Questions tagged [azure-waf]
Azure Web Application Firewall adds better web application security to layer 7 Azure Application Gateway service and is available in all Azure public regions.
77 questions
14 votes, 4 answers, 15k views
Azure Front Door WAF is blocking .AspNet.ApplicationCookie
I'm wondering if anyone else has had this issue with Azure Front Door and the Azure Web Application Firewall and has a solution.
The WAF is blocking simple GET requests to our ASP.NET web application....
9 votes, 0 answers, 2k views
Azure Gateway WAF - Diagnostics Issue
I'm trying to set up Azure WAF (v2) on my App Gateway (currently in detection mode first to handle false positive cases), however, I'm seeing this warning:
To view your detection logs, you must have ...
4 votes, 1 answer, 7k views
How to whitelist an ip address in Azure WAF
I have an Azure Application Gateway Web Application Firewall using the OWASP 3.0 ruleset. I created a custom policy so I could create a custom rule which simply allows traffic if it's from a specific ...
4 votes, 0 answers, 897 views
How to prevent false positive block in Azure WAF for password field
I'm using Azure Front door with a web application firewall policy. Managed rule set 1.0 is configured.
It all works pretty well, apart from the password field in the login page of my web site. I see ...
4 votes, 0 answers, 4k views
Azure Application Gateway WAF: HTTP Error 400. The size of the request headers is too long
We've got an application hosted on a VM in Azure, which is behind a WAF that we've got a lot of trouble with for some users.
Some users are plagued by the HTTP Error 400. The size of the request ...
2 votes, 2 answers, 1k views
SQL Server Reporting Services (SSRS) web portal not working with Azure Application Gateway v2
Has anyone had luck getting SSRS to work when behind a v2 Azure Application Gateway? The site loads, but randomly prompts for authentication and fails to render part of the site properly.
I first ...
2 votes, 0 answers, 125 views
Azure WAF rule blocks image upload request from application but allows from PostMan [closed]
Environment: We have a Windows application installed in the customer agents machine, a feature of this application is to upload images to the server via http post. These requests go through Azure ...
2 votes, 0 answers, 874 views
How to accept request body in base64 and convert to json before it reaches RestController in Spring boot
The Azure WAF is giving a SQL injection rule match and rejecting with 403 if my request body in JSON has any SQL keywords or special characters, and we cannot disable the rule by our company policy.
I ...
1 vote, 2 answers, 1k views
How to set Azure Web Application Firewall (WAF) logs via Terraform?
I am trying to do this, via Terraform code:
However, I cannot find how. Is it some obscure resource, or is it not implemented at all?
1 vote, 1 answer, 1k views
Error in adding subnet while creating WAFV2 application gateway in azure
While adding subnet for creating a WAFV2 application gateway in azure, I tried to use the subnet used in WAFV1 gateway.
But it is showing an error "Subnet does not support application gateway ...
1 vote, 2 answers, 1k views
Implement Azure WAF IP Restriction on specific sub-domains
We have a multi-tenant app, with each client's instance hosted on a sub-domain. E.g.:
client1.mydomain.com
client2.mydomain.com
To support this we have an App-Gateway in Azure with a wildcard ...
1 vote, 1 answer, 9k views
How To Disable Azure WAF Mandatory rule?
{
"timeStamp": "2021-01-29T11:03:40+00:00",
"resourceId": "/SUBSCRIPTIONS/0000000000-0000000-0000000-000/RESOURCEGROUPS/resourcegroup/PROVIDERS/MICROSOFT....
1 vote, 1 answer, 84 views
Bicep code to deploy WAF policy for Azure Application gateway
I am trying to deploy a WAF policy for Application gateway with bicep. It should contain OWASP rule set 3.2. My code is as below:
param wafPolicyName string = 'mypolicy'
param location string = '...
1 vote, 1 answer, 1k views
How to create an exclusion list for certain rules based on RequestUri on the Azure WAF policy associated with Azure Application Gateway?
I have a request URL: www.<some-url>.com/submit.
I can see that I can create exclusions based on args, headers and cookies in exclusion lists for the Azure WAF policy, however, I was hoping ...
1 vote, 2 answers, 903 views
Azure Application Gateway WAF Policy Custom Rule Update
I have an Application Gateway WAF policy.
I want to update the existing custom rule by adding another IP address.
How can I do this dynamically from Powershell or Azure CLI?
1 vote, 1 answer, 359 views
Azure application gateway v2
Could you please help me?
