Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
960 questions
Why in the WAF V2 do I get a log file stating that the request was blocked but in the application the request was successful and the record was updated?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 81%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Derek Green
0
Reputation points
I have a rule 941320 triggering when posting putgroup into a web application. I understand why this is, it is because it has HTML tags in the payload. The bit I don't understand is why the firewall logs show this request as blocked in the log files but the data is still posted to the app. It is definitely using the correct WAF policy and I also changed the behaviour to block encase it was something to do with the anomaly scoring, there are also no custom rules just the managed OWASP 3.2 rule set with no exclusions. I am not overly technical but learning, can anyone answer this riddle.
{count} votes
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee2024-03-26T11:37:47.8233333+00:00 Hello @Derek Green ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that your Application gateway WAF log is showing a request as blocked but the request is still allowed to the backend.
- Could you please confirm that it is the rule 941320? There is an active bug related to rules 920420 and 920470, where some unsupported content-types are being allowed through WAF 3.2, although they should have been blocked.
- Could you please share the WAF log showing the blocked action?
- How are you validating that this particular blocked request from the log is being allowed to the backend?
As mentioned in the Azure WAF documentation,
The message that's logged when a WAF rule matches traffic includes the action value "Matched." If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value "Blocked" and the request will be stopped. However, if the WAF policy is running in Detection mode, the request will trigger the action value "Detected" and the request will be logged and passed to the backend.
As the WAF parses a request through the multiple WAF rules that make up the CRS, it keeps track of the rules that fire and adds the score of each rule to compute the total anomaly score for a request. The WAF will then compare the request anomaly score with an inbound risk score rule threshold. If the score exceeded, the request is more likely to be malicious, otherwise the request is judged to be safe.
Specific packets may hit one or more rules on the WAF. Each rule being hit has a different "Severity". If a packet is hitting more than one rule, the anomaly score of each of these rules is taken into account, and the sum is calculated and if the sum exceeds 5 points, the packet/request is blocked.
So, you cannot look at a single Matched log to find if it was allowed/blocked.
You can understand the WAF logs better by referring to the below doc:
You should filter your Azure WAF logs using the "
transactionId" parameter.transactionIdis a Unique ID for a given transaction which helps group multiple rule violations that occurred within the same request.AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | where transactionId == "16861477007022634343" <--- replace this GUID with the one in your log.If the same
transactionIdshows hit by more than one WAF rules and shows matched in the initial logs, WAF will calculate the sum of all the rules hit and if the sum exceeds 5 points, the packet/request will be blocked in the Prevention mode and detected in the Detection mode.But if the transactionId shows only hit by a single WAF rule whose anomaly score is less than 5, then it will be allowed.
Regards,
Gita
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2024-04-02T17:05:47.79+00:00 @Derek Green , Could you please provide an update on this post?
Sign in to comment