Highlight Application Gateway WAF rules in different risk levels

IMHO, Azure should provide some guidelines on WAF rule configurations.
At least highlight the most important rules which we must turn on, so we can feel a bit safe when we have to turn off some non-important rules.
For example:
Rule 1,2,3 – High risk; must turn on; when violated, do #a/b/c on your app to get compliant;
Rule 4,5,6 – Medium risk; recommended to turn on; do #e/f/g on your app to get compliant;
Rule 7,8,9 – Low risk; can be turned off.

P.S. It is kind of heavy for us to study all the rules: https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0/master/rules

4 votes

Samuel Li shared this idea

    1 comment

Glen Little commented

Also, rules that are flagged with a severity of "WARNING" in the specs are being completely blocked by the WAF.
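The idea asks for CRS rules sorted into High/Medium/Low buckets, and the comment points at the declared "WARNING" severity; as an added example (not from the poster, the commenter or Microsoft), the script below parses the SecRule metadata of the CRS v3 rule files linked in the post and buckets each rule by its declared severity, attaching the CRS v3 default anomaly score. The sample rules and their ids (9990xx) are constructed, and the severity-to-risk-label mapping is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OWASP CRS v3 SecRule syntax; ids 9990xx are placeholders, not real CRS rules.
SAMPLE_RULES = r"""SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners.data" \
    "id:999001,phase:1,block,\
    msg:'Found User-Agent associated with security scanner',\
    tag:'paranoia-level/1',severity:'CRITICAL'"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
    "id:999002,phase:1,block,\
    msg:'Content-Length HTTP header is not numeric',\
    tag:'paranoia-level/1',severity:'WARNING'"
SecRule REQUEST_URI "@rx \.(?:bak|old)$" \
    "id:999003,phase:2,block,\
    msg:'Backup file extension requested',\
    tag:'paranoia-level/3',severity:'NOTICE'"
"""

# CRS v3 default anomaly score per severity, plus the High/Medium/Low label
# the post asks for (the label mapping is an assumption for illustration).
SEVERITY_INFO = {"CRITICAL": (5, "High"), "ERROR": (4, "High"),
                 "WARNING": (3, "Medium"), "NOTICE": (2, "Low")}


def parse_secrules(text):
    """Extract id, msg, severity and paranoia level from every SecRule that carries an id."""
    folded = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines into one per rule
    rules = []
    for line in (l for l in folded.splitlines() if l.startswith("SecRule")):
        quoted = re.findall(r'"([^"]*)"', line)  # [operator, actions]; assumes no escaped quotes
        actions = quoted[-1] if quoted else ""
        rid = re.search(r"\bid:(\d+)", actions)
        if not rid:
            continue  # chained sub-rules carry no id of their own; skip them
        sev = re.search(r"severity:'?([A-Za-z]+)'?", actions)
        pl = re.search(r"tag:'paranoia-level/(\d)'", actions)
        msg = re.search(r"msg:'([^']*)'", actions)
        rules.append({"id": int(rid.group(1)), "msg": msg.group(1) if msg else "",
                      "severity": sev.group(1).upper() if sev else "UNKNOWN",
                      "paranoia": int(pl.group(1)) if pl else None})
    return rules


def triage(rules):
    """Bucket rules by risk label; each entry is (id, anomaly score, paranoia level, msg)."""
    buckets = defaultdict(list)
    for r in rules:
        score, label = SEVERITY_INFO.get(r["severity"], (0, "Unclassified"))
        buckets[label].append((r["id"], score, r["paranoia"], r["msg"]))
    return dict(buckets)
```

Run it over the real rule files from the linked repository to get a review order for deciding which rules to keep enabled; the severity is the rule author's declared weight, not Azure's guidance.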