278 questions with Azure Web Application Firewall tags

1 answer One of the answers was accepted by the question author.

XSS Filter - Category 3: Attribute Vector

This error is coming in Azure WAF logs, so is it a false promise or a correct promise, and how to identify it? How to resolve this issue, any idea?

Azure Web Application Firewall
asked 2023-12-21T09:23:28.09+00:00
Sharanaiyya Swami 30 Reputation points
accepted 2024-01-08T07:23:50.69+00:00
Sharanaiyya Swami 30 Reputation points
0 answers

How to fix Failed to parse request body, Multipart request body failed strict validation

This error is coming in Azure WAF logs, so is it a false promise or a correct promise, and how to identify it? How to resolve this issue, any idea?

Azure Web Application Firewall
asked 2023-12-14T06:48:42.2366667+00:00
Sharanaiyya Swami 30 Reputation points
commented 2024-01-02T13:04:27.82+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
1 answer

Request Header Cookies Exclusion Causes 403

We need to exclude request cookies from evaluation for a number of OWASP rules as cookies often randomly generate threats that are false positives for legitimate users. There is no clear documentation on how to exclude REQUEST_COOKIES, so we tried adding…

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
962 questions
Azure Web Application Firewall
asked 2023-12-26T20:21:16.69+00:00
Justin Griep 41 Reputation points
commented 2024-01-02T10:29:45.6033333+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Confused by Azure WAF behavior with different browsers

Hello, I have an Azure Application Gateway (WAF) on which prevention mode is enabled and the OWASP 3 and the Microsoft Bot rules are activated. I checked my web application with Chrome, refreshed, and sent many requests with Chrome. Now I received 403…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-12-20T23:28:57.28+00:00
Mohsen Akhavan 936 Reputation points
accepted 2023-12-22T21:14:38.7266667+00:00
Mohsen Akhavan 936 Reputation points
1 answer

False positives elimination in Azure WAF

Hello, we have adopted Azure WAF in our environment. As of now WAF is in detection mode and we want to move it to prevention mode, but before doing it we want to identify which detections are legitimate and which are not. We have Sentinel workbooks to…

Azure Web Application Firewall
asked 2023-12-07T09:16:58.44+00:00
Kondlyada, Navaneeth Reddy 0 Reputation points
commented 2023-12-14T12:21:13.5466667+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
2 answers One of the answers was accepted by the question author.

WAF drop silently instead of returning 403

Hi, is it possible, when using WAF, to silently drop requests coming from forbidden clients instead of returning 403? We are using custom rules, where allowed IP addresses are described. So all requests from remote locations which aren't in the allowed list,…

Azure Web Application Firewall
asked 2023-12-08T15:25:45.0766667+00:00
Volodymyr Litovka 121 Reputation points
commented 2023-12-13T12:33:25.0033333+00:00
Volodymyr Litovka 121 Reputation points
1 answer One of the answers was accepted by the question author.

How to make an exception to the "920440 - URL file extension is restricted by policy" rule in some use cases without decreasing security or risk?

Sometimes the app and client need to download some DLL files and the WAF blocked the request based on the "920440 - URL file extension is restricted by policy" rule. Shown in the sample log below: requestUri_s:…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-12-08T23:42:41.3366667+00:00
Mohsen Akhavan 936 Reputation points
edited a comment 2023-12-12T22:13:43.4033333+00:00
Mohsen Akhavan 936 Reputation points
2 answers One of the answers was accepted by the question author.

Why does WAF block WebResource.axd / ScriptResource.axd?

In rule Microsoft_DefaultRuleSet-2.1-PROTOCOL-ENFORCEMENT-920440, among other things, it blocks WebResource.axd and ScriptResource.axd. The blocks are probably due to CVE-2010-3332, which has long since been patched. Why does WAF still have this as a…

Azure Web Application Firewall
asked 2023-02-26T04:13:27.6133333+00:00
Steve Wardell 21 Reputation points
answered 2023-12-05T08:51:33.7933333+00:00
Adam Page 0 Reputation points
1 answer One of the answers was accepted by the question author.

How to resolve 403 errors for a service after changing WAF policy to protection mode?

We created a WAF policy with DETECTION mode on an application gateway but had to change it to PROTECTION mode as per security rules. Since then, there are 403 errors for one service. How can we resolve this issue?…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-11-17T15:32:13.0766667+00:00
Muthuramalingam, Bhuvaneswari 20 Reputation points
accepted 2023-12-05T07:14:55.34+00:00
Muthuramalingam, Bhuvaneswari 20 Reputation points
1 answer

WAF v2 - Exclusion lists

Hi, I configured an Application Gateway with Web Application Firewall in Azure. I am receiving several false positive blocks for the application that communicates with the gateway. I checked the Microsoft tutorial on the exclusion list, but I'm not sure…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-11-28T17:09:07.2466667+00:00
000 0 Reputation points
commented 2023-12-01T14:47:27.0866667+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
1 answer

Azure WAF success stories

Where can I find a report looking back two years on Azure WAF success stories?

Azure Web Application Firewall
asked 2023-11-26T21:04:11+00:00
Obinze Asagwara 0 Reputation points
commented 2023-11-30T06:20:41.3033333+00:00
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Azure WAF Exclusion Issue

Hi, I'm trying to whitelist a request on the WAF. I have gone through the Microsoft URL and I know how to manage exclusions, yet the exclusion keeps failing. Below is the request I need to add. Below is my exclusion policy.

Azure Web Application Firewall
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
986 questions
asked 2023-11-27T10:39:13.7566667+00:00
HarshM 20 Reputation points
accepted 2023-11-29T10:46:18.26+00:00
HarshM 20 Reputation points
0 answers

How to associate WAF to an existing Application Gateway using REST API

Hello team, We have an existing application gateway, and I want to automate associating a WAF policy on this existing gateway. I am using Ansible URI module to achieve this, hence exploring API for WAF Association. I want to achieve association using…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-11-22T17:43:21.6133333+00:00
Ravalia Krutika Harishbhai 40 Reputation points
commented 2023-11-28T02:00:17.45+00:00
ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Azure Gateway File Upload Limits (4GB) even if Policy to inspect body is disabled or exclusion rules applied

We are receiving the following HTTP errors when uploading files larger than 4GB. 413 Request Entity Too Large 413 Request Entity Too Large Microsoft-Azure-Application-Gateway/v2 According to official MS Azure documentation* it states the…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-11-21T02:48:21.9733333+00:00
Henk Ve 20 Reputation points
accepted 2023-11-28T01:26:08.25+00:00
Henk Ve 20 Reputation points
2 answers One of the answers was accepted by the question author.

We cannot see the request in the firewall logs from Application Gateway

When we send the request from Postman, the API request succeeds and is also seen in the database (SSMS) and Application Gateway, but we cannot see the request in the firewall logs. What is the issue and how to solve this error? We are using the query below in…

Azure Application Gateway
Azure Web Application Firewall
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters. ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
111 questions
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,911 questions
asked 2023-11-03T12:25:26.3333333+00:00
Mayank Jain 260 Reputation points
accepted 2023-11-23T13:00:25.92+00:00
Mayank Jain 260 Reputation points
1 answer One of the answers was accepted by the question author.

How to disable a specific OWASP 3.2 rule for a specific URI in Azure WAF v2

Hello, I need to ignore a specific OWASP rule in my WAF V2. I have multiple requests with different request URIs, for example, https://www.example.com/abc/def/xy In add exclusion, WAF considers just the "Request headers," "Cookie,"…

Azure Application Gateway
Azure Web Application Firewall
asked 2023-11-17T13:33:35.8733333+00:00
SLIMANI Smail OBS/DD 40 Reputation points
accepted 2023-11-22T09:50:30.0633333+00:00
SLIMANI Smail OBS/DD 40 Reputation points
1 answer

How do we configure alerts for Azure Web Application Firewall?

Hello, we are trying to configure alerts for Azure WAF, mostly focusing on the blockers: when there is a blocker on the firewall due to a request, we have to receive alerts and information. Any suggestions could be helpful. Thanks.

Azure Web Application Firewall
asked 2023-11-08T10:38:22.6466667+00:00
rohith v 0 Reputation points
commented 2023-11-21T14:08:59.4133333+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
1 answer

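From China, SSH login to the Microsoft cloud server works, but web pages cannot be accessed

From China, SSH login to the Microsoft cloud server works, but web pages cannot access the web service hosted on the Microsoft cloud server,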

Azure Web Application Firewall
asked 2023-11-20T11:41:39.45+00:00
均 杨 0 Reputation points
answered 2023-11-21T02:51:33.3766667+00:00
ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
1 answer

Azure Web Application Firewall- Microsoft_BotManagerRuleSet_1.0

This post is regarding the Azure WAF unknown bots and its rules. At the moment for us, rule ID 300700 'other bots' is being logged with errors for various APIs. I didn't see any information. Can anyone with more inputs on the existing issue will be…

Azure Web Application Firewall
asked 2023-11-08T07:31:22.3733333+00:00
rohith v 0 Reputation points
commented 2023-11-13T16:39:52.5766667+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Best Approach to Restrict Browser Access to Azure Web App Services' Backend while Permitting Front-end and API Requests through Application Gateway with WAF

We have a setup consisting of Azure Web App Services for both front-end and back-end operations, integrated with an Application Gateway and a single Web Application Firewall (WAF) configured in a multitenant environment. Our primary concern is…

Azure Application Gateway
Azure Web Application Firewall
Azure App Service
asked 2023-11-01T07:14:08.81+00:00
sindhu sneha 150 Reputation points
commented 2023-11-09T19:42:58.2366667+00:00
GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee