The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.
Two examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).
OWASP CRS 3.0.2 reworked some rules in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).
147 votes
Thanks for your feedback. This is planned as a new supported RuleSet.
When we have the WAF set to prevention mode, some of our HTTP POSTs are denied with code 413:
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global waf configurable parameters.
Currently, Application Gateway rules support only path matches with a wildcard at the end of the string.
For us it means reworking our routing strategy, as the first part of our route is dynamic: /<domain>/<controller> (e.g. /sales/process). The controllers are shared among domains. Domains can be created dynamically, which prevents us from directly using the current feature to separate only the 'process' controller to a standalone backend pool.
We would prefer to be able to define something like '/[a-z]+/process.*' as a matching criterion.
139 votes
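As an added illustration, not code from the original post or from Azure, here is a small Python router that compares the trailing-wildcard matching Application Gateway supports today with the regular-expression matching this post asks for. The pool names, rule tables and sample paths are constructed; the anchored pattern is a hypothetical refinement of the post's '/[a-z]+/process.*'.

```python
import re

# Constructed rule table in the style Application Gateway supports today:
# a literal prefix with a wildcard only at the end of the string.
WILDCARD_RULES = [
    ("/sales/process*", "process-pool"),
    ("/*", "default-pool"),
]

# Constructed rule table for the requested behaviour: regular expressions.
# '[a-z]+' stands in for the dynamically created <domain> segment, so a
# single rule covers /sales/process, /marketing/process and so on.
# The anchored form avoids routing a different controller such as
# 'processes' to the process pool (the page's '/[a-z]+/process.*' would).
REGEX_RULES = [
    (r"^/[a-z]+/process(/.*)?$", "process-pool"),
    (r"^/.*$", "default-pool"),
]

# The post's looser pattern, kept only to show the edge case it introduces.
LOOSE_PATTERN = r"^/[a-z]+/process.*"


def match_wildcard(path, rules):
    """First pool whose rule matches: exact, or prefix when the rule ends in '*'."""
    for pattern, pool in rules:
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return pool
        elif path == pattern:
            return pool
    return None


def match_regex(path, rules):
    """First pool whose regular expression matches the path from its start."""
    for pattern, pool in rules:
        if re.match(pattern, path):
            return pool
    return None


def loose_matches(path):
    """True when the post's unanchored pattern would claim this path."""
    return re.match(LOOSE_PATTERN, path) is not None


def route_table(paths):
    """Map each path to (wildcard result, regex result) for side-by-side comparison."""
    return {p: (match_wildcard(p, WILDCARD_RULES), match_regex(p, REGEX_RULES)) for p in paths}
```

Note that the wildcard rule /sales/process* also captures /sales/processes, so a prefix match needs the same care as an unanchored regex.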
An Azure Application Gateway subnet can't have a UDR with a default route through a Network Virtual Appliance firewall, or Backend Health will be "unknown". This is due to asynchronous routing between the Azure Monitoring Service, the App Gateway, and the NVA firewall. We need a way to create a route exception in the UDR for the Azure Monitoring Services traffic.
88 votes
Traditional load balancers support the following states, to facilitate performing maintenance on a system of multiple nodes gracefully:
Enabled (all traffic allowed)
Disabled (only persistent or active connections allowed)
Force Offline (only active connections allowed)
When an application gateway node is "unhealthy" it only allows active connections. We are looking for a way to force a node into an "unhealthy" state.
The currently supported method is to use a custom probe that checks a file/path. I would like a solution that doesn't involve making changes on the server going into maintenance mode.
46 votes
This is being worked on currently.
In some cases, the TCP timestamp option is considered a security risk.
So I want a function to disable it in Application Gateway.
The TCP option is a setting in the OS layer, so it may need an OS change for Application Gateway.
13 votes
Hi MS team,
Could you enable the 'Edit' option for the Listeners we are configuring in the Application Gateway? This will be really helpful if we decide to change our certificate.
Although we can work around this by deleting the listener and creating a new one, that needs some time investigating, so I feel an Edit option is a much better and easier approach for clients.
Thank you for your suggestion, we have plans to include this in our roadmap.
Currently, I know Azure Application Gateway has a function for URL path-based redirection.
Now, I need a function for rewriting the URL path when redirecting a request to a backend server.
For example, when Application Gateway receives an HTTP request to http://www.contoso.com/test/*, it redirects the request as /images/* to the backend server.
In other words, I want to set a URL path for the backend server in PathRuleConfig in Application Gateway.
79 votes
URL rewrite for Application Gateway v2 is currently in public preview! With this, you can now rewrite URL path and query string parameters based on a condition. The condition will be on request or response parameters.
Also, you get the ability to choose the routing to a backend pool based on the original URL or the rewritten URL.
The process of updating your existing SSL certificates on an application gateway is overly complicated. Focus on making this a better user experience that doesn't require PowerShell, with clear instructions and documentation. Renewing SSL certificates isn't a task anyone wants to do, and today's poor user experience is a detriment to the product.
24 votes
Application Gateway is a combination of backend pool, backend HTTP settings, listeners, custom probes and rules. Most of the time, to make changes, it is necessary to update more than one of the above-mentioned settings (pool, HTTP setting, listeners, rules). Each setting is placed on a different UI blade, and it takes nearly 3-10 minutes for a single setting change to be reflected.
Feedback: Make a wizard-style interaction that enables specifying all desired setting changes at once, then applies these changes in a single shot behind the scenes.
9 votes
Thank you for your suggestion. We are currently working to improve this experience.
When we deploy an SSL listener with default settings, the SSL configuration is not very secure (although acceptable for some services). The popular checker https://www.ssllabs.com gives just a B rating for this. You can check the recommendations, for example by looking at the report for our sample AGW deployed with default settings: https://www.ssllabs.com/ssltest/analyze.html?d=tb-ag-dev.textback.io
9 votes
Default settings are for backward compatibility. Please use a pre-configured SSL policy with the newer policies like AppGwSslPolicy20170401 or AppGwSslPolicy20170401S.
Sometimes we share different hostnames with the same web site.
Currently, this means that we have to deploy different listeners in order to provide access to the same backend pool.
With a 20 listener limit this solution is a bit expensive...
Would it be possible to add multiple hostnames/sitenames to a listener?
Thanks in advance
102 votes
Wildcard host names in listeners for Application Gateway v2 are currently in public preview! You can configure host names with wildcard characters (* and ?) and up to 5 host names per listener with comma-separated values.
We’d love for you to try it out and provide your valuable feedback. Learn more here – https://aka.ms/wildcardlistenerpreview
Support in Azure Security Center for Web Apps behind a WAF inside App Services.
4 votes
Thanks for your feedback. We are reviewing this ask.
Ability to redirect an incoming request to an external webpage when all nodes in the backend pool are shut down. Users will get this information during maintenance/outage.
12 votes
We are working on a maintenance page.
Occasionally we need to take one of the members in the pool out for troubleshooting/debugging. This requires bringing down the gateway for at least 15-30 minutes. It would be good if it were possible to quickly enable/disable the member VM without long downtime.
9 votes
Adding/removing backend pool member would not affect live traffic – even while updates are ongoing. Updates on the gateway today are slow and we are working on enhancing this experience. We have a private preview program ongoing currently, for quicker updates and you can sign up for it by emailing me.
We see 400 errors in Log Analytics. We don't see these connections on the web servers. We think the App Gateway is dropping traffic. Support doesn't seem to know why this happens. We don't have enough good information to track these issues. requestQuery_s is blank; MS support cannot tell me what this is, let alone what it means if it is blank.
We need more information.
7 votes
requestQuery_s contains the query string. It might be that these requests did not have a query string in the HTTP request. Could you look at the requestUri_s field to confirm?
Analysis via Log Analytics is useful, but it'd be nice to have some predefined reports or "blades" in the Azure Portal to analyse events, throughput, capacity/utilization.
21 votes
The size limit of the URL for Application Gateway is 8k. But the size limit of the URL query (as a part of the URL) is only 2k.
It would be great if there were no limits on query size in the URL.
7 votes
Thank you for your suggestion. We are considering this for inclusion in our roadmap.
ESI can be a great feature for server-side content-based integration (transclusion of HTML fragments) in a microservice architecture. For more information please read: https://gustafnk.github.io/microservice-websites/#integrating-on-content
26 votes
Thank you for your suggestion. We are considering this for inclusion in our roadmap.
One of our customers wants the capability to apply WAF rules to each path. Can you consider that?
31 votes
Thank you for your suggestion. We are considering this for our roadmap.