WAF v2 - Exclusion lists

000 0 Reputation points
2023-11-28T17:09:07.2466667+00:00

Hi,

I configured an Application Gateway with Web Application Firewall in Azure.

I am receiving several false positive blocks for the application that communicates with the gateway.

I checked the Microsoft tutorial on the exclusion list, but I'm not sure what the recommended ways are to perform the analysis and release these false positives.

The blocks are falling into the categories of APPLICATION-ATTACK-SQLI and BLOCKING-EVALUATION.

Could you tell me how and what the best strategy is, also thinking about security and how to treat these false positives, and exclusion rules within the WAF?

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

Thanks in advance
Regards,


1 answer

  1. GitaraniSharma-MSFT 48,196 Reputation points Microsoft Employee
    2023-11-29T08:22:36.36+00:00

    Hello @000 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are receiving several false positive blocks for your Application gateway WAF v2 and would like to know the recommended ways to perform the analysis and fix these false positives.

    First you need to make sure that the diagnostic setting is enabled on the Application gateway to collect the WAF logs.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics#azure-monitor

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs

    To check the WAF logs, please refer to:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/log-analytics

    Once you get the logs, you can refer to the document below to understand the WAF logs:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#understanding-waf-logs

    It's entirely normal, and expected in many cases, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives. Per-site and per-URI policies allow for these changes to only affect specific sites/URIs.

    So, once you find the requests in the logs which are causing the false positives, you can create exclusions or custom rules or disable the rule entirely depending upon the scenario.

    Exclusions: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

    Custom rules: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules

    If you need help in configuring an exclusion rule, please share the WAF log which is blocking the request, and we could formulate the exclusion rule for the same.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

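The log-review step described in the answer, as an added example that is not part of the original thread or Microsoft's code: it groups firewall log records by transaction and counts which rule and request attribute matched in requests that ended in a BLOCKING-EVALUATION block, which is the information a narrowly scoped exclusion needs. The record layout (`properties.ruleId`, `action`, `transactionId`, `details.data`, `details.file`) is assumed to follow the Application Gateway firewall log format, and the sample records are constructed.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed records shaped like Application Gateway firewall log entries
# (field layout is an assumption; all values are made up for this example).
SAMPLE_LOG = """\
{"properties":{"transactionId":"tx-a","requestUri":"/api/comments?id=7","ruleId":"942130","action":"Matched","details":{"data":"Matched Data: 1=1 found within ARGS:comment: 1=1","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"}}}
{"properties":{"transactionId":"tx-a","requestUri":"/api/comments?id=7","ruleId":"949110","action":"Blocked","details":{"data":"","file":"rules/REQUEST-949-BLOCKING-EVALUATION.conf"}}}
{"properties":{"transactionId":"tx-b","requestUri":"/api/comments","ruleId":"942130","action":"Matched","details":{"data":"Matched Data: a=a found within ARGS:comment: tip: a=a","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"}}}
{"properties":{"transactionId":"tx-b","requestUri":"/api/comments","ruleId":"942430","action":"Matched","details":{"data":"Matched Data: (;'--) found within ARGS:comment: (;'--)","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"}}}
{"properties":{"transactionId":"tx-b","requestUri":"/api/comments","ruleId":"949110","action":"Blocked","details":{"data":"","file":"rules/REQUEST-949-BLOCKING-EVALUATION.conf"}}}
{"properties":{"transactionId":"tx-c","requestUri":"/login","ruleId":"942100","action":"Matched","details":{"data":"Matched Data: sel found within REQUEST_COOKIES:session: sel","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"}}}
"""

# "found within ARGS:comment: ..." -> collection "ARGS", attribute name "comment"
VAR_RE = re.compile(r"found within ([A-Z_]+):(.+?): ")

def exclusion_candidates(log_text):
    """Count (ruleId, collection, attribute, path) for rules that matched
    inside transactions that were actually blocked."""
    matches = defaultdict(list)  # transactionId -> matched rule tuples
    blocked = set()              # transactionIds that ended in a block
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = json.loads(line)["properties"]
        details = p.get("details", {})
        if "BLOCKING-EVALUATION" in details.get("file", "") and p["action"] == "Blocked":
            blocked.add(p["transactionId"])
            continue
        m = VAR_RE.search(details.get("data", ""))
        if p["action"] == "Matched" and m:
            path = p["requestUri"].split("?", 1)[0]  # drop the query string
            matches[p["transactionId"]].append((p["ruleId"], m.group(1), m.group(2), path))
    counts = Counter()
    for tx in blocked:
        counts.update(set(matches[tx]))  # count each rule once per transaction
    return counts

if __name__ == "__main__":
    for (rule, coll, name, path), n in exclusion_candidates(SAMPLE_LOG).most_common():
        print(f"{n} blocked request(s): rule {rule} on {coll}:{name} at {path}")
```

A rule and attribute pair that recurs on the same path for known-legitimate traffic is a candidate for an exclusion limited to that rule and attribute, which leaves the rest of the rule set in force.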