Currently Front Door supports a RuleType RateLimitRule - https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell. Add this same rule to the AppGateway custom WAF rules - https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

WAF - please remove the post data limit (128 KB) and File size limit (100 MB) - Why should I be restricted?

We should have the visibility/Dashboard to see what all rules are being triggred from the owasp 3.0

Currently if my website goes slow and application team reports that its slow because of waf we dont know what rules are being triggered.

We raise a ticket to Microsoft backed and then they will provide the set of rules to us. This dependency should be remove

Is it possible to adjust the default behaviour in 'prevention' mode?
We would like to answer the AppGw with a 404 instead of 403 to make any further attack attempts less likely.

Please give me the ability to add annotations to an IP address or range in WAF Policy custom rules. When adding an address, the ability to add a label such as 'Company HQ' or 'MD Home IP' would be great.

Please increase the block duration when configuration WAF Custom rule (ratelimit). Basically, we want to configure a WAF rules in 4 parameters per below but we cannot set the value for 1.
• Block the IP for 1)90 minutes if the IP sends HTTP request to 2) URL x for more than 3)100 times in 4) 5 minutes.

So far the block period is default to RateLimitDurationInMinutes and gets reset when the new cycle begins. There is no way we can configure the block period.

Enable Bot rules in prevention mode independent of OWASP rules status.
There should not be state dependency of other rule set on Bot Rules.