WAF custom rules are not working

Juan Manuel Rueda Lopez 11 Reputation points
2022-01-21T08:44:35.363+00:00

I have a web app behind an App Gw with WAF. I have some queries that are false positives and the managed rules are blocking.
I have configured a custom rule in the WAF so that when it matches a certain string in the RequestUri, that query is allowed.
According to Microsoft documentation when a query is matched and allowed by a custom rule, this query is no longer examined with any other custom rule or managed rule. The problem I have is that the managed rules keep blocking these queries.
Is the expected performance as described? When you match a custom rule and input is allowed, is it no longer examined by the managed rules?
Thanks,
Juanma

Azure Application Gateway

2 answers

  1. ChaitanyaNaykodi-MSFT 26,951 Reputation points Microsoft Employee
    2022-01-25T12:23:22.367+00:00

    Hello @Juan Manuel Rueda Lopez, thank you for reaching out to Microsoft Q&A. We apologize for the delay in responding to your question.

    Is the expected performance as described? When you match a custom rule and input is allowed, is it no longer examined by the managed rules?

    Your understanding is correct. As per the documentation here, custom rules are processed before processing the rules in a managed rule set. Custom rules hold a higher priority than the rest of the rules in the managed rule sets, and once a match is processed, rules with lower priorities aren't processed further.

    You can try the troubleshooting steps below:

    1. You can validate if the custom rule is set properly, especially the NegationConditon. You can refer to the examples mentioned here.
    2. You can also validate the priority set for the custom rule, as it determines the rule evaluation order. The lower the value, the earlier the evaluation of the rule.

    If the issue still persists, can you please provide more information regarding the custom rule set? A sample example of the request query string will be helpful. Please let me know if you have any additional questions. Thank you!


  2. Juan Manuel Rueda Lopez 11 Reputation points
    2022-01-27T12:57:15.263+00:00

    Thank you @ChaitanyaNaykodi-MSFT for your reply.

    I have continued to work on the problem but have not been able to solve it. I tell you the configuration that I have and that I think should work.

    I have this custom rule with priority 1. The custom rule searches the RequestUri for the string /api/graphql, and if it matches, the action is Allow, so it should stop checking custom and managed rules and send the query to the backends. The following image is the configuration of the custom rule.

    169063-image.png

    However, if I search the App Gw log with the following query:
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" and hostname_s == "xxx.xxx.com" and requestUri_s contains "/api/graphql"

    It shows me that there are queries with the RequestUri /api/graphql that have been evaluated by the managed rules, and therefore it will block them. It is a false positive, and that is why I want them not to be blocked. The WAF policy is in detection mode.

    169018-image.png

    I don't know if you see something that I'm doing wrong in the custom rule or in the log lines that I sent you.
    Thanks in advance for your help.
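
The thread leaves two possibilities open: the custom rule never matches these requests (the condition, negation and priority checks suggested in the first answer), or it matches and managed-rule entries are still logged for the same request. The following is an added example, not part of the original posts, that groups exported firewall-log records per transaction to tell the two apart. The sample records are constructed, and the JSON field names and the rule name `AllowGraphql` are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line (not from the thread).
# The field names under "properties" are an assumption about the exported
# firewall-log format; rename them to match your own export.
SAMPLE_LOG = """
{"properties": {"transactionId": "t-001", "requestUri": "/api/graphql", "ruleSetType": "Custom", "ruleId": "AllowGraphql", "action": "Allowed"}}
{"properties": {"transactionId": "t-001", "requestUri": "/api/graphql", "ruleSetType": "OWASP_CRS", "ruleId": "942100", "action": "Matched"}}
{"properties": {"transactionId": "t-002", "requestUri": "/api/graphql", "ruleSetType": "OWASP_CRS", "ruleId": "942100", "action": "Matched"}}
{"properties": {"transactionId": "t-003", "requestUri": "/login", "ruleSetType": "OWASP_CRS", "ruleId": "920350", "action": "Matched"}}
"""

def group_by_transaction(log_text, uri_fragment):
    """Collect (ruleId, action) pairs per transaction for matching URIs."""
    txns = defaultdict(lambda: {"custom": [], "managed": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        props = json.loads(line).get("properties", {})
        # Case-insensitive substring match, like the KQL `contains` operator.
        if uri_fragment.lower() not in props.get("requestUri", "").lower():
            continue
        kind = "custom" if props.get("ruleSetType") == "Custom" else "managed"
        txns[props.get("transactionId")][kind].append(
            (props.get("ruleId"), props.get("action")))
    return dict(txns)

def classify(entry):
    """Say which of the two situations from the thread a transaction shows."""
    if entry["custom"] and entry["managed"]:
        return "custom rule matched; managed rules also logged"
    if entry["custom"]:
        return "custom rule matched; no managed rule entries"
    return "custom rule not matched; check condition, negation, priority"

def report(log_text, uri_fragment):
    """Map each matching transaction id to its classification."""
    grouped = group_by_transaction(log_text, uri_fragment)
    return {txn: classify(entry) for txn, entry in grouped.items()}

if __name__ == "__main__":
    for txn, verdict in report(SAMPLE_LOG, "/api/graphql").items():
        print(txn, "->", verdict)
```
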

