@Konstantin Kostin
Thank you for reaching out.
Based on my understanding of the question above, you have created an exclusion in the WAF policy for Application Gateway, but it only works when you set matchVariable to Request Cookie Keys and not when you set matchVariable to Request Cookie Names. You thought that Names and Keys are interchangeable for the latest versions of WAF, and you need help understanding what you are doing wrong.
Actually, RequestCookieKeys and RequestCookieNames are not interchangeable.
As documented here, if we take the examples below:

If the header is Cookie: etcpasswdtest=hello1 and you apply an exclusion for matchVariable RequestCookieKeys contains etcpasswd, then the key from the header above, etcpasswdtest, gets excluded.

If the header is Cookie: etcpasswdtest=hello1 and you apply an exclusion for matchVariable RequestCookieNames contains etcpasswd, then the value from the header above, hello1, gets excluded.
So actually RequestCookieNames and RequestCookieValues are interchangeable.
Hope this helps! Please let me know if you have any questions, I will gladly continue with our discussion.
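
The exclusion behaviour described in the answer above, as an added example that is not part of the original reply and is not Microsoft's code: a simplified Python model (not the WAF engine) that reports which parts of a Cookie header an exclusion removes from inspection and which parts are still inspected. The function names and the second cookie in the sample header are constructed for illustration.

```python
# Simplified model of the cookie exclusion semantics from the answer above.
# Illustrative only: this is not how the WAF engine is implemented.

# Selector match operators, named as in Azure WAF exclusions.
OPERATORS = {
    "Contains": lambda key, sel: sel in key,
    "Equals": lambda key, sel: key == sel,
    "StartsWith": lambda key, sel: key.startswith(sel),
    "EndsWith": lambda key, sel: key.endswith(sel),
}

# Part of a matching cookie that each matchVariable removes from inspection.
EXCLUDED_PART = {
    "RequestCookieKeys": "key",
    "RequestCookieNames": "value",   # behaves like RequestCookieValues
    "RequestCookieValues": "value",
}


def parse_cookie_header(header):
    """Split 'Cookie: a=1; b=2' into [(key, value), ...]."""
    body = header.strip()
    if body.lower().startswith("cookie:"):
        body = body[len("cookie:"):]
    pairs = []
    for item in body.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            pairs.append((key, value))
    return pairs


def apply_exclusion(header, match_variable, operator, selector):
    """Return (excluded, inspected) string lists for one exclusion entry."""
    part = EXCLUDED_PART[match_variable]
    matches = OPERATORS[operator]
    excluded, inspected = [], []
    for key, value in parse_cookie_header(header):
        hit = matches(key, selector)  # the selector is compared with the cookie key
        (excluded if hit and part == "key" else inspected).append(key)
        (excluded if hit and part == "value" else inspected).append(value)
    return excluded, inspected


# Constructed sample: the cookie from the answer plus an unrelated one.
HEADER = "Cookie: etcpasswdtest=hello1; session=abc"
```

Comparing the `inspected` list for each matchVariable shows what the managed rules will still evaluate after the exclusion is in place, which is the part to check when an exclusion appears not to work.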