Is it possible to exclude certain WAF rules for a particular url path?

Question

The use case is that the WAF is firing some SQL injection rules for a certain endpoint. We are pretty sure that there is no risk of SQL injection in that endpoint because it is using EF and I wanted to exclude certain rules of the policy in that path.

The problem:
I can match the requestUri in the custom rules but not in exclusions. in custom rules I can't select rules of the policy as I can in exclusions therefore, if I match the path and allow it will be for all rules not for the ones I want to exclude

Answer

Hi @Kelvin Ekonomi

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I can match the requestUri in the custom rules but not in exclusions. in custom rules I can't select rules of the policy as I can in exclusions therefore, if I match the path and allow it will be for all rules not for the ones I want to exclude

Yes, you're correct. Please share your feedback in the form.

Is it possible to exclude certain WAF rules for a particular url path?

This is not possible using exclusion in the WAF. If you would like this feature, please share your feedback in the form.

If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

https://feedback.azure.com/d365community/idea/60cfcfda-502f-ed11-a81b-000d3ae3db6e

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith

Share via

Is it possible to exclude certain WAF rules for a particular url path?

1 answer

Your answer