elundgren asked:

WAF request size 128 kb

Hi,
We have a customer that has some requests that exceed the 128 kb limit.
Are there any plans to increase the limit?
Does the WAF have any value if we turn off the inspection of the request body?
Using Azure Application Gateway v2

azure-application-gateway

GitaraniSharmaMSFT-4262 answered:

Hello @elundgren ,

Welcome to Microsoft Q&A Platform. Thanks for posting your query.

Currently, the default value for request body size is 128 KB. If the customer requires a bigger request body than the threshold, which is 128 KB, they can go ahead and turn the request body inspection knob off and the request body will hit the backend servers without inspection by WAF. Not inspecting the body of a request introduces extra risk because any attack that is passed via the body will not be caught by WAF. It is recommended to inspect the entire request whenever possible.

Another workaround in this case would be to have a global WAF policy applied to the entire Application Gateway, but then set up a specific WAF policy (which disables body inspection) that only applies when the client request hits a specific listener, or a specific URI.
Please refer to: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies#apply-a-per-uri-policy-preview

There are plans to increase this limit and currently, it is in Private preview. There is no definitive ETA for Public preview or GA (General Availability) but the target is most likely by the end of this year. If you are interested in trying out the private preview, do let us know and we can check with the PG team regarding the same.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
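
To see what the scoped-policy workaround in the answer above leaves uninspected, this added example (not from the answer or from Microsoft) resolves the effective WAF policy for each listener and path and lists the scopes where body inspection is off. The gateway layout and policy names are constructed and simplified; `requestBodyCheck` and `firewallPolicy` follow the ARM property names, and the precedence (URI over listener over global) is an assumption.

```python
# Added example: constructed, simplified data, not an Azure export format.
POLICIES = {
    "global": {"policySettings": {"requestBodyCheck": True}},
    "no-body-check": {"policySettings": {"requestBodyCheck": False}},
}
GATEWAY = {
    "firewallPolicy": {"id": "global"},  # gateway-wide policy
    "listeners": [
        {"name": "shop", "pathRules": [
            {"paths": ["/api/upload/*"], "firewallPolicy": {"id": "no-body-check"}},
            {"paths": ["/api/orders/*"]},
        ]},
        # Exemption attached to a whole listener: every path inherits it.
        {"name": "legacy", "firewallPolicy": {"id": "no-body-check"},
         "pathRules": [{"paths": ["/admin/*"]}]},
    ],
}


def policy_id(scope):
    """Return the policy id attached directly to a scope, or None."""
    return (scope.get("firewallPolicy") or {}).get("id")


def effective_policies(gateway):
    """Yield (listener, path, policy id); the most specific policy wins
    (assumed precedence: path rule, then listener, then gateway)."""
    for listener in gateway["listeners"]:
        site = policy_id(listener) or policy_id(gateway)
        yield listener["name"], "*", site
        for rule in listener.get("pathRules", []):
            for path in rule["paths"]:
                yield listener["name"], path, policy_id(rule) or site


def uninspected_scopes(gateway, policies):
    """List scopes with no known policy or with body inspection disabled."""
    findings = []
    for name, path, pid in effective_policies(gateway):
        policy = policies.get(pid)
        if policy is None or not policy["policySettings"]["requestBodyCheck"]:
            findings.append((name, path, pid))
    return findings


if __name__ == "__main__":
    for finding in uninspected_scopes(GATEWAY, POLICIES):
        print("request body NOT inspected:", *finding)
```

In the sample, the per-URI exemption on `shop` exposes only `/api/upload/*`, while the per-listener exemption on `legacy` also removes body inspection from `/admin/*`.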


learn2skills answered:

Hi @elundgren,
The Web Application Firewall maximum request size limit is 128 KB and can't be increased.

Refer to the answered question: the lifted restriction for App Gateway is in private preview, but there are no details on a tentative schedule for public preview or GA availability.

You can also ask the product team via the product feedback form.


If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.



Hi @learn2skills,
Thank you for your quick response.

I'm aware of the current restrictions but I was more wondering if Msft has any plans on making any changes on that.

According to this feedback, this has been in planned state since 2018:
https://feedback.azure.com/forums/217313-networking/suggestions/33557275-azure-application-gateway-waf-mode-increase-limit


Hi,
From MSFT there are no exact details on a tentative schedule; you can request this change from the product team.
