![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 78%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Azure Web Application Firewall
An Azure service that provides protection for web apps.
278 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Konstantin Kostin
Thank you for reaching out.
Based on my understanding of the question above you have created an exclusion in the WAF policy for Application Gateway, but it only works when you set matchVariable to Request Cookie Keys and not when you set matchVariable to Request Cookie Names. You thought that Names and Keys are interchangeable for the latest versions of WAF, and you need help understanding what you are doing wrong.
Actually, RequestCookieKeys and RequestCookieNames are not interchangeable.
As documented here if we take the examples below:
If the Header is Cookie: etcpasswdtest=hello1 and if you apply an exclusion for matchVariable RequestCookieKeys contains etcpasswd then the key from header above etcpasswdtest gets excluded.
If the Header is Cookie: etcpasswdtest=hello1 and if you apply an exclusion for matchVariable RequestCookieNames contains etcpasswd then the value from the header above hello1 gets excluded.
So actually RequestCookieNames and RequestCookieValues are interchangeable.
Hope this helps! Please let me know if you have any questions, I will gladly continue with our discussion.