Currently Front Door supports a RuleType RateLimitRule - https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell. Add this same rule to the AppGateway custom WAF rules - https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

WAF - please remove the post data limit (128 KB) and File size limit (100 MB) - Why should I be restricted?

We should have the visibility/Dashboard to see what all rules are being triggred from the owasp 3.0

Currently if my website goes slow and application team reports that its slow because of waf we dont know what rules are being triggered.

We raise a ticket to Microsoft backed and then they will provide the set of rules to us. This dependency should be remove

When the traffic was blocked by rule ID 200004 of WAF log.Currently, By checking the rule log, I saw the message said ",{"message":"Access denied with code 403 (phase 2). " but the action is matched.

The expectation of this WAF log behavior is blocked, can we modify the action from matched to blocked in WAF log?

Is it possible to adjust the default behaviour in 'prevention' mode?
We would like to answer the AppGw with a 404 instead of 403 to make any further attack attempts less likely.

Please increase the block duration when configuration WAF Custom rule (ratelimit). Basically, we want to configure a WAF rules in 4 parameters per below but we cannot set the value for 1.
• Block the IP for 1)90 minutes if the IP sends HTTP request to 2) URL x for more than 3)100 times in 4) 5 minutes.

So far the block period is default to RateLimitDurationInMinutes and gets reset when the new cycle begins. There is no way we can configure the block period.

Enable Bot rules in prevention mode independent of OWASP rules status.
There should not be state dependency of other rule set on Bot Rules.

Please give me the ability to add annotations to an IP address or range in WAF Policy custom rules. When adding an address, the ability to add a label such as 'Company HQ' or 'MD Home IP' would be great.

Allow first time offending IP addresses to be temporarily blocked, then automatically unblocked if no additional offences are registered from the said address.

When the traffic was blocked by rule ID 200004 of WAF log.Currently, By checking the rule log, I saw the message said ",{"message":"Access denied with code 403 (phase 2). " but the action is matched.

The expectation of this WAF log behavior is blocked, can we modify the action from matched to blocked in WAF log?

When manage WAF policy on regional WAF, we cannot change the action of some rules like global WAF policy.
User can either enable or disable the rules, but unable to choose log traffic for some particular rules.