4

I have an Azure Application Gateway Web Application Firewall using the OWASP 3.0 ruleset. I created a custom policy so I could create a custom rule which simply allows traffic if it's from a specific IP Address and it has a priority of 1. This is great and I can see log entries in the firewall logs that the rule has been matched. However, I also see log entries that some of the OWASP rules have been matched as well.

My question is whether or not it is possible to prevent further rule/ruleset processing for this specific IP address?

1 Answer

5

In WAF Application Gateway, custom policy takes precedence. So if you have a rule to allow a certain IP and it matches, the other rules of OWASP are not processed. The traffic is allowed.

This is the behavior as of today; please provide feedback in UserVoice if you have a different scenario.

4
  • I don't think that's how it's working. See this query for the last 4 hours. imgur.com/a/EXwJqRO (sorry can't seem to paste images in comments). The image is for the last 4 hours as of this comment which is long after the custom whitelist rule was put in place. You can see more than just that rule is being logged.
    – devlife
    Apr 8, 2020 at 12:51
  • do you have any thoughts on my above comment?
    – devlife
    Apr 9, 2020 at 10:19
  • 1
    The action is to allow. Custom rules take priority over CRS. But you will still see the WAF logs. It is just for logging purposes. The traffic will just be allowed.
    Apr 9, 2020 at 10:24
  • Thank you for the clarification.
    – devlife
    Apr 13, 2020 at 22:59
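
To check from exported firewall logs that the allowlisted IP is only being logged against OWASP rules and never blocked, entries can be grouped per transaction. This is an added example, not code from the question or the answer; the field names (`clientIp`, `transactionId`, `ruleSetType`, `ruleId`, `action`), the rule name `AllowOfficeIp` and all sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, shaped like exported firewall-log
# entries. Field names and values here are assumptions, not taken from the page.
SAMPLE_LOG = """\
{"properties": {"clientIp": "203.0.113.10", "transactionId": "tx-1", "ruleSetType": "Custom", "ruleId": "AllowOfficeIp", "action": "Allowed"}}
{"properties": {"clientIp": "203.0.113.10", "transactionId": "tx-1", "ruleSetType": "OWASP_CRS", "ruleId": "942130", "action": "Matched"}}
{"properties": {"clientIp": "198.51.100.7", "transactionId": "tx-2", "ruleSetType": "OWASP_CRS", "ruleId": "942130", "action": "Matched"}}
{"properties": {"clientIp": "198.51.100.7", "transactionId": "tx-2", "ruleSetType": "OWASP_CRS", "ruleId": "949110", "action": "Blocked"}}
{"properties": {"clientIp": "203.0.113.10", "transactionId": "tx-3", "ruleSetType": "Custom", "ruleId": "AllowOfficeIp", "action": "Allowed"}}
"""

def summarize(lines, client_ip):
    """Group one client's log entries by transaction and note any block."""
    per_tx = defaultdict(lambda: {"entries": [], "blocked": False})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            props = json.loads(line).get("properties", {})
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines in an export
        if props.get("clientIp") != client_ip:
            continue
        tx = per_tx[props.get("transactionId", "unknown")]
        tx["entries"].append((props.get("ruleSetType"), props.get("ruleId"), props.get("action")))
        if props.get("action") == "Blocked":
            tx["blocked"] = True
    return dict(per_tx)

def blocked_transactions(summary):
    """Transaction IDs in which at least one entry carried a Blocked action."""
    return sorted(tx for tx, info in summary.items() if info["blocked"])

def managed_rules_logged(summary):
    """Count non-custom rule IDs that were logged for this client."""
    return Counter(rule_id for info in summary.values()
                   for rs_type, rule_id, _ in info["entries"] if rs_type != "Custom")

if __name__ == "__main__":
    allow = summarize(SAMPLE_LOG.splitlines(), "203.0.113.10")
    print("blocked for allowlisted IP:", blocked_transactions(allow))
    print("managed rules still logged:", dict(managed_rules_logged(allow)))
```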
