Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are receiving 403 Forbidden while accessing your website via Application gateway.
It is possible that the 403 is either coming from the App gateway or the App Service itself.
I note that you did mention the azurewebsites.net domain does not throw this error, which indicates the error is coming from the Azure App Gateway WAF.
However, to be sure, let's please check both the logs.
- Do you have the WAF in prevention mode or detection mode?
- If it's in Prevention mode, does keeping it in Detection mode help?
- Did you check both the WAF Logs and Access Logs?
- Enable Logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics#logs-and-diagnostics
- Check Access Logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#access-log
- Check WAF Logs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log
- Did you check which Managed Rule is getting hit?
- You should see something like this: https://learn.microsoft.com/en-us/azure/application-gateway/log-analytics#explore-data-with-examples
- If WAF logs are not capturing, it means the 403 is coming from the App service itself, and should be visible in Access Logs.
You confirmed that setting the WAF in Prevention Mode resolved the issue.
As I suggested, this will make your Application Gateway vulnerable to attacks, as disabling the WAF entirely (i.e., moving to prevention mode) will disable all the Core Rules, which opens other threats.
Instead, you should only disable the rule in the CRS Rule Set that causes the 403 and not the entire WAF.
You can do this by following: Customize Web Application Firewall rules
To find out which Rule is being triggered, you must use the WAF Logs.
In addition to disabling a Rule, you can also consider:
- Custom rules
  - These rules hold a higher priority than the rest of the rules in the managed rule sets. If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.
- Create Exclusion Lists
  - WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal. You can configure a WAF exclusion for certain request attributes.
Custom Rules and Exclusion Lists are dependent on your application and you should work with your application team to arrive at the correct configuration.
So, you can consider disabling a Rule for easy configuration and overhead.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
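To show what "use the WAF Logs to find which rule is triggered" looks like in practice, here is an added Python example (not part of the answer above and not Microsoft tooling). It groups constructed firewall-log records by transactionId, keeps only transactions that actually carry a Blocked entry, and counts the managed rules that contributed, together with the request attribute each one matched in (the natural candidate for an exclusion rather than disabling the whole rule). It assumes the JSON shape of the ApplicationGatewayFirewallLog category and that ruleId 949110 is the CRS 3.x anomaly-score entry that records the block; the sample records and their values are made up.

```python
import json
from collections import Counter, defaultdict

BLOCK_RULE = "949110"  # assumption: CRS 3.x "Inbound Anomaly Score Exceeded" entry that carries the Blocked action


def _rec(tx, uri, rule, action, data):
    """Build one constructed record in the ApplicationGatewayFirewallLog shape (subset of fields)."""
    return {"category": "ApplicationGatewayFirewallLog",
            "properties": {"transactionId": tx, "requestUri": uri, "ruleSetType": "OWASP",
                           "ruleSetVersion": "3.2", "ruleId": rule, "action": action,
                           "details": {"data": data}}}


# Constructed sample: two requests blocked because the Host header is a bare IP (920350),
# and one request that only scored below the threshold (Matched, never Blocked).
SAMPLE_LOGS = [
    _rec("tx-1", "/api/items", "920350", "Matched", "Matched Data: 203.0.113.10 found within REQUEST_HEADERS:Host"),
    _rec("tx-1", "/api/items", BLOCK_RULE, "Blocked", "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    _rec("tx-2", "/api/items", "920350", "Matched", "Matched Data: 203.0.113.10 found within REQUEST_HEADERS:Host"),
    _rec("tx-2", "/api/items", BLOCK_RULE, "Blocked", "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    _rec("tx-3", "/search", "942430", "Matched", "Matched Data: ?,( found within ARGS:q"),
]


def summarize_blocks(records):
    """Return (blocked, hits): per blocked transaction the contributing rules and the
    request attributes they matched in, plus a Counter of rule ids across all blocks."""
    by_tx = defaultdict(list)
    for rec in records:
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access-log or other categories are not WAF decisions
        props = rec["properties"]
        by_tx[props["transactionId"]].append(props)

    blocked, hits = {}, Counter()
    for tx, entries in by_tx.items():
        if not any(e["action"] == "Blocked" for e in entries):
            continue  # Matched-only: logged in Detection mode / below the anomaly threshold, no 403
        scoring = [e for e in entries if e["ruleId"] != BLOCK_RULE]
        rules = sorted({e["ruleId"] for e in scoring})
        # "found within <VARIABLE:name>" names the attribute an exclusion could target
        where = sorted({e["details"]["data"].rsplit("within ", 1)[-1] for e in scoring})
        blocked[tx] = {"uri": entries[0]["requestUri"], "rules": rules, "where": where}
        hits.update(rules)
    return blocked, hits


if __name__ == "__main__":
    blocked, hits = summarize_blocks(SAMPLE_LOGS)
    print(json.dumps({"blocked": blocked, "rule_hits": hits}, indent=2))
```

Feed it the records exported from the gateway's diagnostic setting instead of SAMPLE_LOGS; the most frequent rule id in rule_hits is the one to review first, and the "where" attribute tells you whether a targeted exclusion would do instead of disabling the rule.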