![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 57.00000000000001%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,014 questions
Hello @真 川崎 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have configured a custom rule in your Application gateway WAF policy to deny traffic that contains a specific string in the URL, but it is not working. The same rule works in your test environment, but the only difference is that there are 2 match values for the string in the working setup and only 1 match value in the non-working setup.
Your question: Is it possible that a custom rule in a WAF policy doesn't work if only one value matches?
No, this is not true. Even if there is only one match value, the WAF policy will take action as per the configured action and mode of the WAF policy.
You can see the example in the below doc where WAF block all requests from IP addresses in the range 198.168.5.0/24:
Custom rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.
Priority - Determines the rule valuation order. The lower the value, the earlier the evaluation of the rule. The allowable range is from 1-100. This must be unique across all custom rules. A rule with priority 40 is evaluated before a rule with priority 80.
Block action configuration:
Block - Blocks or logs the transaction based on SecDefaultAction (detection/prevention mode).
- Prevention mode - Blocks the transaction based on SecDefaultAction. Just like the Allow action, once the request is evaluated and added to the blocklist, evaluation is stopped, and the request is blocked. Any request after that meets the same conditions won't be evaluated and will just be blocked.
- Detection mode - Logs the transaction based on SecDefaultAction after which evaluation is stopped. Any request after that meets the same conditions won't be evaluated and will just be logged.
Since the screenshots are in another language, I'm just assuming that the non-working custom rule is configured as below:
If you've set the rule as above, I would request you to check the below details:
- Validate if your WAF policy is set to Prevention mode.
- Check if you have any other custom rules in this WAF policy with a lower priority which could be allowing this traffic.
If you are unable to find the cause of the issue, it would be better to create a support ticket, so that the support team can take a look at the backend logs and find what is happening. Hence, if you have a support plan, I would request you to file a support ticket, else please do let us know and we will try and help you get a one-time free technical support.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.