This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 6%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOG%3C/text%3E%3C/svg%3E)
Hi,
When creating exclusions in a AFD Premium WAF policy, you have the choice out of 5 different Matchvariables: RequestHeaderNames, RequestCookieNames, QueryStringArgNames, RequestBodyPostArgNames, RequestBodyJsonArgNames (see https://learn.microsoft.com/en-us/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies?pivots=deployment-language-bicep#managedruleexclusion).
Now I have a (false) positive for rule Microsoft_DefaultRuleSet-2.1-MS-ThreatIntel-SQLI-99031004 with "matchVariableName":"MultipartParamValue:contentItem".
How do I exclude this one?
Hello @Owin Gruters - iO ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Since we are already working offline on similar issue, I will reach out to you directly for further investigation on this issue.
And we will post a summarized answer once the issue is resolved.
Regards,
Gita
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 53%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDY%3C/text%3E%3C/svg%3E)
Hello:
I have the same issue: a false positive for rule Microsoft_DefaultRuleSet-2.1-SQLI-942200 with "matchVariableName":"MultipartParamValue:data"
I would like to create an exclusion insted of disabling the rule or going for a custom rule.
Is this somehow possible?
Hello @Owin Gruters - iO and @Daniel Yuste Aroca ,
Below is the update from the backend team on this issue:
Adding an exclusion with Request body by POST args name for the values that are triggering rules may be helpful in this case.
But unfortunately, there is a known issue while using "multipart/form-data" where this exclusion might not work as expected in all cases.
A fix for this is currently being worked up on. And might take about 3 weeks to rollout.
In the meantime, customer can consider updating the "enctype" to "application/x-www-form-urlencoded" instead of multipart/form-data.
Please try to use the above workaround and check if it works.
Regards, Gita
Change our application in production for a few weeks you mean?
I don't think so :)
I will wait for 3 weeks. Please inform us when the fix rollout is done.
Thank you!
@Owin Gruters - iO , thank you for the update. I will also check with the product group team on the fix rollout timeline again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 23%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Hi, we are facing the exact same issue here, any news about when the fix is gonna be rollout ?
Oops sorry double post, can't delete it....
We are facing the same issue, any news about the fix?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 64%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBW%3C/text%3E%3C/svg%3E)
Have the same issue with AFD WAF DefaultRuleSet_2.1. @GitaraniSharma-MSFT I have created an exclusion based on the info above but has the fix you referenced already occurred?
@Jean-Philippe Desloges-Bergeron latest communication I received from Microsoft yesterday Friday 29-9-2023:
"update from the product team that they will roll out fix the log discrepancies on next week. I will keep you posted further updates on this once I hear anything from the product team. "