Hello @Richard,
I understand that your WAF (v2) Managed rules are blocking a particular request, and you would like to know how to fix this.
We worked offline to understand the request and the corresponding WAF log that triggered the block; the analysis is below:
From the browser trace, Fiddler and the WAF logs, we found that the block was triggered by the request body, but the request body contained random form data without any consistent key/name.
Until now, you were trying to configure exclusions on the query string data (Request Arg Names / Keys / Values) using consistent values such as OpType, SessionKeepAlive, ControlID, etc., but the form data was evaluated in isolation from the query string, as the trigger was the request body and not the query string.
As mentioned in the Azure WAF documentation, WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation, but the rest of the request is evaluated as normal.
Difference between Exclusion lists and Custom Rules:
Exclusions:
- You define an exclusion based on the 1st parameter in one URL
- Only the specific URL parameter is excluded
- If the URL has 2 parameters, the 2nd parameter is NOT excluded
- The entire request is still processed; validation continues
Custom rule:
- You define a rule based on the URL
- The entire request is allowed/blocked based on the matched rule; validation ends here
- No more rule processing
So, even when you use an exclusion with a matchVariable such as Request Arg Names / Keys / Values and consistent values such as OpType, SessionKeepAlive, ControlID, etc., the form data with random values is not covered: the form data is part of the request body, not the query string, and it is not related to the parameter key/name you configured. On top of that, the request body only contains the random form data; there is no consistent key/name that could be used to create an exclusion for the request body.
Therefore, the only possibilities here are:
- Create a custom rule.
- Disable the managed rule triggering the block.
Since the query string has consistent parameters such as OpType and ControlID, you can create a custom rule to allow such requests to bypass the WAF.
Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview
But you mentioned that you try to avoid custom rules as much as possible and think the better option would be to disable the specific rule.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
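The custom rule suggested above, written out as an added example in the Application Gateway WAF policy `customRules` format (this is not configuration from the answer or from Microsoft's documentation). All match conditions in one custom rule must hold together, so the rule allows only POST requests to one path whose query string carries both OpType and ControlID. The rule name, priority, the POST method and the path `/placeholder-app-path/` are assumptions; replace the path with the actual form-posting page.

```json
{
  "name": "AllowKnownFormPost",
  "priority": 10,
  "ruleType": "MatchRule",
  "action": "Allow",
  "matchConditions": [
    {
      "matchVariables": [ { "variableName": "RequestMethod" } ],
      "operator": "Equal",
      "matchValues": [ "POST" ]
    },
    {
      "matchVariables": [ { "variableName": "RequestUri" } ],
      "operator": "BeginsWith",
      "matchValues": [ "/placeholder-app-path/" ],
      "transforms": [ "Lowercase" ]
    },
    {
      "matchVariables": [ { "variableName": "QueryString" } ],
      "operator": "Contains",
      "matchValues": [ "optype=" ],
      "transforms": [ "Lowercase" ]
    },
    {
      "matchVariables": [ { "variableName": "QueryString" } ],
      "operator": "Contains",
      "matchValues": [ "controlid=" ],
      "transforms": [ "Lowercase" ]
    }
  ]
}
```

Custom rules are evaluated before the managed rule set in priority order, and an Allow match ends evaluation for that request, so keep the conditions as narrow as the consistent parts of the request permit. A rule that checks only the query string would let any request carrying those parameter names through, which is a much wider gap than disabling a single managed rule for one path.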