Share via

In azure front door WAF policy i ahve created a custom rules with conditions to block the request for particular url based on country(Geo location). It is working as expected but i would like to know accuracy of the waf policy when using geo location

Mohideen Ansari 0 Reputation points
2024-07-25T13:26:55.0733333+00:00

We have azure front door integrated with WAF policy. i have created a custom rules with conditions to block the request for particular url to specific country(Geo location). It is working as expected but i would like to know accuracy of the waf policy when using geo location. Whether it will completely block those ips in that particular location. or there are chances for leakage from that location. I would like to know the percntage of the accuracy, precision and trust. and also would like to know is there any other limitation.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
633 questions
Azure Web Application Firewall
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2024-07-25T16:31:41.98+00:00

    @Mohideen Ansari

    Thank you for reaching out.I understand you have a question regarding the accuracy of geo filtering done by WAF.

    Based on your question above

    Whether it will completely block those ips in that particular location. or there are chances for leakage from that location.

    The block is applied based on the IP to country mapping maintained by Microsoft. If the IP address is from the country you have blocked then the request is completely blocked and there are no leakages.

    I would like to know the percntage of the accuracy, precision and trust. and also would like to know is there any other limitation.

    Currently I do not think a quantified accuracy rate is available or documented publicly.

    As Geo-filtering works based on mapping each request's IP address to a country or region. There might be some IP addresses in the data set that are not yet mapped to a country or region. Hence it is recommended to include the country code ZZ whenever you use geo-filtering. The ZZ country code (or Unknown country) captures IP addresses that aren't yet mapped to a country in our dataset. Use this code to avoid false positives. This is also documented in the Geo-filtering best practices here

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments