Azure WAF Whitelist requesturi

Question

Azure WAF Whitelist requesturi

Michael Broadhead 21

Hello,

I have been monitoring the Azure WAF logs using the Azure Log Analytics Workspace.
Frequently I see many false positives that I need to prevent, such requests are needed to ensure my app works.
Currently the only solution I have found is to disable the associated OWASP Rule.

I would however like to find a way of re-enabling these OWASP rules and whitelisting the affected requests.

All affected requests show the received requesturi.

My question is how do I whitelist a requesturi? for example /ABCDEFG/Appfolder/SaveGroup.

Thank you

Accepted answer

0 additional answers

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @Anonymous ,

If you use Azure Application Gateway Web Application Firewall (WAF) v2 SKU, then you can make use of custom rules to achieve your requirement. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. Custom rules in WAF v2 will allow you to block RequestUri variables.

For more details, please refer the below docs:
https://learn.microsoft.com/en-gb/azure/web-application-firewall/ag/custom-waf-rules-overview
https://learn.microsoft.com/en-gb/azure/web-application-firewall/ag/create-custom-waf-rules#example-6

If you use Azure Application Gateway Web Application Firewall (WAF) SKU, you can opt for WAF exclusion lists. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. Once an attribute is added to the WAF exclusion list, it isn't considered by any configured and active WAF rule. Exclusion lists are global in scope. And this is helpful in excluding attributes which may trigger a false positive from the WAF rules. The exclusion lists remove inspection of the field's value and some of them are as below:
Request Headers, Request Cookies, Form field name, JSON entity & URL query string args.

For more details, please refer the below docs: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#waf-exclusion-lists
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#fixing-false-positives

In case you are using WAF v1 SKU and the exclusion list feature doesn't help you achieve your requirement, you may try migrating to WAF v2 and use custom rules. If you want to migrate from v1 to v2 SKU, follow the steps in the below article:
https://learn.microsoft.com/en-us/azure/application-gateway/migrate-v1-v2

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Michael Broadhead 21 Reputation points

2022-01-07T12:48:22.117+00:00
Thank you,

So I'm to assume that in order to whitelist a requesturi such as as /ABCDEFG/Appfolder/SaveGroup, it must be done using Powershell as per the following link you provided:
https://learn.microsoft.com/en-gb/azure/web-application-firewall/ag/create-custom-waf-rules#example-6

As I see the only available exclusions using the portal are:

Request header name

Request cookie name

Request attribute name

Thank you
Michael Broadhead 21 Reputation points

2022-01-07T14:11:27.197+00:00

Further to this I have seen the new 'Azure WAF Policy' resource that can be used for custom rule creation including the management of requesturi etc.
I believe this may help in this situation
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-01-07T14:26:28.023+00:00

Hello @Anonymous ,

The example you are referring uses Custom rules from WAF v2 SKU and it can configured via Azure portal as well.
Refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag#custom-rules

If you are using WAF/WAF v1 SKU, then you can set the exclusion list as per the below example:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#example-2
However, the exclusion lists only remove inspection of the field's value for URL query string args.
As shown in example,
if the URL http://www.contoso.com/?user%281%29=fdafdasfda is passed to the WAF, it won't evaluate the string fdafdasfda, but it will still evaluate the parameter name user%281%29.

From your query, it looks like you want to whitelist a requesturi such as as /ABCDEFG/Appfolder/SaveGroup which belongs to the path of an URL, and not to query arguments. Query arguments follow the ? in the url, as example: https://www.microsoft.com/this_is_the_path?this_is_a_query_argument=1

So, WAF exclusion list may not be of help in your case. And it would be a better to migrate to WAF v2 SKU and use custom rules.
If you are already using WAF v2 SKU, then associate a WAF policy and configure custom rules with request uri block as below:

Regards,
Gita
Dharma Teja Peesapati 0 Reputation points

2023-07-14T16:16:44.0966667+00:00

Hi @GitaraniSharma-MSFT , I'm also have the requirement to whitelist few URLs (8-15) in Azure WAF. I tried configuring a custom rule in which the to allow the URI but it's getting blocked and getting the error 403- Forbidden. Is there any way to fix this. I'm even open for a call to show the demo. We need to implement this to perform further testing by application teams.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-07-17T15:11:01.1866667+00:00

@Dharma Teja Peesapati , could you please share the WAF log which shows the block and the screenshot of the custom rule created by you?

Share via

Azure WAF Whitelist requesturi

0 additional answers

Your answer