Application Gateway v2 WAF - RFI exclusions not working

Marco Lodini 46 Reputation points
2022-07-04T15:34:55.27+00:00

Hi everyone,
We are experiencing some problems in adding exclusions to rule 931130 RFI Attack: Off-Domain Reference.
The logs say something like this:

details_message_s: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..
details_data_s: Matched Data: https://contoso.sharepoint.com/*


Accepted answer
  1. GitaraniSharma-MSFT 45,511 Reputation points Microsoft Employee
    2022-08-04T18:05:02.427+00:00

    Hello @Marco Lodini ,

    I understand that you were experiencing some problems in adding exclusions to rule 931130 RFI Attack: Off-Domain Reference in Application Gateway v2 WAF. The WAF log is as below:
    details_message_s: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..
    details_data_s: Matched Data: https://contoso.sharepoint.com/<sharepoint site and folder path> found within TX:rfi_parameter_args:sharepointfolderurl: contoso.sharepoint.com/<sharepoint site and folder path>

    We discussed this issue offline and collected a HAR file to analyze the issue further. We tried a couple of exclusions but they didn't work. So, we created a support case and, apparently, it was a propagation delay. You ran tests too soon, before the system could update its configuration, and hence the exclusions were not showing up.

    The issue was resolved by excluding the parameter name in the Request Args as below:
    Request args name contains sharepointfolderurl

    Kindly let us know if the above helps or if you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
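Added example, not part of the original thread and not Azure's implementation: a simplified Python model of the check described in the log above (URL-valued argument whose host part does not begin with the Host header) and of a "Request args name contains" exclusion, plus a helper that reads the triggering argument name out of `details_data_s`. The function names, the `(.*)` capture group, the sample host `app.contoso.example` and the sample path are assumptions or constructed values.

```python
import re
from urllib.parse import parse_qsl

# Pattern quoted in details_message_s; capture group written as (.*) here (assumption).
RFI_URL = re.compile(r"^(?i:file|ftps?|https?)://(.*)$")
# Variable named in details_data_s, e.g. TX:rfi_parameter_args:sharepointfolderurl
TX_VAR = re.compile(r"TX:rfi_parameter_(?P<collection>[a-z_]+):(?P<name>[^\s:]+)", re.I)


def offending_variable(details_data):
    """Return (collection, name) of the variable named in a details_data_s value."""
    m = TX_VAR.search(details_data)
    return (m["collection"].lower(), m["name"]) if m else None


def rule_931130_hits(query, host, excluded_name_substrings=()):
    """Model of the rule: names of args holding a URL that is off the Host header."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Model of "Request args name contains <selector>": the arg is not inspected.
        if any(s.lower() in name.lower() for s in excluded_name_substrings):
            continue
        m = RFI_URL.match(value)
        # "Begin With RequestHeaders:host": a URL on the site's own host is allowed.
        if m and not m.group(1).startswith(host):
            hits.append(name)
    return hits


# Constructed sample data shaped like the log lines in the thread.
SAMPLE_LOG = ("Matched Data: https://contoso.sharepoint.com/sites/demo/docs found within "
              "TX:rfi_parameter_args:sharepointfolderurl: contoso.sharepoint.com/sites/demo/docs")
SAMPLE_HOST = "app.contoso.example"
SAMPLE_QUERY = ("sharepointfolderurl=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fdemo%2Fdocs"
                "&return=https%3A%2F%2Fapp.contoso.example%2Fhome&page=2")

if __name__ == "__main__":
    collection, name = offending_variable(SAMPLE_LOG)
    print("log points at:", collection, name)
    print("without exclusion:", rule_931130_hits(SAMPLE_QUERY, SAMPLE_HOST))
    print("with exclusion:   ", rule_931130_hits(SAMPLE_QUERY, SAMPLE_HOST, [name]))
```

The `return` argument is not flagged because its URL starts with the request's own host, which is why only the SharePoint-valued argument needs an exclusion.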

