points

2023-06-14T11:17:05.58+00:00

By the way, the custom rule you create in your example filters on RequestUri that contacts "Method", but that is not where the text in located as far as I can see. Should this not be a 'RequestMethod' = *? But then it might also allow way too much if it prevails over the managed rules
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-15T10:58:49.2266667+00:00

Hello @Owin Gruters - iO , the GET Method is present in your Azure AD B2C URL in its query string variable:

Refer: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code

So, you could either add a custom rule with RequestUri contains Method or QueryString contains Method as below:

Regards,

Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-19T12:26:45.3333333+00:00

Hello @Owin Gruters - iO , Could you please provide an update on this post? Were you able to create the custom rule for this?
Owin Gruters - iO 46 Reputation points

2023-06-20T11:09:51.62+00:00

I decided to deactivate the whole rule on as it was giving a whole bunch of false positives. Thanx!
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-23T17:25:19.0533333+00:00

@Owin Gruters - iO , AFD WAF logging the Method as just matchvariablename without any recognized parameter is a bug, which will be fixed within the next few months. I've added the whole summary below as an answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T11:34:34.06+00:00

Hello @Owin Gruters - iO ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are getting a false positive on your Azure Front Door Premium WAF from an Azure B2C login request where the matchVariableName is "Method" and matchVariableValue is "GET" and you would like to know how to create an Exclusion for this blocked request in your WAF policy.

Would you be able to share the complete detail message from the WAF log for this blocked request?

Looking at the screenshot, it doesn't seem to fit any matchVariableName attributes available in AFD WAF.

The matchVariableName in your WAF log should come in the below format:

If it doesn't, then it means it you can't create an exclusion for that particular request and should consider either disabling the rule or creating a custom rule to allow that Azure B2C request.

As mentioned in our document, if your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.

Instead, consider taking one of the following actions:

Disable the rules that give false positives.

Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

Regards, Gita
Owin Gruters - iO 46 Reputation points

2023-06-12T11:52:56.82+00:00

Hi Gita,

Thank you for the swift reply. Please see the attached screenshot for the full WAF record.

If I see your table the only one that fits should be the Request Body JSON Arg. I Can test with an exclusion on RequestBodyJsonArgNames = "Method" and let you know

Kind Regards
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T12:36:27.8633333+00:00

Hello @Owin Gruters - iO ,

I think you sent another log this time.

I see "matchVariableName":"HeaderValue:Content-Type" in this log.

Could you please send the one with "Method"?

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-12T12:51:01.42+00:00

Sorry about that. Here is the right one
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-12T15:59:23.0366667+00:00

@Owin Gruters - iO , looks like this log doesn't have a recognized matchVariableName which can be used in WAF exclusion list.

Therefore, you will have to consider the alternatives as suggested in my previous comment.

Consider taking one of the following actions:

Disable the rule 931130.

Create a custom rule that explicitly allows this request. The request will bypass WAF inspection.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-13T07:41:45.76+00:00

Hi Gita,

Thanx again. I know about the alternatives, but off course this is not an ideal situation. It would be good if this could just be set like any other exclusion and to be honest, it is unclear why this is not a possibility. Can you elaborate?
Owin Gruters - iO 46 Reputation points

2023-06-13T07:45:24.79+00:00

Hi Gita,

Thanx again for your answer. I am aware of the alternatives. However it would be better if exclusions on these variables could be set just like the others. Can you elaborate on why this is not possible?

Also, it is difficult to see the difference between an unrecognized variable and one that fall in the group of RequestBodyJsonArgNames

Thank you!
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-13T15:04:05.6733333+00:00

@Owin Gruters - iO , I discussed this issue with the Azure WAF Product Group team, and they were able to reproduce this issue on their end where they were also getting matchvariablename as Method.

The Product Group team is checking with the Azure AD team to find out more regarding this behaviour.

Coming to your question: "Also, it is difficult to see the difference between an unrecognized variable and one that fall in the group of RequestBodyJsonArgNames"

You can see what request bodies are in the below link:

https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclusions-for-json-request-bodies

But the variable you have is actually a GET Method which doesn't include request body, so creating an exclusion with RequestBodyJsonArgNames will not work here.