I currently work with Azure application gateway waf v2 and when I try to access an application it redirects me perfectly but it does not take the variables
for example when I ...
1 vote, 0 answers, 162 views
How to allow socket.io traffic go through an Azure Web Application Firewall
We apply the Azure Application Gateway Web Application Firewall (WAF) to provide additional preventions against malicious attacks such as SQL Injection, Cross-Site Scripting, etc on an Azure App ...
1 vote, 1 answer, 394 views
How to bypass scanning of request body if it exceeds the max limit for Azure Application Gateway WAF policy
Is there any way we can scan requests for < max request body size? Otherwise, we want to bypass the scan for requests that contain attachments larger than the defined max size.
I tried custom rule but it didn't ...
1 vote, 1 answer, 328 views
Custom IP Range in Azure WAF
I need to log the traffic coming from a range of IP addresses in Azure WAF by having custom rules.
For example I need to log the traffic coming from IP range starting from 10.10.
From the Azure ...
1 vote, 0 answers, 532 views
Unable to query Azure WAF logs
I have been asked to use Powershell to query Azure WAF logs for blocked requests. I found https://cloudrobots.net/2021/03/07/download-azure-wav-v2-blocking-logs-w-powershell/ but am having some ...
1 vote, 0 answers, 137 views
Azure Web Application Firewall API
We have a problem with certain form inputs being blocked by the Azure WAF managed rules because one of our internal systems allows certain values and is not filtered by the WAF (different host.)
I'd ...
1 vote, 0 answers, 142 views
Azure WAF Issue with WebSocket (OmniFaces)
I have an OmniFaces WebSocket deployed on Tomcat. The WebSocket works fine on Tomcat.
One of our clients' infrastructure setups is Azure WAF --> IIS --> Tomcat.
We have successfully tested the ...
1 vote, 1 answer, 333 views
Do I need a Web Application Firewall if my APIs are protected with OAuth?
I implemented a micro-service model and each API is protected using bearer token authentication... no service logic is executed unless a valid OAuth token is provided as part of the request header.
...
1 vote, 0 answers, 722 views
Customize WebOptimizer Cache Busting Algorithm
I am using ASP.NET Core Web Optimizer. It has cache busting feature that will append a unique string to the end of script or CSS links.
A sample of the appended string is like this: ....script.js?v=...
1 vote, 1 answer, 727 views
Maximum Character allowed in Query string of WAF
Currently my WAF is blocking my query strings because of long query strings. Is there a way for WAF to allow long query strings? Otherwise what is the limit in characters that is allowed in the query ...
1 vote, 2 answers, 717 views
How do I point my webapp url to my frontdoor url?
Currently my app is being hosted on MYAPP.azurewebsites.net and my frontdoor is on MYAPP.azurefd.net. I want all my incoming traffic to route to azureFd so I can gain the benefits of the waf policy I ...
0 votes, 1 answer, 1k views
Azure Frontdoor WAF policy is blocking requests even though I have rule disabled
I have a Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2019-10-01 policy for my web app. I pass in a token via the URL for some requests and sometimes this token has a double hyphen -- ...
0 votes, 1 answer, 5k views
Terraform Error: Failed to query available provider packages
I'm trying to deploy a simple infrastructure in Azure through Terraform, the infrastructure is made of an Application Gateway (with Web Application Firewall, so the WAF_v2 version) with two virtual ...
0 votes, 1 answer, 304 views
Azure WAF - what's the difference among allow, log and disable?
Allow action will log requests.
Log action will log requests.
I don't know what's the difference between them.
If I don't want the rule to block requests. Disable it and change its action to Allow, ...
0 votes, 1 answer, 110 views
Plain English firing Modsecurity/WAF/CRS rules
What do you do about common English text firing off the CRS rules?
e.g. look at the phrases here, they all fire off a CRS alert. They are examples of reasonable text that a user could enter, and ...
0 votes, 1 answer, 678 views
Setup WAF for App Services without Application Gateway
I am searching for a way to enable WAF for my App Services but I don't want to use Application Gateway instead I am wondering if it is possible to configure WAF in the app services itself. Need some ...
0 votes, 1 answer, 752 views
May AD FS in Azure be protected by App Gateway, or is a WAP server required?
I have an AD FS server in a VM in Azure for test purpose. It is not for production and some downtime does not matter.
However it should be available on the Internet for SSO.
Can Azure App Gateway be ...
