This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 62%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
The application gateway has WAF in prevention mode. When there are file download requests from blob storage, these are getting blocked by WAF, applying rules 942450,942340.
The request URL has the Blob SAS token in query string, which is treated as harmful[ WAF log shows SQL Hex Encoding Identified]. Disabling the rule is feasible, but that is vulnerable.
What other way to handle this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 36%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Hello Anand Sowmithiran
I am following up to see if you have checked the answer below. Please let me know if you need further assistance.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Hello Anand Sowmithiran
We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.
Please let us know if you have any questions or concerns. We are happy to assist you.
Hi,
The other option is to use exclusions. Identify common attributes for those requests and create exclusions based on them.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello Anand Sowmithiran
I wanted to follow up and check if you had the opportunity to review the information provided by Stanislav Zhelyazkov in our previous post.
Additionally, I’d like to suggest the following:
Use a Custom WAF Policy with Conditional Exclusions
Instead of disabling the rule globally, you can exclude specific request paths or query parameters from inspection:
/download/*)
sig, se, sp, etc.)This way, the WAF still protects the rest of your app, but ignores SAS tokens where appropriate.
🔧 In Azure Portal: Go to your WAF Policy → Exclusions → Add exclusion for
RequestArgNamesorRequestUri.
Since the blocked requests include SAS tokens in the query string, you can:
sig=)This approach will ensure the WAF skips evaluating those specific rules only when the request meets the exclusion criteria, while maintaining protection for all other traffic.
If you are testing, you can temporarily switch WAF to Detection mode to monitor without blocking. But this is not recommended for production.
Kindly let us know if the above helps or you need further assistance on this issue.
I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
If the above is unclear or you are unsure about something, please add a comment below.
please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.