Front Door WAF - Do custom rules rules hold a higher priority than managed rule sets

Question

Front Door WAF - Do custom rules rules hold a higher priority than managed rule sets

Bill Pratt 20 Microsoft Employee

According to https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview, custom rules rules hold a higher priority than managed rule sets and if there is a custom rule to ALLOW a request, it should bypass the managed rule. I'm observing however that it is not. The priority of this custom rule is set to 2. Do custom rules hold a higher priority than managed rule sets?

Sina Salam 28,046 Reputation points Volunteer Moderator

2026-03-02T13:53:37.82+00:00
Hello Bill Pratt,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Front Door WAF - Do custom rules rules hold a higher priority than managed rule sets.

For clarification of some misconceptions:

Is not about Priority set. “Priority=2 means ‘higher than managed rules’, so managed should be bypassed.” Because priority values are only among custom rules. If the request doesn’t match the custom rule, it won’t bypass. https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules

“If I still see managed-rule hits in logs, managed rules ran.” With Front Door WAF, you can see log entries from managed rules because of parallel rule evaluation optimizations, but enforcement stops at the first custom rule that takes Allow/Block/Redirect. Those extra log hits are cosmetic for that request. - https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/web-application-firewall/ag/custom-waf-rules-overview.md

An ALLOW custom rule will short‑circuit and skip managed rules; many teams expect “allow first, then still check OWASP”, which isn’t how Front Door WAF behaves. The recommended pattern is to invert the logic. This pattern is also documented and echoed in field write‑ups. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning, and https://samcogan.com/be-very-careful-with-allow-rules-in-waf/ gives you more insight.

Now, to fix the issue:

If your intent is truly to bypass managed rules for specific traffic

Make sure the custom rule actually matches the target requests. You have to temporarily set the rule’s action=Log and verify hits in Front Door WAF logs (AzureDiagnostics / WAFLogs). Confirm correct match variable, selector, operator, values, and any transforms. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning

Because custom rules run before managed and stop on Allow, any matching request will not be subjected to managed rules. (Ignore parallel managed-rule log hits for that request, they’re not enforced.) - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules, and https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/web-application-firewall/ag/custom-waf-rules-overview.md

Verify policy mode = Prevention, and verify association to the correct Front Door profile/domains/routes. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal

You will get expected result: For matching requests, the WAF stops at your custom Allow and does not enforce managed rules.

If your real goal is “allowlist IPs but still apply managed protections” Do not use Allow. Instead:

Replace the Allow rule with a Block rule that denies traffic when the IP is not in the list (negated condition).

Example logic: IF client IP NOT IN {your trusted ranges} → Block.

This lets in‑list traffic continue through the pipeline, so managed rules still run. Check the links I provided above for more details.

Keep the rule’s priority early (e.g., 2), action Block, condition NOT IN allowlist.

Requests from allowed IPs don’t match this rule (so no stop), therefore they proceed to managed rules for OWASP/DRS inspection. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning

Validate with WAF logs and, if needed, add narrow exclusions on specific managed rules to remove false positives rather than broad allows. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Hi @ Bill Pratt

Welcome to Microsoft Q&A Platform.

As discussed, offline on Teams, the issue occurs because the managed rule is still blocking the request even though a custom rule is configured.

Based on your current configuration, the custom rule is set with the Equals operator and the match value as /example/path. If you want to use the Equals operator, you must specify the full URI, for example: https://xxxxxxxx:443/example/path instead of only the path /example/path.

If you prefer to match only the path, you should use the Contains operator in the custom rule instead of the Equals operator

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Front Door WAF - Do custom rules rules hold a higher priority than managed rule sets

0 additional answers

Your answer