Hello @Justin Griep ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to exclude request cookies from evaluation for a number of OWASP rules and would like to know what a better way to define an exclusion rule for the same would be.
You can configure a WAF exclusion in Application Gateway for the "Request cookies" attribute.
When you configure an exclusion, you need to determine whether you want to exclude the name/key or the value from WAF evaluation.
If the WAF is getting triggered for the Cookie name (REQUEST_COOKIES_NAMES), you can use the attribute "Request Cookie Keys" or "Request Cookie Names" as below:
If the WAF is getting triggered for the Cookie value (REQUEST_COOKIES_VALUES), you can use the attribute "Request Cookie Values" as below:
NOTE: Request attributes by key and values are only available in CRS 3.2.
The new WAF engine is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine.
If you are using the older WAF engine, I would request you to set the default rule set to OWASP 3.2 and add the above-mentioned exclusion list.
Additional reference for you:
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
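
The two exclusion types described in the answer above, expressed with Azure PowerShell. This is an added example, not part of the original answer. The cookie name `appsession`, the policy name, the resource group, and the location are constructed placeholders, and the exclusions are applied globally to the managed rule set rather than to individual rules.

```powershell
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

# Exclude the cookie KEY (name) from evaluation: use when the log entry
# shows the match on REQUEST_COOKIES_NAMES.
$cookieKeyExclusion = New-AzApplicationGatewayFirewallPolicyExclusion `
    -MatchVariable "RequestCookieKeys" `
    -SelectorMatchOperator "Equals" `
    -Selector "appsession"          # placeholder cookie name

# Exclude the cookie VALUE from evaluation: use when the log entry
# shows the match on REQUEST_COOKIES_VALUES.
$cookieValueExclusion = New-AzApplicationGatewayFirewallPolicyExclusion `
    -MatchVariable "RequestCookieValues" `
    -SelectorMatchOperator "Equals" `
    -Selector "appsession"          # placeholder cookie name

# Key/value match variables need CRS 3.2, so pin the managed rule set to OWASP 3.2.
$ruleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType "OWASP" `
    -RuleSetVersion "3.2"

$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule `
    -ManagedRuleSet $ruleSet `
    -Exclusion $cookieKeyExclusion, $cookieValueExclusion

# Placeholder policy name, resource group, and location.
New-AzApplicationGatewayFirewallPolicy `
    -Name "waf-policy-example" `
    -ResourceGroupName "rg-example" `
    -Location "eastus" `
    -ManagedRule $managedRules
```

Scoping the selector to one exact cookie name with `Equals` keeps every other cookie under WAF inspection; broader operators such as `StartsWith` or `Contains` widen what bypasses the rules.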