Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
584 questions
AFD WAF - How to configure custom rule for CookieName request attribute
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 64%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBW%3C/text%3E%3C/svg%3E)
Brittany Wolf
1
Reputation point
@GitaraniSharma-MSFT Hoping you can help me. I have WAF on AFD with DefaultRuleSet_2.1. I am seeing blocks associated with matchVariableName value CookieName. Based on this resource, I understand that I cannot use an exclusion for this attribute type at this time. https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes However, the resource implies that a custom rule can be used instead. I've been trying a few different custom rule configurations but they don't seem to be preventing these requests from being blocked. I wondered if you had a recommendation on how to accomplish this so that I don't have to disable the rule or change its action to log instead. THANK YOU!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee2024-02-10T01:52:53.0733333+00:00 Thank you for reaching out.
Based on this resource, I understand that I cannot use an exclusion for this attribute type at this time. https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes
Yes, your understanding is correct here.
Before delving into the issue a quick FYI here about custom rules in WAF.
When a request matches a custom rule, the WAF engine stops processing the request. Managed rules won't be processed for this request and neither will other custom rules with a lower priority.
Given in your scenario, if you are creating a custom rule to allow a request with Match Variable Cookies and Cookie Name as shown below. Then every request containing the cookie will be allowed and no managed rules will be processed for this request.
If you still want to proceed with a Custom rule. Can you please share the information below? Please redact any PII information.
- Please share screenshot of the WAF logs for the blocked request.
- Please share a screenshot of the custom rules created.
Thank you!
-
Brittany Wolf 1 Reputation point
2024-02-12T15:31:33.2233333+00:00 Hi Chaitanya, Yes, I created a custom rule but it doesn't seem to be working as requests that should match are still being blocked. When I query the logs for requests matching this particular custom rule, there are no results. This seems to indicate a problem with the rule so I'm seeking assistance. Here's an example of the CookieName matchVariableName block from the logs:
Here is the current custom rule config:
We have tried a few different variations of the operator and match values but since the issue is with the FIELD NAME of CookieName and not the value, I'm not sure how to actually use a custom rule to account for this scenario. I noticed while composing this reply that the 'Any' operator doesn't ask for a Match Value. Would that one work to prevent the block shown? Thanks!
-
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
2024-02-16T04:36:31.3866667+00:00 @Brittany Wolf
Thank you for getting back and sharing the requested details. Apologies for the delay here. Any is a match all operator so I think using contains operator can be helpful in this case. Can you try adding the custom rule with Equal or Contains operator and see if that helps in this case? Thank you! -
Brittany Wolf 1 Reputation point
2024-02-16T21:36:31.4366667+00:00 @ChaitanyaNaykodi-MSFT Sure. Are you saying I should adjust the operator only and leave the defined match value as-is? Thank you.
-
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
2024-02-21T01:12:59.4033333+00:00 @Brittany Wolf
Thank you for getting back. Yes, just adjust the operator to Equal or Contains and keep the value same. Please let me know if this helped or if the request is still getting blocked? -
Brittany Wolf 1 Reputation point
2024-02-28T15:52:40.12+00:00 @ChaitanyaNaykodi-MSFT
Unfortunately no change when adjusting the operator. I had a few more blocks for this today relating to Microsoft_DefaultRuleSet-2.1-XSS-941120. When querying my logs, there are still zero instances showing that my custom rule was observed. What are next steps? Thanks. -
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
2024-03-02T01:51:24.05+00:00 @Brittany Wolf Thank you for getting back. I have made a private message here requesting additional details. Thank you!
Sign in to comment