Edit

Configure web application firewall exclusion lists

  • Article

Sometimes Azure Web Application Firewall in Azure Front Door might block a legitimate request. As part of tuning your web application firewall (WAF), you can configure the WAF to allow the request for your application. WAF exclusion lists allow you to omit specific request attributes from a WAF evaluation. The rest of the request is evaluated as normal. For more information about exclusion lists, see Azure Web Application Firewall with Azure Front Door exclusion lists.

An exclusion list can be configured by using Azure PowerShell, the Azure CLI, the REST API, Bicep, Azure Resource Manager templates, and the Azure portal.

Scenario

Suppose you've created an API. Your clients send requests to your API that include headers with names like userid and user-id.

While tuning your WAF, you notice that some legitimate requests were blocked because the user headers included character sequences that the WAF detected as SQL injection attacks. Specifically, rule ID 942230 detects the request headers and blocks the requests. Rule 942230 is part of the SQLI rule group.

You decide to create an exclusion to allow these legitimate requests to pass through without the WAF blocking them.

Create an exclusion

  1. Open your Azure Front Door WAF policy.

  2. Select Managed rules > Manage exclusions.

    Screenshot that shows the Azure portal showing the WAF policy's Managed rules page, with the Manage exclusions button highlighted.

  3. Select Add.

    Screenshot that shows the Azure portal with the exclusion list Add button.

  4. Configure the exclusion's Applies to section:

    Field Value
    Rule set Microsoft_DefaultRuleSet_2.0
    Rule group SQLI
    Rule 942230 Detects conditional SQL injection attempts

  5. Configure the exclusion match conditions:

    Field Value
    Match variable Request header name
    Operator Starts with
    Selector User

  6. Review the exclusion, which should look like the following screenshot:

    Screenshot that shows the Azure portal showing the exclusion configuration.

    This exclusion applies to any request headers that start with the word user. The match condition is case insensitive, so headers that start with User are also covered by the exclusion. If WAF rule 942230 detects a risk in these header values, it ignores the header and moves on.

  7. Select Save.

Define an exclusion selector

Use the New-AzFrontDoorWafManagedRuleExclusionObject cmdlet to define a new exclusion selector.

The following example identifies request headers that start with the word user. The match condition is case insensitive, so headers that start with User are also covered by the exclusion.

$exclusionSelector = New-AzFrontDoorWafManagedRuleExclusionObject `
  -Variable RequestHeaderNames `
  -Operator StartsWith `
  -Selector 'user'

Define a per-rule exclusion

Use the New-AzFrontDoorWafManagedRuleOverrideObject cmdlet to define a new per-rule exclusion, which includes the selector you created in the previous step.

The following example creates an exclusion for rule ID 942230.

$exclusion = New-AzFrontDoorWafManagedRuleOverrideObject `
  -RuleId '942230' `
  -Exclusion $exclusionSelector

Apply the exclusion to the rule group

Use the New-AzFrontDoorWafRuleGroupOverrideObject cmdlet to create a rule group override, which applies the exclusion to the appropriate rule group.

The following example uses the SQLI rule group because that group contains rule ID 942230.

$ruleGroupOverride = New-AzFrontDoorWafRuleGroupOverrideObject `
  -RuleGroupName 'SQLI' `
  -ManagedRuleOverride $exclusion

Configure the managed rule set

Use the New-AzFrontDoorWafManagedRuleObject cmdlet to configure the managed rule set, including the rule group override that you created in the previous step.

The following example configures the DRS 2.0 rule set with the rule group override and its exclusion.

$managedRuleSet = New-AzFrontDoorWafManagedRuleObject `
  -Type 'Microsoft_DefaultRuleSet' `
  -Version '2.0' `
  -Action Block `
  -RuleGroupOverride $ruleGroupOverride

Apply the managed rule set configuration to the WAF profile

Use the Update-AzFrontDoorWafPolicy cmdlet to update your WAF policy to include the configuration you created. Ensure that you use the correct resource group name and WAF policy name for your own environment.

Update-AzFrontDoorWafPolicy `
  -ResourceGroupName 'FrontDoorWafPolicy' `
  -Name 'WafPolicy'
  -ManagedRule $managedRuleSet

Create an exclusion

Use the az network front-door waf-policy managed-rules exclusion add command to update your WAF policy to add a new exclusion.

The exclusion identifies request headers that start with the word user. The match condition is case insensitive, so headers that start with User are also covered by the exclusion.

Ensure that you use the correct resource group name and WAF policy name for your own environment.

az network front-door waf-policy managed-rules exclusion add \
  --resource-group FrontDoorWafPolicy \
  --policy-name WafPolicy \
  --type Microsoft_DefaultRuleSet \
  --rule-group-id SQLI \
  --rule-id 942230 \
  --match-variable RequestHeaderNames \
  --operator StartsWith \
  --value user

Example Bicep file

The following example Bicep file shows how to:

  • Create an Azure Front Door WAF policy.
  • Enable the DRS 2.0 rule set.
  • Configure an exclusion for rule 942230, which exists within the SQLI rule group. This exclusion applies to any request headers that start with the word user. The match condition is case insensitive, so headers that start with User are also covered by the exclusion. If WAF rule 942230 detects a risk in these header values, it ignores the header and moves on.
param wafPolicyName string = 'WafPolicy'

@description('The mode that the WAF should be deployed using. In "Prevention" mode, the WAF will block requests it detects as malicious. In "Detection" mode, the WAF will not block requests and will simply log the request.')
@allowed([
  'Detection'
  'Prevention'
])
param wafMode string = 'Prevention'

resource wafPolicy 'Microsoft.Network/frontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.0'
          ruleSetAction: 'Block'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'SQLI'
              rules: [
                {
                  ruleId: '942230'
                  enabledState: 'Enabled'
                  action: 'AnomalyScoring'
                  exclusions: [
                    {
                      matchVariable: 'RequestHeaderNames'
                      selectorMatchOperator: 'StartsWith'
                      selector: 'user'
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

Next steps

Learn more about Azure Front Door.