Is it possible to exclude URLs in Application Gateway WAF?

Sheik Mohamed Yasar 105 Reputation points
2023-12-26T19:58:53.8833333+00:00

Hello,

I have an Application Gateway with WAF in preventive mode. Can I exclude some URLs or implement custom rules for URLs or IPs with this configuration?

I know this is possible with Azure WAF, but I'm not sure if it's supported with the WAF inside the Application Gateway. Please assist me with this.

Azure Application Gateway

Accepted answer
  1. GitaraniSharma-MSFT 49,691 Reputation points Microsoft Employee
    2024-01-05T10:55:36.7233333+00:00

    Hello @Sheik Mohamed Yasar ,

    I understand that you would like to know if it is possible to exclude URLs in Application Gateway WAF.

    If you use Azure Application Gateway Web Application Firewall (WAF) v2 SKU, then you can make use of custom rules to achieve your requirement. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. Custom rules in WAF v2 allow you to configure the RequestUri match variable.

    For more details, please refer to the docs below:

    https://zcusa.951200.xyz/en-gb/azure/web-application-firewall/ag/custom-waf-rules-overview

    https://zcusa.951200.xyz/en-us/azure/web-application-firewall/ag/create-custom-waf-rules

    Custom rules are only available with Application gateway WAF v2 with WAF policy configuration.

    From your screenshot, it looks like you are using the legacy WAF configuration.

    In case you are using Application Gateway WAF v2 SKU with legacy WAF, then you can upgrade your WAF legacy configuration to WAF policy directly without any downtime.

    Refer: https://zcusa.951200.xyz/en-us/azure/web-application-firewall/ag/upgrade-ag-waf-policy?tabs=portal#upgrade-waf-v2-with-legacy-waf-configuration-to-waf-policy

    Also, validate if you are using Application gateway WAF V2 SKU or V1 SKU.

    Application Gateway v1 doesn't support WAF policy or custom rules. So, in case you are using Application Gateway WAF v1 SKU, you should migrate your Application Gateway v1 to v2 version and then upgrade legacy WAF configuration to WAF policy to make use of custom rules.

    Refer: https://zcusa.951200.xyz/en-us/azure/application-gateway/migrate-v1-v2

    https://zcusa.951200.xyz/en-us/azure/web-application-firewall/ag/upgrade-ag-waf-policy?tabs=portal#upgrade-application-gateway-v1-to-waf-v2-with-waf-policy

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
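
A custom rule of the kind the accepted answer describes, written with the Az PowerShell cmdlets for WAF policies. This is an added example, not code from the answer or from the linked documentation. The resource group, policy name, URI path, source range, rule name and priority are placeholders chosen for illustration.

```powershell
# Placeholders (assumptions): fill in your own resource group and WAF policy name.
$rg         = "<resource-group>"
$policyName = "<waf-policy-name>"

# Condition 1: the request URI begins with the path to exempt.
# "/internal/healthcheck" is a constructed sample path, written in lowercase
# because the Lowercase transform is applied before matching.
$uriVar  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestUri
$uriCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $uriVar `
    -Operator BeginsWith -MatchValue "/internal/healthcheck" `
    -Transform Lowercase -NegationCondition $false

# Condition 2: the client address is in a known range.
# 203.0.113.0/24 is a documentation range (RFC 5737) used as a constructed sample.
$ipVar  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$ipCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $ipVar `
    -Operator IPMatch -MatchValue "203.0.113.0/24" -NegationCondition $false

# Conditions inside one rule are ANDed. With -Action Allow, a matching request
# skips all remaining rules, managed rule sets included, so the second condition
# keeps the exemption narrow. Use -Action Log first to confirm what the rule matches.
$rule = New-AzApplicationGatewayFirewallCustomRule -Name "AllowHealthFromOps" `
    -Priority 10 -RuleType MatchRule -MatchCondition $uriCond, $ipCond `
    -Action Allow -State Enabled

# Attach the rule to the existing WAF policy (custom rules need WAF v2 with a WAF policy).
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg
$policy.CustomRules.Add($rule)
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
```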

1 additional answer

  1. Kelvin Ekonomi 0 Reputation points
    2025-01-08T17:24:30.4633333+00:00

    With the custom rules you are excluding all rules, and there is no way to select only certain rules as a consequence.

    Is there a way to match the requestUri in exclusions? That way you could exclude only certain rules.
