we cannot see the request in the firewall logs from application gateway

Mayank Jain 260 Reputation points

When we send the request from postman API request is getting success also seen in database(ssms), application gateway but we cannot see the request in the firewall logs what is the issues and how to solve this error

we are using this below query in application gateway to check firewall logs

WAF -Policy mode-Prevention

| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" 
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
846 questions
Azure Web Application Firewall
Azure ISV (Independent Software Vendors) and Startups
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
102 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,065 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 42,626 Reputation points Microsoft Employee

    Hello @Mayank Jain ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are unable to see some allowed API requests in your application gateway firewall logs.

    As @Boris Von Dahle mentioned above, please make sure that logging is enabled via the diagnostic settings of your Application gateway for Firewall logs.



    The purpose of WAF logs is to show every request that WAF matches or blocks.

    If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#understanding-waf-logs

    Also, as mentioned in the below doc:

    enter image description here

    Allowed action is only logged when all conditions were matched for a given rule and the request was passed to the backend.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log

    Another thing that you can check here is custom rules.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    Your custom rules can either block, allow, or log requested traffic based on matching criteria. If the WAF policy is set to detection mode, and a custom block rule is triggered, the request is logged and no blocking action is taken. These rules hold a higher priority than the rest of the rules in the managed rule sets. If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated. Custom rules can be enabled/disabled on demand.

    enter image description here

    So, if you've configured a custom rule to allow these API requests, then it will authorize the transaction, skipping all other rules. The specified request is added to the allowlist and once matched, the request stops further evaluation and is sent to the backend pool.

    And in prevention mode, the allowed action of a custom rule is not logged.

    Only, in detection mode, all the transaction are logged based on SecDefaultAction after which evaluation is stopped. Any request after that meets the same conditions won't be evaluated and will just be logged.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Boris Von Dahle 2,661 Reputation points


    If the requests from your Application Gateway are not showing up in the firewall logs, there could be several reasons for this:

    Firstly, ensure that logging is enabled for your Application Gateway. You can check this by navigating to your Application Gateway resource in the Azure portal, and under the Monitoring section, verify that the Diagnostic settings are correctly configured. The logs that should be enabled include the Access log, Performance log, and Firewall log

    If the requests are not matching any of the firewall rules, they may not be logged. Ensure that the firewall rules in your are configured to match the requests that are being sent.

    If the firewall is not blocking the requests, they may not appear in the logs. The logs usually contain information about requests that were blocked by the firewall. If the requests are being allowed through, they may not appear in the logs.

    Hope this helps


    0 comments No comments