0 votes, 1 answer, 1k views
How do I determine the Azure WAF rule that affects my specific URL
My request got a 403 when accessing a URL in this format
https://example.com/Test.aspx?param=https%3A%2F%2Fwww.test.com%2Fen-us%3F
I have read the document but I am not sure which rule prevented my ...
0 votes, 1 answer, 49 views
How to create Azure Front domains with pre-validated domain
I'm trying to validate FrontDoor custom domains using the Azure pre-validated domain.
I have web app origins that already validated their custom domains, and I want to be able to import them to the ...
0 votes, 0 answers, 71 views
How can I use an existing resource OR create a new one if it doesn't exist?
I need to add a security policy with an associated domain. However, the security policy may already exist with other domains and I will need to add to the domain list.
Normally, the idempotent ...
0 votes, 0 answers, 93 views
Using bicep to add a second domain to an existing Azure Security Policy
I need to add a security policy to a front door endpoint. I am using the following bicep.
resource security_policies 'Microsoft.Cdn/profiles/securitypolicies@2022-11-01-preview' = {
parent: ...
0 votes, 1 answer, 157 views
How to add CNAME for app service which is behind the WAF Application Gateway?
I have one app service which has one custom domain (abc.com) and a default domain (something.azurewebsites.net). There is one WAF AG (Application Gateway) in front of the app service.
In the dns zone, I have ...
0 votes, 0 answers, 128 views
How to avoid Content-Length HTTP header is not numeric error on Azure app gateway
We have an asp.net mvc application hosted in azure app service. The WAF policy on application gateway is blocking a post request with the "403 Forbidden" error. On firewall log, we see below ...
0 votes, 1 answer, 381 views
Block traffic in azure front door based on claims
I have a scenario in which I want to block some requests.
There is a property set in Identity claims and I want to deny the request based on that property.
Let's say that claims have a proper named &...
0 votes, 1 answer, 567 views
How to dissociate WAF from Azure application gateway?
How to dissociate WAF from Azure application gateway?
I selected the WAF and clicked on associated application gateways. Selected the application gateway that needs to be dissociated from the WAF.
but ...
0 votes, 1 answer, 792 views
How to setup session affinity for Rest API in Azure App Service
I have a frontend app service (scaled up to 3 nodes) and a api app service (scaled up to 3 nodes) on Azure. When user enter the website, the request goes to frontend app service first and then ...
0 votes, 1 answer, 116 views
Using Azure WAF for my server (not in Azure)
I have a server at my home with a static IP and a website in IIS, which is available from the internet. I wanted to protect it by Azure Web Application Firewall, but it works only in Azure Virtual Network.
Can I ...
0 votes, 0 answers, 81 views
How can I fix this Azure WAF update error
getting this error
│ Error: waiting for update of Application Gateway: (Name "dev-waf-sec" / Resource Group "dev-network-rg"): Code="InternalServerError" Message="An ...
0 votes, 1 answer, 284 views
Update-AzFrontDoorWafPolicy - update particular managed rule action
I have Azure Front Door WAF policy and would like to change particular managed rule action using Powershell.
Here is my code:
$RuleOverride1 = New-AzFrontDoorWafManagedRuleOverrideObject -RuleId ...
0 votes, 1 answer, 738 views
How to configure NSG for WAF v2 Application Gateway subnet?
I want to configure Network Security Group(NSG) for my Application gateway(AG) subnet.
I tried to follow this doc - here but after applying the inbound rules to my NSG, I am getting timeout when ...
0 votes, 1 answer, 1k views
Azure Application GW WAF custom rule not working
I have an App GW WAF v2 where I need to set up a custom rule to check for the presence of a Request Header. I couldn't get it to work. So next I set up a very simple check.
"customRules":[{
...
0 votes, 1 answer, 412 views
How can I filter out custom rules from Azure WAF logs?
I am using the following query to monitor Azure WAF, it works fine but I want to filter out custom rule hits from the query and only show blocks by MSFT Default Rulesets but I cannot find how to do ...
0 votes, 1 answer, 154 views
Update Azure FrontdoorPremium Web Application Firewall Policy by API
I'm trying to update a Frontdoor WAF policy by API following the article in the link below but I'm running into several issues.
- Article seems to be focused on Frontdoor Classic, not premium, so the ...
0 votes, 1 answer, 494 views
Azure WAF V2 false positive SQL Injection attacks on form entry data
We are using Azure ASE v3 to host our web app with Azure Application Gateway and WAF V2. We have been getting quite a lot of false positives on data our users enter into a form in the app.
For example
...