Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit
When we have the WAF set to prevention mode, some of our HTTP POSTs are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global WAF configurable parameters.
This is a showstopper for us too. Our client app may post a sizable request to a SOAP web service (not a file upload). The request size may grow up to tens of Megabytes. We could disable the rule check for a particular path using a WAF Policy custom rule - alas, the request size check is a global mandatory rule that can only be disabled along with the "entire firewall".
The protection from the OWASP Top 10 vulnerabilities is the main reason why we have implemented the Application Gateway with our ERP Suite. Now, we cannot enable the protection.
It's understood why Microsoft is "limiting the request size configurable limit" to a relatively small value of 128kb - performance concerns. OK, please let us completely exclude a particular path from the WAF processing - so that the request size check is also disabled.
Thank you for your attention to this issue!
Sujesh Arukil commented
Why a max of 128 kb in the first place? If nothing else, it could be at least 1 MB.
Increase message body limit beyond 128kb
Timothy Lee Russell commented
Thanks for letting us know that there is a fix in the works.
Any update on when we might expect the fix to this blocking issue? (Pun intended, I suppose.)
Jeremy Burke commented
We also had to disable WAF until these parameters are released.
Tomasz S commented
Could you let us know when this will be added? Because of that limit we had to disable WAF.
Is this now implemented? Because the status is still planned. I would also like to see that the message body could be bigger than 128KB.
We desperately need to be able to configure the limit of the message body to be bigger than 128KB (131072). We run off-the-shelf software that cannot be changed to respect this limit. One example is DotNetNuke/Evoq, where the Admin interface uses a lot of XHR requests which break the size limit.
As far as I understand, this is now implemented, but the maximum limit is 128KB. This is still too low for some applications. We have COTS software that generates POST requests with large _VIEWSTATE that get blocked with 413 ModSecurity Action. Please raise the max value.
Could you give us an update on when this will be available (weeks, months, years)? And, maybe an update on the 20 Listener limit?
The size of the 128 kb is ridiculously small. Due to this our entire move to the cloud for an active/paying customer has been on halt. In the meantime, if Microsoft support members can simply help the existing Azure customers by updating these parameter values in our WAF instance (within our subscription) then at least we could go live and continue moving to Azure.
Jonathan Gonzalez commented
At least, while implementing the parameterization of this rule, they should be able to be deactivated so that at least it would allow us to use the rest of the firewall rules.
Gesintur Innovación y Gestión SL commented
100% agreement, we use .NET Web Forms and due to the size of the viewstate we cannot activate the WAF, which was the reason we implemented the Gateway.
Without being able to disable or configure this rule we cannot use the WAF.
Agree, makes the WAF useless.