Azure Gateway WAF policy does not work with Application Gateway

Frank Schullerer 141 Reputation points


if I create a application gateway directly with a WAF V2 configuration like here:


malicious requests are blocked with http code 403 like expected (also seen in logs). Everything works.

But if I create a "Application Gateway WAF policy" and connect it to a Application Gateway like here:



absolutley nothing is blocked (tested with same requets)
and also no block message in the logs. Can someone please give me a hint what I am doing wrong?

Thanks in advance


Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
851 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 17,976 Reputation points Microsoft Employee

    Hello @Frank Schullerer , If I have understood the question correctly, you have associated a WAF policy to your application gateway, but neither of the requests are blocked and no block messages are logged. This issue might be because the WAF policy is not correctly associated properly with App Gateway.

    As per the documentation here the new WAF Policy associated with Ap Gateway must be exactly the same as the current WAF config, meaning every custom rule, exclusion, disabled rule, etc. must be copied into the new Policy you are creating. Once you have a Policy associated with your Application Gateway, then you can continue to make changes to your WAF rules and settings.

    If you don't want to copy everything into a policy that is exactly the same as your current config, you can set the WAF into "force" mode. If this is the case, you run below PowerShell commands and see if the policy is then associated correctly.

       $appgw = Get-AzApplicationGateway -Name <your Application Gateway name> -ResourceGroupName <your Resource Group name>  
       $appgw.ForceFirewallPolicyAssociation = $true  
       $gw = Get-AzApplicationGateway -Name <your Application Gateway name> -ResourceGroupName <your Resource Group name>  
       $policy = Get-AzApplicationGatewayFirewallPolicy -Name <WAF policy name> -ResourceGroupName <your Resource Group name>  
       Set-AzApplicationGatewayFirewallPolicy -InputObject $policy  
       $gw.FirewallPolicy = $policy  
       Set-AzApplicationGateway -ApplicationGateway $gw  

    Hope this helps! Please let me know if the issue still persists, I will be glad to continue with our discussion. Thank you!

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful