About Custom Rules in Application Gateway WAF Policy

真 川崎 156 Reputation points
2023-07-26T04:39:12.9466667+00:00

CDN - Application Gateway WAF - ContentsDeilvery Webapps

The website is configured in this way.

I have set a custom rule in the WAF policy of Application Gateway WAF to deny traffic that contains a specific string in the URL.

I put the same deny rule in the custom rule of the WAF policy with a similar configuration (CDN-WAF-WebApps) in another test environment and it worked.

When comparing the WAF policies of the working environment and the non-working environment, the number to be set to the matching value is

There were 2 environments that worked and only 1 that didn't.

Adding a value to the matching values for environments that don't work there now rejects requests containing ".testtest".

The difference between custom rules for environments that work and environments that don't work is that the number set to a matching value was set to 2 environments that worked and only 1 that didn't work.

Is it possible that a custom rule in a WAF policy doesn't work if only one value matches?

There was only a difference in the number of matching values between the working environment and the non-working environment, but I would like to know if that is the cause, please let me know if anyone has a similar problem.

This will not block traffic: [screenshot]

With this, traffic is denied both when the URL contains ".testtest" and when the URL contains ".testtest2": [screenshot]

Azure Application Gateway

Accepted answer
  1. GitaraniSharma-MSFT 45,486 Reputation points Microsoft Employee
    2023-07-27T14:38:21.6066667+00:00

    Hello @真 川崎 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have configured a custom rule in your Application gateway WAF policy to deny traffic that contains a specific string in the URL, but it is not working. The same rule works in your test environment, but the only difference is that there are 2 match values for the string in the working setup and only 1 match value in the non-working setup.

    Your question: Is it possible that a custom rule in a WAF policy doesn't work if only one value matches?

    No, this is not true. Even if there is only one match value, the WAF policy will take action as per the configured action and mode of the WAF policy.

    You can see the example in the below doc where WAF blocks all requests from IP addresses in the range 198.168.5.0/24:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules#example-3

    Custom rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.

    Priority - Determines the rule evaluation order. The lower the value, the earlier the evaluation of the rule. The allowable range is from 1-100. This must be unique across all custom rules. A rule with priority 40 is evaluated before a rule with priority 80.

    Block action configuration:

    Block - Blocks or logs the transaction based on SecDefaultAction (detection/prevention mode).

    • Prevention mode - Blocks the transaction based on SecDefaultAction. Just like the Allow action, once the request is evaluated and added to the blocklist, evaluation is stopped, and the request is blocked. Any request after that meets the same conditions won't be evaluated and will just be blocked.
    • Detection mode - Logs the transaction based on SecDefaultAction after which evaluation is stopped. Any request after that meets the same conditions won't be evaluated and will just be logged.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#action-required

    Since the screenshots are in another language, I'm just assuming that the non-working custom rule is configured as below:

    [screenshot]

    If you've set the rule as above, I would request you to check the below details:

    1. Validate if your WAF policy is set to Prevention mode.
    2. Check if you have any other custom rules in this WAF policy with a lower priority which could be allowing this traffic.

    If you are unable to find the cause of the issue, it would be better to create a support ticket, so that the support team can take a look at the backend logs and find what is happening. Hence, if you have a support plan, I would request you to file a support ticket, else please do let us know and we will try and help you get one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

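For reference, here is what a WAF policy with exactly one match value looks like as an ARM resource definition, with the two checks from the accepted answer (Prevention mode, a unique custom-rule priority) set correctly. This is an added example written for this page, not the asker's configuration or Microsoft's documentation; the resource name, location, `apiVersion`, the rule name `BlockTestTestInUri` and the priority value are assumptions chosen for illustration. The property name `negationConditon` is spelled that way in the actual API, not a typo introduced here.

```json
{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2022-09-01",
  "name": "cdn-agw-waf-policy-example",
  "location": "japaneast",
  "properties": {
    "policySettings": {
      "state": "Enabled",
      "mode": "Prevention",
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    },
    "customRules": [
      {
        "name": "BlockTestTestInUri",
        "priority": 10,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
          {
            "matchVariables": [
              { "variableName": "RequestUri" }
            ],
            "operator": "Contains",
            "negationConditon": false,
            "matchValues": [ ".testtest" ],
            "transforms": [ "Lowercase" ]
          }
        ]
      }
    ],
    "managedRules": {
      "managedRuleSets": [
        { "ruleSetType": "OWASP", "ruleSetVersion": "3.2" }
      ]
    }
  }
}
```

A single entry in `matchValues` is sufficient for the rule to fire; the list simply ORs its values. The two settings that silently turn this rule into a no-op are the ones the answer asks to verify: `"mode": "Detection"` only logs the match instead of blocking it, and any other custom rule in the same `customRules` array with a smaller `priority` number and `"action": "Allow"` that also matches the request wins first, after which this Block rule is never evaluated. The `Lowercase` transform keeps the match from being bypassed by case variation such as `.TestTest`.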
