WAF on Application Gateway needs a function to exclude some condition, like a trusted node.
Now, the Web Application Firewall feature is available as part of Azure Application Gateway.
Currently, WAF on Application Gateway seems not to have a function to exclude access from blocking by any condition.
So, I would like to request that this function be added for WAF on Application Gateway.
Actually, many WAF products can exclude particular access from blocking, like a trusted node.

Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
11 comments
-
Anonymous commented
Let's just look at one example.
We use reCaptcha V2. When the form posts, WAF often rejects the request because of applying rule 942430 of rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf. Not every time, but often enough to be a problem.
A function that would work, is one that gets called after WAF decided to raise the error state of the request. Pass in the equivalent of the log entry's JSON and the function can tell WAF if it should reverse its decision or not. In our case I can see from the JSON that the issue is with the reCaptcha postback form field and tell WAF to not penalize the caller.
-
Vasily commented
Thank you for your instructions, Chris!
Unfortunately, the custom rule approach does not work for us: our rule that allows traffic is triggered, but the request fails anyway because the Request Body Size Limit is a mandatory rule that cannot be overridden, AFAIU. There is a case in our web app where a big chunk of data is posted to the server in a "regular" request (not a file upload). We've set up a WAF v2 Policy with a custom rule that Allows traffic for this type of request, alas, we're getting a 413 Request Too Large error again!
It's like we've hit a wall! Our WAF has been fully set up and tuned for our web app, and now we can't use it. While it could be possible to re-implement the problem request in our app, it would be a very complex task.
It would be great if WAF allowed excluding specific requests from inspection completely, including the body size! Can anyone suggest a solution or a workaround for the issue?
Is Microsoft planning to address this issue in any way?
Is it possible to override or ignore the Request Body Size Limit for certain requests? Thank you!
P. S. What's also strange about the custom rule we've set up: in the firewall log, the action recorded for it is still Blocked! The Message, in the Details, nevertheless spells "Allowed":
{
  "resourceId": "/SUBSCRIPTIONS/***/RESOURCEGROUPS/***/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAFV2",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_3",
    "clientIp": "***",
    "clientPort": "",
    "requestUri": "\/stocksimportdata\/nasdaq.aspx",
    "ruleSetType": "",
    "ruleSetVersion": "",
    "ruleId": "40",
    "message": "Mandatory rule. Cannot be disabled. Custom rule with name: excludeimpdata, priority: 40",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Access allowed (phase 2). Pattern match \\\"(importdata\/)\\\" at REQUEST_URI. ",
      "data": "",
      "file": "\\\"\/etc\/nginx\/modsec\/AppGw-CustomRules.txt\\\"",
      "line": "2"
    },
    "hostname": "vm000003",
    "transactionId": "AcDcAcAXocAJAcAcAcAcAcAm"
  }
}
I wonder if the Action value is simply hardcoded in the log generator?
-
Chris Butler commented
I'VE FOUND IT!!!
You need to add an "Application Gateway WAF policy", which can only be done from badly/poorly documented PowerShell scripts!
Run this:
$policies = New-AzApplicationGatewayFirewallPolicy -Name <YOUR_NEW_POLICY_NAME_HERE> -ResourceGroup <YOUR_RESOURCE_GROUP_NAME_HERE> -Location <YOUR_LOCATION_HERE>
Set-AzApplicationGatewayFirewallPolicy -InputObject $policies
This will add an Application Gateway WAF policy to the resource group specified. From there you get an item under the resource group in the Portal you can click into and define custom rules! (see attachment).
You then need to Associate the Policy to the Application Gateway(s) you want to use it with, then define your custom rules. These can be by IP Address, and Number or String matches on Request Method, String, URI (<- The big one!!), Headers and Body, amongst other things.
This saved my life!
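The following is an added example, not code from the thread, from Chris, or from Microsoft's documentation. It scripts the whole procedure Chris describes (create a WAF policy, define custom rules by client IP, URI and method, associate it with the gateway) with the current Az.Network cmdlets, and also covers the two snags raised earlier in the thread: Vasily's request body size limit, which is a policy-wide setting rather than something a custom Allow rule can override, and the reCaptcha postback field from the Anonymous comment, which is better handled by an exclusion on that one field than by disabling rule 942430. The resource group, region, gateway and policy names, the trusted CIDR (a TEST-NET range), the URI prefix, the reCAPTCHA field name and the 128 KB limit are all assumptions to replace with your own values; it assumes a recent Az.Network module and an existing WAF_v2 SKU gateway.

```powershell
# Added example (not from the thread). All names, addresses and limits below are
# assumptions; replace them with your own. Requires Az.Network and an existing
# Application Gateway with the WAF_v2 SKU.
$rg         = "my-rg"           # assumed resource group
$location   = "westeurope"      # assumed region
$gwName     = "my-appgw-v2"     # assumed existing WAF_v2 gateway
$policyName = "my-waf-policy"   # assumed policy name

# 1. Policy settings. The request body size limit is enforced by the policy
#    itself, so a custom Allow rule does not lift it; raise it here instead
#    (128 KB is an assumed value, check the documented maximum for your SKU).
$settings = New-AzApplicationGatewayFirewallPolicySetting `
    -Mode Prevention -State Enabled `
    -RequestBodyCheck $true -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 100

# 2. Custom rule A: never block a trusted node (the original request).
#    Allow on a custom rule short-circuits the remaining custom and managed rules
#    for that request, so keep the CIDR as tight as you can.
$remoteAddr  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$trustedCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator IPMatch -MatchValue "203.0.113.0/24" -NegationCondition $false   # assumed CIDR
$allowTrusted = New-AzApplicationGatewayFirewallCustomRule -Name AllowTrustedNode `
    -Priority 10 -RuleType MatchRule -MatchCondition $trustedCond -Action Allow

# 3. Custom rule B: allow one URI prefix, and only for POST, instead of turning a
#    managed rule off for the whole site. Conditions in one rule are ANDed.
$uri        = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestUri
$method     = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestMethod
$uriCond    = New-AzApplicationGatewayFirewallCondition -MatchVariable $uri `
    -Operator BeginsWith -MatchValue "/stocksimportdata/" -NegationCondition $false  # assumed path
$methodCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $method `
    -Operator Equal -MatchValue "POST" -NegationCondition $false
$allowImport = New-AzApplicationGatewayFirewallCustomRule -Name AllowImportData `
    -Priority 20 -RuleType MatchRule -MatchCondition $uriCond, $methodCond -Action Allow

# 4. Managed rule set with a targeted exclusion: leave rule 942430 enabled but
#    stop inspecting the reCAPTCHA postback argument by name.
$ruleSet   = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType OWASP -RuleSetVersion 3.1
$exclusion = New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable RequestArgNames `
    -SelectorMatchOperator Equals -Selector "g-recaptcha-response"   # assumed field name
$managed   = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet -Exclusion $exclusion

# 5. Create the policy with everything attached, then associate it with the gateway.
$policy = New-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg -Location $location `
    -PolicySetting $settings -CustomRule $allowTrusted, $allowImport -ManagedRule $managed
$appgw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
Set-AzApplicationGateway -ApplicationGateway $appgw -FirewallPolicy $policy | Out-Null

# 6. Verify: read the policy back and list the custom rules by priority.
(Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg).CustomRules |
    Sort-Object Priority | Select-Object Name, Priority, Action
```

Lower priority numbers are evaluated first, so the trusted-node rule runs before the URI rule. After applying this, check the ApplicationGatewayFirewallLog for the affected requests: the custom rule names set here (AllowTrustedNode, AllowImportData) appear in the log message, which is the quickest way to confirm the rule that actually matched.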
-
Chris Butler commented
How can MS even call this thing a WAF? Its usefulness is severely limited in its current form.
It's lacking some very, very standard features that almost every other WAF on the market has, such as:
1. Country/Region Specific Blocking
2. Ability to exclude specific URL/URI from triggering Rules
That last one, in particular, is a killer: in order to exclude ONE specific website file/resource from being blocked we have to turn off the entire rule, opening a massive hole. This goes against every sensible and best-practice approach to configuring a firewall.
Ridonkulously bad!
I've found this: https://docs.microsoft.com/en-us/azure/application-gateway/create-custom-waf-rules/ example 5 *seems* to suggest you could create a RequestURI exception with PowerShell, but without any better or more specific examples I'm unable to get it to work.
This is so, so, so, SO critical to our company web-farming our .NET/Angular2 application on Azure. We'd be better off going back to old-school VMware virtual machines sitting behind a good old Sophos UTM9.
-
_JJ_ commented
The WAF blocks our CDN, making it impossible to use services like MaxCDN. Please, Microsoft, allow your WAF to allow/disallow certain requests based upon much more flexible rules. Disabling the WAF is our only option. It is useless!!
-
Anonymous commented
Also the possibility to make conditional access rules, like blocking / allowing only traffic from certain countries.
-
Dhruvin Gajjar commented
The WAF is not very useful in its current version. It certainly needs more advanced configuration. For example, I need to lower the security of the WAF just because Microsoft AAD injects certain fields into the request body and request headers, and there is no way for me to tell the WAF to ignore the Easy Auth workflow-related URLs in its inspection.
-
Anonymous commented
Yes, I couldn't agree more with this request.
It would be a big improvement!
As everybody said, we now have to lower the security, just because of one path (among thousands)!
-
Steve Lavoie commented
As it is, the WAF is only applicable as a front-end for a monolithic web application. I am hosting multiple websites with different web apps, so I need to be able to make exceptions based on the URL. For now, I have to lower the WAF security rules to the lowest common denominator.
-
Ed Gillett commented
Yes - we really need more granular exclusions! Currently, to address an issue on a single page, we have to disable an entire rule for the whole app :(
-
Nicholas Leader commented
Similar to these 2 items, I would like the ability to whitelist URLs / domains / IPs from WAF rule checks:
https://feedback.azure.com/forums/169397-cdn/suggestions/18306811-custom-rules-for-waf