Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Networking?

← Networking

WAF on Application Gateway needs a function to exclude some condition like a trusted node.

Now, Web Application Firewall feature would be available as part of Azure Application Gateway.

Currently, WAF on Application Gateway seems to not have a function to exclude from blocking access by any condition.
So, I would like to request to add this function for WAF on Application Gateway.

Acutually, Many WAF product could exclude particular access from blocking like a trusted node.

275 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
T.Sato shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
triaged  ·  Adminazurecxpuservoice (Product Manager, Microsoft Azure) responded  · 

Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

10 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Let's just look at one example.

    We use reCaptcha V2. When the form posts, WAF often rejects the request because of applying rule 942430 of rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf. Not every time, but often enough to be a problem.

    A function that would work, is one that gets called after WAF decided to raise the error state of the request. Pass in the equivalent of the log entry's JSON and the function can tell WAF if it should reverse its decision or not. In our case I can see from the JSON that the issue is with the reCaptcha postback form field and tell WAF to not penalize the caller.

  • Vasily commented  ·   ·  Flag as inappropriate

    Thank you for your instructions, Chris!
    Unfortunately, the custom rule approach does not work for us: our rule that allows traffic is triggered, but the request fails anyway because the Request Body Size Limit is a mandatory rule that cannot be overridden, AFAIU. There is a case in our web app when a big chunk of data is posted to the server in a "regular" request (not a file upload). We've set up a WAF v2 Policy with a custom rule that Allows traffic for this type of requests, alas, we're getting 413 Request too large error again!
    It's like we've hit the wall! Our WAF has been fully set up and tuned up for our web app, now we can't use it. While it could be possible to re-implement the problem request in our app, it would be very complex a task.
    It would be great if WAF allowed to exclude specific requests from the Inspection completely, including the body size!

    Can anyone suggest a solution or a workaround for the issue?
    Is Microsoft planning to address this issue in any way?
    Is it possible to override or ignore the Request Body Size Limit for certain requests?

    Thank you!

    P. S. What's also strange about the custom rule we've set up, in the firewall log, the action recorded for it is still Blocked! The Message, in the Details, nevertheless spells "Allowed":

    { "resourceId": "/SUBSCRIPTIONS/***/RESOURCEGROUPS/***/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAFV2", "operationName": "ApplicationGatewayFirewall", "category": "ApplicationGatewayFirewallLog", "properties": {"instanceId":"appgw_3","clientIp":"***","clientPort":"","requestUri":"\/stocksimportdata\/nasdaq.aspx","ruleSetType":"","ruleSetVersion":"","ruleId":"40","message":"Mandatory rule. Cannot be disabled. Custom rule with name: excludeimpdata, priority: 40","action":"Blocked","site":"Global","details":{"message":"Access allowed (phase 2). Pattern match \\\"(importdata\/)\\\" at REQUEST_URI. ","data":"","file":"\\\"\/etc\/nginx\/modsec\/AppGw-CustomRules.txt\\\"","line":"2"},"hostname":"vm000003","transactionId":"AcDcAcAXocAJAcAcAcAcAcAm"}}

    I wonder if the Action value is simply hardcoded in the log generator - ?

  • Chris Butler commented  ·   ·  Flag as inappropriate

    IVE FOUND IT!!!

    You need to add an "Application Gateway WAF policy", which can only be done from badly/poorly documented Powershell scripts!

    Run this:

    $policies = New-AzApplicationGatewayFirewallPolicy -Name <YOUR_NEW_POLICY_NAME_HERE> -ResourceGroup <YOUR_RESOURCE_GROUP_NAME_HERE> -Location <YOUR_LOCATION_HERE>
    Set-AzApplicationGatewayFirewallPolicy -InputObject $policies

    This will add an Application Gateway WAF policy to the resource group specified. From there you get an item under the resource group in the Portal you can click in to and define custom rules! (see attachment).

    You then need to Associate the Policy to the Application Gateway(s) you want to use it with, then define your custom rules.These can be by IP Address, and Number or String matches on Request Method, String, URI (<- The big one!!), Headers and Body amongst other things.

    This saved my life!

  • Chris Butler commented  ·   ·  Flag as inappropriate

    How can MS even call this thing a WAF? It's usefulness is severely limited in it's current form.

    It's lacking some very, very standard features that almost every other WAF on the market has, such as.

    1. Country/Region Specific Blocking
    2. Ability to exclude specific URL/URI from triggering Rules

    That last one, in particular is killer, in order to exclude ONE specific website file/resource from being blocked we have to turn off the entire rule opening a massive hole. This goes against every sensible and best-practice approach to configuring a firewall.

    Ridonkulously bad!

    I've found this : https://docs.microsoft.com/en-us/azure/application-gateway/create-custom-waf-rules/ example 5 *seems* to suggest you could create a RequestURI exception with PowerShell, but without any better or more specific examples I'm unable to get it to work.

    This is so, so, so, SO critical to our company web farming our .NET/Angular2 application on Azure. We'd be better off going back to old school VMWare Virtual machines sitting behind a good old Sophos UTM9

  • _JJ_ commented  ·   ·  Flag as inappropriate

    The WAF blocks our CDN making it impossible to use services like MaxCDN. Please Microsoft, allow your WAF to allow/disallow certain requests based upon much more flexible rules. Disabling the WAF is our only option. It is useless!!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Also the possiblity to make conditional access rules, like blocking / allowing only traffic from certain countries.

  • Dhruvin Gajjar commented  ·   ·  Flag as inappropriate

    The WAF is not much useful in its current version. It certainly needs more advanced configurations. For example, I need to lower the security of the waf just because the Microsoft AAD injects certain fields in the request body and request headers and there is no way for me to tell WAF to ignore the Easy Auth workflow related URLs from its inspection.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Yes, I couldn't agree more with this request.
    It would be a big improvement!
    As everybody said, we now have to lower the security, just because of one path (among thousands)!

  • Ed Gillett commented  ·   ·  Flag as inappropriate

    Yes - we really need more granular exclusions! Currently to address an issues on a single page, we have to disable an entire rule for the whole app :(

Networking: Application Gateway

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice