SukirtiSen-2775 asked

Application Gateway WAF Request Headers configuration

Hi,

We have an application for which we have been receiving complaints of 403 errors at the application gateway level. Now, below is the snapshot of the request headers of the site:
[screen-shot.png: request headers of the site]

So, we want to exclude all WAF blocks if the header contains the word Cookie as shown in the screenshot.
We went to the WAF configuration and added an exclusion rule - request header > equals> Cookie.
But we still received requests which were blocked by the WAF based on evaluating the cookie parameter. One example of a request that was blocked is shown here (this is from the details_message_s field in the WAF access logs):
Warning. Pattern match \"(/\*!?|\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]?-)|([^\-&])#.?[\\s\\r\\n\\v\\f]|;?\\x00)\" at REQUEST_COOKIES:_gtrza ....
Now, we want the WAF NOT to evaluate any rules if the request header contains the term 'Cookie'. We have also tried adding exclusion criteria to request cookies in the WAF configuration, something like request cookies > starts with > _gtrza for this case. This works for this case, but after some days we will get a request being blocked where REQUEST_COOKIES will be something other than _gtrza. Till now we already have more than 10 such cookie exclusion configurations, hence we want the WAF to not evaluate anything that has the term cookie in the header OR something like - request cookies > starts with > * (ALL AND ANY VALUE)

azure-application-gateway

Any suggestions if this will work with setting
Request headers > equals > Cookie:
OR
Request cookie > Equals any
Ref info from MSFT Azure documentation as stated below:
The following are the supported match criteria operators:
• Equals: This operator is used for an exact match. As an example, for selecting a header named bearerToken, use the equals operator with the selector set as bearerToken.
• Starts with: This operator matches all fields that start with the specified selector value.
• Ends with: This operator matches all request fields that end with the specified selector value.
• Contains: This operator matches all request fields that contain the specified selector value.
• Equals any: This operator matches all request fields. * will be the selector value.
In all cases matching is case insensitive and regular expressions aren't allowed as selectors.

Hello @SukirtiSen-2775,

Could you please provide an update on this post?


Kindly let us know if the below helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


1 Answer

RaviVarmanMSFT-5919 answered

Hi @SukirtiSen-2775

If you are configuring an exclusion for a specific cookie, then:
Request cookie name > Equals > Cookiename (Selector)

If you are configuring an exclusion for all cookies, then go with the config below:
Request cookie name > Equals any

Equals any: This operator matches all request fields. * will be the selector value.

Ref: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration

Hope this was helpful. Please let us know in case of any additional questions or concerns.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Sorry for the late answer. Request cookie name > Equals any is correct.

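To make the difference between the two configurations concrete, here is a small model of the exclusion semantics, added as an example and not code from this thread or from Azure. It implements the operator rules quoted above (case insensitive, no regex, Equals any matches every field with * as the selector) and applies them to the target named in a details_message_s value, mapping REQUEST_COOKIES to the Request cookie name match variable, REQUEST_HEADERS to Request header name and ARGS to Request arg name. That mapping, the names TARGET_TO_MATCH_VARIABLE, Exclusion, parse_target, is_excluded and still_blocked, and every log line other than the one quoted in the question are my assumptions or constructed samples. Running it shows why "Request header name equals Cookie" leaves the cookie-based match in place (the header exclusion and the cookie collection are different match variables) while "Request cookie name Equals any" suppresses it, and the same check can be run over exported WAF log messages to see which blocks a proposed exclusion would actually cover.

```python
"""Model of Application Gateway WAF exclusion matching (added example).

Operator semantics follow the documentation text quoted in the question.
The mapping from the log target prefix (e.g. "at REQUEST_COOKIES:_gtrza")
to an exclusion match variable is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed mapping from the target prefix in details_message_s to the
# exclusion match variable that governs it.
TARGET_TO_MATCH_VARIABLE = {
    "REQUEST_COOKIES": "RequestCookieNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
    "ARGS": "RequestArgNames",
}

# Extracts "<prefix>:<field name>" after the word "at" in a WAF detail message.
TARGET_RE = re.compile(r"\bat (REQUEST_COOKIES|REQUEST_HEADERS|ARGS):(\S+)")


@dataclass(frozen=True)
class Exclusion:
    """One exclusion entry: match variable, operator and selector."""
    match_variable: str   # RequestHeaderNames | RequestCookieNames | RequestArgNames
    operator: str         # Equals | StartsWith | EndsWith | Contains | EqualsAny
    selector: str = "*"   # "*" is the selector value for EqualsAny

    def covers(self, match_variable: str, field_name: str) -> bool:
        """True if this exclusion removes the named field from evaluation."""
        if match_variable != self.match_variable:
            return False          # exclusions never cross match variables
        name, sel = field_name.lower(), self.selector.lower()  # case insensitive
        if self.operator == "EqualsAny":
            return True
        if self.operator == "Equals":
            return name == sel
        if self.operator == "StartsWith":
            return name.startswith(sel)
        if self.operator == "EndsWith":
            return name.endswith(sel)
        if self.operator == "Contains":
            return sel in name
        raise ValueError(f"unsupported operator: {self.operator}")


def parse_target(details_message: str) -> Optional[Tuple[str, str]]:
    """Return (match_variable, field_name) for the field a rule matched on."""
    m = TARGET_RE.search(details_message)
    if not m:
        return None
    return TARGET_TO_MATCH_VARIABLE[m.group(1)], m.group(2)


def is_excluded(details_message: str, exclusions: Iterable[Exclusion]) -> bool:
    """True if any exclusion would have stopped this match from being evaluated."""
    target = parse_target(details_message)
    if target is None:
        return False
    return any(e.covers(*target) for e in exclusions)


def still_blocked(messages: Iterable[str], exclusions: Iterable[Exclusion]) -> List[Tuple[str, str]]:
    """Targets from the given log messages that a proposed exclusion set does not cover."""
    exclusions = list(exclusions)
    out: List[Tuple[str, str]] = []
    for msg in messages:
        if not is_excluded(msg, exclusions):
            out.append(parse_target(msg) or ("unparsed", msg))
    return out


# Sample details_message_s values. The first is the line quoted in the
# question; the other two are constructed stand-ins for "some other cookie"
# and for a query-string argument.
SAMPLE_MESSAGES = [
    r"""Warning. Pattern match \"(/\*!?|\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]?-)|([^\-&])#.?[\\s\\r\\n\\v\\f]|;?\\x00)\" at REQUEST_COOKIES:_gtrza ....""",
    r"""Warning. Pattern match \"(constructed)\" at REQUEST_COOKIES:tracking_id .""",
    r"""Warning. Pattern match \"(constructed)\" at ARGS:q .""",
]

if __name__ == "__main__":
    header_only = [Exclusion("RequestHeaderNames", "Equals", "Cookie")]
    all_cookies = [Exclusion("RequestCookieNames", "EqualsAny", "*")]
    print("header exclusion leaves blocked:", still_blocked(SAMPLE_MESSAGES, header_only))
    print("cookie Equals any leaves blocked:", still_blocked(SAMPLE_MESSAGES, all_cookies))
```

Note the trade-off the model makes visible: Equals any on Request cookie name removes every cookie value from inspection, so a rule match such as the SQL comment pattern above would no longer fire for any cookie. Where the problematic cookie names share a prefix, a StartsWith exclusion on that prefix keeps the remaining cookies under evaluation, and running still_blocked over a day of exported log messages before changing the policy shows exactly which matches each candidate exclusion would silence.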