Configure custom response code and body for Azure Application Gateway WAF

By default, when Azure Web Application Firewall (WAF) on Azure Application Gateway blocks a request due to a matched rule, it returns a 403 status code with the message "The request is blocked." You can customize the response by configuring a custom status code and message to better suit your use case.

This article shows you how to use the Azure portal to configure the custom response that Azure Application Gateway's Web Application Firewall (WAF) returns when it blocks a request. You can also configure custom responses using the Azure CLI or PowerShell.

Important

Custom response in Azure Application Gateway Web Application Firewall (WAF) is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Configure a custom response status code and message

To customize the response status code and body, take the following steps:

  1. Go to your Application Gateway WAF policy in the Azure portal.

  2. Under Settings, select Policy settings.

  3. Enter the custom response status code and response body in Block response status code and Block response body respectively.

    Screenshot that shows Azure Web Application Firewall policy settings.

  4. Select Save.

In this example, we changed the default 403 response code to 429 and set a brief message stating, "The request has been blocked."

Screenshot that shows a custom response example.

Limitations

The following limitations apply when configuring custom responses for Azure Application Gateway WAF:

  • You can enable up to 20 WAF policies with custom block response status code and body within one Application Gateway.
  • You can use one of the following custom status codes: 200, 403, 405, 406, 429, 990, 991, 992, 993, 994, 995, 996, 997, 998, 999.
  • The maximum size for the custom block response body is 32 KB.
  • You must use base64 encoding for the custom block response body when you use Azure Resource Manager (ARM) API.
  • Custom block response status code and body aren't supported on Application Gateway for Containers WAF.
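The portal steps above set the status code and body directly, but the limitations list matters most when you automate the setting: the ARM API wants the body base64-encoded, only the listed status codes are accepted, and the body is capped at 32 KB. The following shell script is an added example, not from this article or from Microsoft: it validates a requested code and body against those limits, base64-encodes the body, and emits a JSON fragment for the policy's policySettings. The property names customBlockResponseStatusCode and customBlockResponseBody are an assumption about the WAF policy ARM schema; check them against the current API reference before merging the fragment into a template or REST call.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): build the ARM policySettings fragment for
# a custom WAF block response while enforcing the limits documented for the feature.
set -eu

# Status codes the article lists as permitted for the custom block response.
ALLOWED_STATUS_CODES="200 403 405 406 429 990 991 992 993 994 995 996 997 998 999"
MAX_BODY_BYTES=$((32 * 1024))   # documented maximum body size: 32 KB (raw bytes)

# is_allowed_status CODE -> succeeds only if CODE is in the permitted list
is_allowed_status() {
  local code="$1" c
  for c in $ALLOWED_STATUS_CODES; do
    [ "$c" = "$code" ] && return 0
  done
  return 1
}

# body_size_ok BODY -> succeeds if the raw (pre-encoding) body is within 32 KB
body_size_ok() {
  local n
  n=$(( $(printf '%s' "$1" | wc -c) ))   # arithmetic strips wc's padding
  [ "$n" -le "$MAX_BODY_BYTES" ]
}

# encode_body BODY -> single-line base64, as required when using the ARM API
encode_body() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# policy_settings_json CODE BODY -> JSON fragment on stdout, non-zero on a limit violation.
# Property names are an assumption about the WAF policy ARM schema.
policy_settings_json() {
  local code="$1" body="$2"
  is_allowed_status "$code" || { echo "status code $code is not permitted" >&2; return 1; }
  body_size_ok "$body"      || { echo "body exceeds ${MAX_BODY_BYTES} bytes" >&2; return 1; }
  printf '{"policySettings":{"customBlockResponseStatusCode":%s,"customBlockResponseBody":"%s"}}' \
    "$code" "$(encode_body "$body")"
}

# Usage: the article's example, 429 with a short message (message is constructed sample text).
policy_settings_json 429 "The request has been blocked."
echo
```

Run the script on its own to print the fragment for the article's 429 example; it exits non-zero, with a message on stderr, if a status code outside the permitted list or a body over 32 KB is supplied, which is the check worth running before a pipeline submits the policy.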