Custom rules for WAF
Allow user created rules for WAF.
Any update on this?
Nick Sharratt commented
Along the same lines - the ability to customise which rules/exceptions applied based on URL. e.g. to exclude checking specific cookies for URL1 while still checking any cookie with the same name for URL2, 3 etc.
(while exposing the raw rules would allow someone to implement this, that would involve significant manual intervention and expertise with creating custom rules - however, providing an interface that provides for 'rule policies' to be defined which are then stored outside of a specific AGW/WAF and then a mechanism to apply them based on the HTTP listener on a specific listener/WAF would go a long way to address the additional flexibility needed in our use case, while keeping the overhead of managing multiple WAFs across multiple different web applications, reasonable.
Also related - being able to 'publish' and share such policies for COTS web applications so that users of the same application could benefit from the community knowledge and experience of configuring the rules to avoid false positives/breaking the application, and even allow the COTS vendors to contribute, would help even further)
Klotz Peter (BCI/ESW21) commented
The underlying Nginx with ModSecurity allows not only disabling rules (by ID or tag) but also updating rules, defining exceptions and even adding new custom rules.
IMHO the WAF of Azure Application GW simply needs to expose these via Portal, PowerShell and az CLI.
Otherwise the only option is to disable rules that produce false positives, which is not an optimal solution security-wise.
Allow the ability to inspect specified fields in the header and block all, with a specified list of exceptions. Ex: a range of IPs for forwarded-client-ip.
Need more granularity and ability to create advanced rule sets for WAF
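The ModSecurity capabilities referred to in the comments above (disable a rule by ID or tag, update a rule's targets, apply an exception only for one URL, and write a custom rule that inspects a specific header and blocks everything outside an allow-list), written out as an added example. This is not code from the thread or from Azure's product; the rule IDs, the /app1/ path, the cookie name and the IP ranges are placeholders I assumed, and the ModSecurity directives must be loaded after the CRS rules they modify.

```apache
# Added example, not from the thread or from Azure. ModSecurity v2/v3 (same
# SecRule syntax under Nginx). Rule IDs, path, cookie name and IP ranges are
# assumed placeholders. Directives 1 and 2 must appear AFTER the Include that
# loads the CRS rule they reference; rules 3-5 must run before CRS evaluates.

# 1. Disable a rule globally by ID, or a whole group of rules by tag
SecRuleRemoveById 942100
SecRuleRemoveByTag "attack-sqli"

# 2. Keep the rule, but stop it inspecting one cookie on every URL
SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:app_session"

# 3. Per-URL exception: exclude the cookie only under /app1/. The same cookie
#    name is still inspected for every other path. Phase 1 runs before the
#    CRS request rules (phase 2), so the ctl action takes effect in time.
SecRule REQUEST_URI "@beginsWith /app1/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:app_session"

# 4. Custom rule: inspect one header and block unless the value is in an
#    allow-list of IP ranges (comma-separated CIDRs for @ipMatch)
SecRule REQUEST_HEADERS:X-Forwarded-For "!@ipMatch 203.0.113.0/24,198.51.100.0/24" \
    "id:10002,phase:1,deny,status:403,log,\
    msg:'Forwarded client IP not in allow-list'"

# 5. Rule 4 never fires if the header is absent (no variable, no match), so
#    an allow-list must also reject requests that omit the header entirely
SecRule &REQUEST_HEADERS:X-Forwarded-For "@eq 0" \
    "id:10003,phase:1,deny,status:403,log,\
    msg:'Forwarded client IP header missing'"
```

Two caveats for rules 4 and 5: X-Forwarded-For is attacker-controlled unless a trusted proxy in front of the WAF overwrites it, so this only enforces anything when the WAF sits behind such a proxy; and proxies often append to the header ("client, proxy1"), in which case @ipMatch is applied to the whole string and will not match, so the rule should target whatever single-address header the proxy sets, or extract the leftmost address first.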
Nicholas Leader commented
Similar to these 2 items, I would like the ability to whitelist URLs / domains / IPs from WAF rule checks: