This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 6%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOG%3C/text%3E%3C/svg%3E)
Hi,
When creating exclusions in a AFD Premium WAF policy, you have the choice out of 5 different Matchvariables: RequestHeaderNames, RequestCookieNames, QueryStringArgNames, RequestBodyPostArgNames, RequestBodyJsonArgNames (see https://learn.microsoft.com/en-us/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies?pivots=deployment-language-bicep#managedruleexclusion).
Now I have a false positive coming from Azure B2C where the Matchvariablename is "entries.nextHopProtocol" (see attached image). This false positive is coming from this AB2C login request: https://myURL:443/mytenant.onmicrosoft.com/B2C_1A_signup_signin/client/perftrace?tx=StateProperties=eyJUSUQiOiIxNTYwMDQyMy0yNWU2LTRkN2QtOWUwNC02NGI4NDc1MDdiOGYifQ&p=B2C_1A_signup_signin
This triggers on rule Microsoft_DefaultRuleSet-2.1-PROTOCOL-ATTACK-921130 and it triggers a subsequent BLOCK! for [{"matchVariableName":"entries.nextHopProtocol","matchVariableValue":"http/1.1"}]. How can I exclude this one when it does not fit any of the 5 Matchvariables?
Regards
Hello @Owin Gruters - iO ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are getting a false positive in Azure Front Door WAF coming from Azure B2C login request which triggers a block with rule Microsoft_DefaultRuleSet-2.1-PROTOCOL-ATTACK-921130 for [{"matchVariableName":"entries.nextHopProtocol","matchVariableValue":"http/1.1"}] and you would like to know how to create an exclusion list for this.
I'm checking with the Azure WAF Product Group team regarding this. Will update you once I hear from them.
Regards,
Gita
@Owin Gruters - iO , I discussed this issue with the Azure Product Group team and below is their response:
Looks like it is a trigger on Cookie value, and you might be able to create an exclusion for the cookie value.
Could you please try to create an exclusion as below and let me know if it helps?
Regards,
Gita
I will try and let you know. I do not see it very often, so it might take a while.
But if even if this is the case the log should say
[{"matchVariableName":"RequestCookieNames","matchVariableValue":"entries.nextHopProtocol"}].
There is no mention anywhere that this is a hit on a cookie value. Is the product team investigating this issue?
Hello @Owin Gruters - iO , yes this is part of the bug that we discussed before in your previous posts. There is an ongoing bug where the AFD WAF is logging the matchvariablenames without any key. The Product Group team is actively working on it.
Also, the Product Group team has asked me to share the complete HTTP request that is getting flagged as false positive for you. So, could you please send an email with subject line "ATTN gishar | Azure WAF in Frontdoor premium: how to Exclude matchVariableName:entries.nextHopProtocol" to AzCommunity[at]Microsoft[dot]com with the following details and I will follow-up with you.
Note: Do not share any PII data as a public comment.
Regards,
Gita
Hi Gita,
The suggested exclusion (Looks like it is a trigger on Cookie value, and you might be able to create an exclusion for the cookie value) does not work.
I still see the entries in the WAF logs. Do you have any other suggestions or an ETA on the solution on the root cause?
Regards
Thank you for the update, @Owin Gruters - iO .
Let me discuss this with the Azure WAF Product Group team and get back to you.
@Owin Gruters - iO , let me check with the PG team and see if there were any fix rollouts. Will keep you posted.
This one seems to have been fixed by the PG
Thank you for the update, @Owin Gruters - iO .
Hi Gita, Is it possible something changed here? I now see different log entries which I can exclude: {"matchVariableName":"JsonValue:serverTiming.nextHopProtocol","matchVariableValue":"http/1.1"}
Is this something the Product team has changed?
Kind regards