Ability to skip specific rules in Front Door WAF without skipping all rules
There are a number of managed rules that trigger false positives in Front Door's Web Application Firewall. For example, Google will attach a "gclid" URL parameter onto links for tracking; however, due to the randomness of this value, it can trigger the SQLI 942450 rule.
The only options to prevent this from affecting customers are either:
a) Remove the rule altogether, thereby reducing overall security across your backend hosts.
or b) Add in a custom rule to skip ALL rules when the "gclid" parameter is set (i.e. Allow traffic). This is perhaps even worse than option (a), since you've effectively removed the WAF protection in its entirety on those URLs.
I believe this can be remedied by offering an additional condition in the Custom Rules, allowing specific managed rules to be ignored/skipped on the parameter in question, i.e. I can ignore the SQLI 942450 rule for all "gclid" URL parameter values, but all other managed rules will still be checked against the "gclid" field.
This allows fine tuning of false-positives without forsaking the protection of the WAF.
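As an added illustration of the two approaches (this is example configuration, not something from the original request or from Microsoft): Front Door WAF policies later gained exclusion lists, which let you scope an exclusion to a single managed rule and a single argument name. The Bicep below shows the blanket "Allow when gclid is present" custom rule (option b) commented out for contrast, and the per-rule exclusion that keeps every other managed rule inspecting "gclid". The resource name, apiVersion, SKU and rule set version are assumptions chosen for the example; check them against the current Front Door WAF schema before deploying.

```bicep
// Added example, not part of the original post. Assumed values: resource name,
// apiVersion 2022-05-01, Premium SKU and DRS version 2.1 are illustrative.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'gclidTunedWafPolicy'
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }

    // Option (b) from the post, kept here only for contrast. An Allow custom
    // rule short-circuits evaluation, so a request carrying gclid is never
    // inspected by ANY managed rule: "?gclid=x&id=1'+OR+1=1--" passes untouched.
    // customRules: {
    //   rules: [
    //     {
    //       name: 'AllowGclid'
    //       priority: 100
    //       enabledState: 'Enabled'
    //       ruleType: 'MatchRule'
    //       action: 'Allow'
    //       matchConditions: [
    //         {
    //           matchVariable: 'QueryString'
    //           operator: 'Contains'
    //           matchValue: [
    //             'gclid='
    //           ]
    //         }
    //       ]
    //     }
    //   ]
    // }

    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'SQLI'
              rules: [
                {
                  ruleId: '942450'
                  enabledState: 'Enabled'
                  // Exclusion scoped to ONE rule and ONE argument name: 942450
                  // ignores the value of gclid, while every other managed rule
                  // (including the rest of the SQLI group) still inspects it.
                  exclusions: [
                    {
                      matchVariable: 'QueryStringArgNames'
                      selectorMatchOperator: 'Equals'
                      selector: 'gclid'
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

The difference worth checking after deployment: send a request with an obviously malicious value in a different parameter alongside a gclid value, for example a query string like `?gclid=abc&id=1' OR 1=1--`. With the per-rule exclusion it is still blocked by the other SQLI rules; with the commented-out Allow rule it reaches the backend.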
Chris Butler commented
This also applies to WAF Policies used for Application Gateway, and is extremely poor, insecure and violates the fundamental Information Security Principle of Least Privilege (whoever did the technical design on this obviously never sat a CompSci or InfoSec paper in their life).
HOWEVER I have reliable (as it gets from MS) information that we should expect to see some improvements in this area come to preview within H1 2020.