Vasily

My feedback

  1. 492 votes
    27 comments  ·  Networking » Application Gateway
    Vasily supported this idea
    Vasily commented

    This is a showstopper for us too. Our client app may post a sizable request to a SOAP web service (not a file upload). The request size may grow up to tens of megabytes. We could disable the rule check for a particular path using a WAF Policy custom rule - alas, the request size check is a global mandatory rule that can only be disabled along with the "entire firewall".
    The protection from the OWASP Top 10 vulnerabilities is the main reason why we have implemented the Application Gateway with our ERP Suite. Now, we cannot enable the protection.
    It's understood why Microsoft is "limiting the request size configurable limit" to a relatively small value of 128 KB - performance concerns. OK, please let us completely exclude a particular path from the WAF processing, so that the request size check is also disabled.
    Thank you for your attention to this issue!

  2. 214 votes
    10 comments  ·  Networking » Application Gateway

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

    Vasily commented

    Thank you for your instructions, Chris!
    Unfortunately, the custom rule approach does not work for us: our rule that allows traffic is triggered, but the request fails anyway because the Request Body Size Limit is a mandatory rule that cannot be overridden, AFAIU. There is a case in our web app when a big chunk of data is posted to the server in a "regular" request (not a file upload). We've set up a WAF v2 Policy with a custom rule that Allows traffic for this type of request, alas, we're getting the 413 Request too large error again!
    It's like we've hit a wall! Our WAF has been fully set up and tuned for our web app, and now we can't use it. While it could be possible to re-implement the problem request in our app, it would be a very complex task.
    It would be great if WAF allowed excluding specific requests from the inspection completely, including the body size!

    Can anyone suggest a solution or a workaround for the issue?
    Is Microsoft planning to address this issue in any way?
    Is it possible to override or ignore the Request Body Size Limit for certain requests?

    Thank you!

    P. S. What's also strange about the custom rule we've set up: in the firewall log, the action recorded for it is still Blocked! The Message, in the Details, nevertheless says "Allowed":

    {
      "resourceId": "/SUBSCRIPTIONS/***/RESOURCEGROUPS/***/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAFV2",
      "operationName": "ApplicationGatewayFirewall",
      "category": "ApplicationGatewayFirewallLog",
      "properties": {
        "instanceId": "appgw_3",
        "clientIp": "***",
        "clientPort": "",
        "requestUri": "\/stocksimportdata\/nasdaq.aspx",
        "ruleSetType": "",
        "ruleSetVersion": "",
        "ruleId": "40",
        "message": "Mandatory rule. Cannot be disabled. Custom rule with name: excludeimpdata, priority: 40",
        "action": "Blocked",
        "site": "Global",
        "details": {
          "message": "Access allowed (phase 2). Pattern match \\\"(importdata\/)\\\" at REQUEST_URI. ",
          "data": "",
          "file": "\\\"\/etc\/nginx\/modsec\/AppGw-CustomRules.txt\\\"",
          "line": "2"
        },
        "hostname": "vm000003",
        "transactionId": "AcDcAcAXocAJAcAcAcAcAcAm"
      }
    }

    I wonder if the Action value is simply hardcoded in the log generator?
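Both comments above describe the same operational problem: a custom Allow rule fires, yet the mandatory request body size check still blocks the request, and the ApplicationGatewayFirewallLog record reports action "Blocked" while its details say "Access allowed". The script below is an added example (not from the commenter, Microsoft, or the Application Gateway product) showing how a defender can triage such firewall log exports: it parses JSON-lines records shaped like the one quoted above, flags entries whose top-level action contradicts the details message, and counts mandatory-rule blocks per request URI so the affected paths can be identified. The sample log lines are constructed for the example, and the wording of the body-size entry's messages is assumed, not taken from the real product.

```python
import json
from collections import Counter

# Constructed sample records modelled on the ApplicationGatewayFirewallLog entry quoted
# in the comment above. Every value here is a placeholder; the messages on the
# body-size record are assumed wording, not real Application Gateway output.
def _record(request_uri, rule_message, action, details_message, txn_id):
    return json.dumps({
        "resourceId": "/SUBSCRIPTIONS/placeholder/RESOURCEGROUPS/placeholder/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAFV2",
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_3",
            "clientIp": "203.0.113.10",  # documentation range, constructed
            "requestUri": request_uri,
            "ruleId": "40",
            "message": rule_message,
            "action": action,
            "site": "Global",
            "details": {"message": details_message, "data": "", "file": "", "line": "2"},
            "hostname": "vm000003",
            "transactionId": txn_id,
        },
    })

SAMPLE_LOG_LINES = [
    # 1. The contradictory case from the comment: custom Allow rule matched, action still Blocked.
    _record("/stocksimportdata/nasdaq.aspx",
            "Mandatory rule. Cannot be disabled. Custom rule with name: excludeimpdata, priority: 40",
            "Blocked", "Access allowed (phase 2). Pattern match \"(importdata/)\" at REQUEST_URI. ",
            "constructed-txn-1"),
    # 2. A body-size block on the same path (assumed message text).
    _record("/stocksimportdata/nasdaq.aspx",
            "Mandatory rule. Cannot be disabled. Request body size limit exceeded (constructed)",
            "Blocked", "Request body length exceeds configured limit (constructed)",
            "constructed-txn-2"),
    # 3. An ordinary custom-rule match that was not blocked.
    _record("/orders/list.aspx",
            "Custom rule with name: allowordersrule, priority: 10",
            "Matched", "Access allowed (phase 2). Pattern match \"(orders/)\" at REQUEST_URI. ",
            "constructed-txn-3"),
    # 4. A malformed line, as seen in truncated exports; the parser must skip it.
    "{ this is not valid json",
]


def parse_entries(lines):
    """Return only well-formed ApplicationGatewayFirewallLog records from JSON-lines input."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupted lines rather than aborting the run
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        entries.append(rec)
    return entries


def is_contradictory(entry):
    """True when the top-level action says Blocked but the details claim the request was allowed."""
    props = entry.get("properties", {})
    details_msg = props.get("details", {}).get("message", "")
    return props.get("action") == "Blocked" and details_msg.startswith("Access allowed")


def is_mandatory_rule(entry):
    """True for records attributed to a rule the WAF policy cannot disable per rule."""
    return entry.get("properties", {}).get("message", "").startswith("Mandatory rule")


def summarize(lines):
    """Triage summary: contradictory records and mandatory-rule blocks grouped by request URI."""
    entries = parse_entries(lines)
    contradictory = [e for e in entries if is_contradictory(e)]
    mandatory_blocks = [e for e in entries
                        if is_mandatory_rule(e) and e["properties"].get("action") == "Blocked"]
    by_uri = Counter(e["properties"]["requestUri"] for e in mandatory_blocks)
    return {
        "total": len(entries),
        "contradictory": len(contradictory),
        "contradictory_transaction_ids": [e["properties"]["transactionId"] for e in contradictory],
        "mandatory_blocks_by_uri": dict(by_uri),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
```

Feeding a real diagnostic-settings export (one JSON record per line) to summarize() gives the list of transaction IDs whose logged action disagrees with the details message, which is what to quote when raising the discrepancy with support, and the per-URI counts show which paths are hitting the mandatory body-size check rather than a disableable managed rule.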