The Azure WAF Product Group confirmed that creating any kind of exclusion for Method is not the right approach since it will exclude every http request with any Method. The right approach is to create the custom rule for the correct Azure B2C URI.

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T07:38:37.4833333+00:00

Hi Gita,

It helps and I will create the custom rule.

Is there any way I can be kept up to date on progress on this matter, maybe in this thread?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-14T09:32:39.0366667+00:00

@Owin Gruters - iO , sure, I will add the complete summary as an answer once I've an update from the Product Group team. Thanks!
Owin Gruters - iO 46 Reputation points

2023-06-14T11:17:05.58+00:00

By the way, the custom rule you create in your example filters on RequestUri that contacts "Method", but that is not where the text in located as far as I can see. Should this not be a 'RequestMethod' = *? But then it might also allow way too much if it prevails over the managed rules
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-15T10:58:49.2266667+00:00

Hello @Owin Gruters - iO , the GET Method is present in your Azure AD B2C URL in its query string variable:

Refer: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code

So, you could either add a custom rule with RequestUri contains Method or QueryString contains Method as below:

Regards,

Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-19T12:26:45.3333333+00:00

Hello @Owin Gruters - iO , Could you please provide an update on this post? Were you able to create the custom rule for this?
Owin Gruters - iO 46 Reputation points

2023-06-20T11:09:51.62+00:00

I decided to deactivate the whole rule on as it was giving a whole bunch of false positives. Thanx!
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-23T17:25:19.0533333+00:00

@Owin Gruters - iO , AFD WAF logging the Method as just matchvariablename without any recognized parameter is a bug, which will be fixed within the next few months. I've added the whole summary below as an answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Answer 1

Hello @Owin Gruters - iO ,

I understand that you are getting a false positive on your Azure Front Door Premium WAF from an Azure B2C login request where the matchVariableName is "Method" and matchVariableValue is "GET" and you would like to know how to create an Exclusion for this blocked request in your WAF policy.

Looking at the screenshot, it doesn't seem to fit any matchVariableName attributes available in AFD WAF.

The matchVariableName in your WAF log should come in the below format:

User's image

If it doesn't, then it means it you can't create an exclusion for that particular request and should consider either disabling the rule or creating a custom rule to allow that Azure B2C request.

As mentioned in our document, if your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.

So, I requested you to consider taking one of the following actions:

Disable the rules that give false positives.
Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

You wanted to know the difference between an unrecognized variable and one that fall in the group of RequestBodyJsonArgNames.

I provided the below information:

You can see what request bodies are in the below link:

https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclusions-for-json-request-bodies

But the variable you have is actually a GET Method which doesn't include request body, so creating an exclusion with RequestBodyJsonArgNames will not work here.

The Azure WAF Product Group confirmed that creating any kind of exclusion for Method is not the right approach since it will exclude every http request with any Method. The right approach is to create the custom rule for the correct Azure B2C URI.

Hence, advised you to either add a custom rule with RequestUri contains Method or QueryString contains Method as the GET Method is present in your Azure AD B2C URL in its query string variable.

But you decided to deactivate the whole rule as it was giving many other false positives.

Regarding the WAF logging the Method as just matchvariablename without any recognized parameter:

I discussed this issue with the Azure Front Door Product Group team, and they were able to reproduce this issue on their end. On further investigation, they found that it is a bug in AFD WAF, which will be fixed within the next few months (approx. ETA: before the end of September).

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Owin Gruters - iO 46 Reputation points

2023-07-05T18:28:34.7266667+00:00

@GitaraniSharma-MSFT I see in further logs that also the rules

Microsoft_DefaultRuleSet-2.1-PROTOCOL-ENFORCEMENT-920320

Microsoft_DefaultRuleSet-2.1-MS-ThreatIntel-SQLI-99031004

have this same issue

Is there any news on the solution, as I do not want to turn many rules off because of this bug
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-07-10T12:17:25.01+00:00

Hello @Owin Gruters - iO , looks like part of the bug was fixed but there are still a few issues which are actively being worked on. However, I don't have an ETA for the complete fix yet. Will keep you posted.

Share via

Azure WAF in Frontdoor premium: how to Exclude [{"matchVariableName":"Method","matchVariableValue":"GET"}

0 additional answers

Your answer