Azure Application Gateway OWASP rule issue: 941120
We have observed that the exclusion rule in Application Gateway WAF is not working. One of the Azure AD cookies, which are generated randomly, is creating a 403 issue on the gateway and blocking the request. The cookie will be like 'OpenIdConnect.nonce', which needs to be excluded, but it's not working since the name got concatenated with the value of the cookie. Please review this, since this seems to be a bug in the OWASP rule.
For example: REQUESTCOOKIESNAMES:OpenIdConnect.nonce.XcAqQkCKX3DproXEwEN5OnpgG3E2wFYTzxvyttvCLZo%3D ....
Bohdan Dnistrian commented
This issue triggers many rules, ticket duplicates https://feedback.azure.com/forums/217313-networking/suggestions/36260122-web-application-firewall-cookie-exclusions-only-ex
Fink, Michael commented
I have a similar problem and was wondering if anyone found a solution. We've tried adding a WAF rule where the request cookie contains OpenIdConnect.nonce; however, it doesn't seem to address this.
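Added example, not part of the thread and not Azure's code: a simplified Python model of how an exclusion selector is compared with request cookie names, assuming the random suffix shown in the log line above is part of the cookie name. The function names, the operator table and the sample header are constructed for illustration.

```python
# Simplified model of exclusion selector matching (assumption, not Azure's code).
OPERATORS = {
    "Equals": lambda name, selector: name == selector,
    "StartsWith": lambda name, selector: name.startswith(selector),
    "EndsWith": lambda name, selector: name.endswith(selector),
    "Contains": lambda name, selector: selector in name,
}


def cookie_names(cookie_header):
    """Return the cookie names, as sent, from a Cookie request header."""
    names = []
    for pair in cookie_header.split(";"):
        # Only the first "=" separates name from value; "%3D" stays in the name.
        name, _sep, _value = pair.strip().partition("=")
        if name:
            names.append(name)
    return names


def inspected_names(cookie_header, operator, selector):
    """Cookie names still passed to the rules after applying one exclusion."""
    match = OPERATORS[operator]
    return [n for n in cookie_names(cookie_header) if not match(n, selector)]


# Constructed header: the part after "OpenIdConnect.nonce." differs per sign-in.
NONCE_NAME = "OpenIdConnect.nonce.XcAqQkCKX3DproXEwEN5OnpgG3E2wFYTzxvyttvCLZo%3D"
SAMPLE_COOKIE = NONCE_NAME + "=constructed-value; session=constructed-session"

if __name__ == "__main__":
    # Exact match on the fixed part never equals the full name, so the
    # nonce cookie name is still inspected and can still trigger a rule.
    print(inspected_names(SAMPLE_COOKIE, "Equals", "OpenIdConnect.nonce"))
    # Prefix match covers every random suffix. The trailing dot keeps the
    # exclusion narrow: any cookie name with this prefix skips inspection.
    print(inspected_names(SAMPLE_COOKIE, "StartsWith", "OpenIdConnect.nonce."))
```

In this model only a prefix-style selector removes the nonce cookie name from inspection; an exact-match selector leaves it in place.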