Configure a custom response for Azure Web Application Firewall

By default, when Azure Web Application Firewall (WAF) with Azure Front Door blocks a request because of a matched rule, it returns a 403 status code with the message "The request is blocked". This article describes how to configure a custom response status code and response message for requests that WAF blocks.

Set up your PowerShell environment

Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.

You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page to sign in with your Azure credentials and install the Az PowerShell module.

Connect to Azure with an interactive dialog for sign-in

# Install the Az module first; Connect-AzAccount is provided by it
Install-Module -Name Az
Connect-AzAccount

Make sure you have the current version of PowerShellGet installed. Run the following command, then reopen PowerShell.

Install-Module PowerShellGet -Force -AllowClobber

Install Az.FrontDoor module

Install-Module -Name Az.FrontDoor

Create a resource group

In Azure, you allocate related resources to a resource group. In this example, you create a resource group by using New-AzResourceGroup.

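# -Location is a required parameter; eastus is an example region, substitute your own
New-AzResourceGroup -Name myResourceGroupWAF -Location eastus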

Create a new WAF policy with custom response

The following example uses New-AzFrontDoorWafPolicy to create a new WAF policy with the custom response status code set to 405 and the message set to "You are blocked."

# WAF policy setting
# Note: in Detection mode WAF only logs rule matches and does not block,
# so the custom response is returned only once the policy runs in Prevention mode.
New-AzFrontDoorWafPolicy `
-Name myWAFPolicy `
-ResourceGroupName myResourceGroupWAF `
-EnabledState enabled `
-Mode Detection `
-CustomBlockResponseStatusCode 405 `
-CustomBlockResponseBody "<html><head><title>You are blocked.</title></head><body></body></html>"

To modify the custom response code or response body of an existing WAF policy, use Update-AzFrontDoorWafPolicy.

# modify WAF response code
Update-AzFrontDoorWafPolicy `
-Name myWAFPolicy `
-ResourceGroupName myResourceGroupWAF `
-EnabledState enabled `
-Mode Detection `
-CustomBlockResponseStatusCode 403

# modify WAF response body
Update-AzFrontDoorWafPolicy `
-Name myWAFPolicy `
-ResourceGroupName myResourceGroupWAF `
-CustomBlockResponseBody "<html><head><title> Forbidden</title></head><body></body></html>"
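After creating or updating a policy, it is worth confirming that the custom block response will actually be served. The following check is an added example, not part of the original article or the Az.FrontDoor module: the function name Test-WafCustomBlockResponse is hypothetical, the property names are assumed to match the objects returned by Get-AzFrontDoorWafPolicy, and the sample objects are constructed.

```powershell
# Added example: flag WAF policy settings that keep the custom block
# response from being served. Property names are assumed to match the
# objects returned by Get-AzFrontDoorWafPolicy.
function Test-WafCustomBlockResponse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,
        [int]$ExpectedStatusCode = 403
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # String interpolation lets the comparison work for enums and strings alike.
        if ("$($Policy.PolicyEnabledState)" -ne 'Enabled') {
            $findings.Add('policy is disabled, so no rule is evaluated')
        }
        if ("$($Policy.PolicyMode)" -ne 'Prevention') {
            $findings.Add('mode is not Prevention, so matches are logged but not blocked')
        }
        if ($Policy.CustomBlockResponseStatusCode -ne $ExpectedStatusCode) {
            $findings.Add("status code is '$($Policy.CustomBlockResponseStatusCode)', expected $ExpectedStatusCode")
        }
        if ([string]::IsNullOrWhiteSpace($Policy.CustomBlockResponseBody)) {
            $findings.Add('no custom body is set, so the default message is returned')
        }

        [pscustomobject]@{
            Name            = $Policy.Name
            BlockPageActive = ($findings.Count -eq 0)
            Findings        = $findings -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-AzFrontDoorWafPolicy output.
$samples = @(
    [pscustomobject]@{ Name = 'myWAFPolicy'; PolicyEnabledState = 'Enabled'; PolicyMode = 'Detection'
                       CustomBlockResponseStatusCode = 405; CustomBlockResponseBody = '<html>...</html>' }
    [pscustomobject]@{ Name = 'samplePreventionPolicy'; PolicyEnabledState = 'Enabled'; PolicyMode = 'Prevention'
                       CustomBlockResponseStatusCode = 405; CustomBlockResponseBody = '<html>...</html>' }
    [pscustomobject]@{ Name = 'sampleNoBodyPolicy'; PolicyEnabledState = 'Enabled'; PolicyMode = 'Prevention'
                       CustomBlockResponseStatusCode = 403; CustomBlockResponseBody = $null }
)

$samples | Test-WafCustomBlockResponse -ExpectedStatusCode 405 | Format-List
```

Against a live subscription, pipe the output of Get-AzFrontDoorWafPolicy -Name myWAFPolicy -ResourceGroupName myResourceGroupWAF into the function instead of the sample objects.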
