MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

More useful examples of Exclusions #28250

Closed christianrondeau closed 5 years ago

christianrondeau commented 5 years ago

Reading this page, I still have no idea how exclusions work. What is a "request attribute"? Is it a header? And what does it exclude? The header, or the whole request?

More specifically, I'd like to know:

The examples using "abc" aren't helping to answer those questions. Also, having at least a few clues on how this should work in GitHub while the documentation is being written would be greatly helpful in the meantime.

Note that most of this has been asked in #19424 after it was closed, and was not resolved.


christianrondeau commented 5 years ago

Also more specifically about this part:

  • Request Headers

  • Request Cookies

  • Request Body

    • Form multi-part data
    • XML
    • JSON

I have no idea what this refers to; is this the list of strings I can enter in the "Request attribute" field? If so, how does "Request Body" differ from "XML", since it will do a string comparison anyway?

TravisCragg-MSFT commented 5 years ago

@christianrondeau Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

oaas commented 5 years ago

Regarding this page, I have a lot of concerns.

  1. As per: https://docs.microsoft.com/en-us/powershell/module/az.network/new-azapplicationgatewayfirewallexclusionconfig?view=azps-1.6.0. MatchVariable is not supported by "New-AzApplicationGatewayFirewallExclusionConfig". I suppose you have to update this command.

  2. In the example: $exclusion1 = New-AzApplicationGatewayFirewallExclusionConfig -MatchVariable "RequestHeaderNames" -SelectorMatchOperator "StartsWith" -Selector "xyz". What does that mean? Is it that the request header name contains "xyz" and is then whitelisted, or something else?

  3. The second example: $exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig -MatchVariable "RequestArgNames" -SelectorMatchOperator "Equals" -Selector "a". Does this match a) or b) or both? a) https://xx.xx.com/search?category=Category&a=hello b) https://xx.xx.com/search?a=hello

  4. I would like to suggest adding more scenarios, with request contents, and how to whitelist via WAF exclusion. For example: if a customer wants to whitelist https://xx.xx.com/search?a=hello, we can configure $exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig -Variable "RequestArgNames" -SelectorMatchOperator "Equals" -Selector "a".

Thanks a lot!

Masahigo commented 5 years ago

I couldn't agree more with @christianrondeau and @oaas.

Based on this documentation I have no idea whatsoever how to accomplish a simple exclusion for specific request URLs. I hope MS provides more thorough examples asap.

koraven commented 5 years ago

I had the same troubles with the docs and wrote to support. I asked them to show me some examples based on headers. Case: WAF blocks a request because User-Agent is 'Arachni'. I want to pass these requests.

Exclusions talk only about parameter NAMES, not parameter contents, so you can't exclude only "Arachni" from blocking, but you can exclude the "User-Agent" header, and then the whole User-Agent header will not be evaluated. The same applies to request attributes.

Example:
curl -v -A "Arachni/v1.5.1" "http://--.northeurope.cloudapp.azure.com/"
HTTP/1.1 403 ModSecurity Action

rule exclusions: Request header name --> Equals --> User-Agent
curl -v -A "Arachni/v1.5.1" "http://--.northeurope.cloudapp.azure.com/"
HTTP/1.1 200 OK

rule exclusions (this is how it does not work, because the exclusion contains not only the name, but also the contents of the header): Request header name --> Contains --> User-Agent: A
curl -v -A "Arachni/v1.5.1" "http://--.northeurope.cloudapp.azure.com/"
HTTP/1.1 403 ModSecurity Action

request attribute name -> equals -> q

curl -v "http://--.northeurope.cloudapp.azure.com/?q='>"
> GET /?q='><script>alert(1)</script> HTTP/1.1
> User-Agent: curl/7.55.1
< HTTP/1.1 200 OK

request attribute name -> equals -> q (excluding q, but requesting b)

curl -v "http://--.northeurope.cloudapp.azure.com/?b='><script>alert(1)</script>"
> GET /?b='><script>alert(1)</script> HTTP/1.1
> User-Agent: curl/7.55.1
< HTTP/1.1 403 ModSecurity Action

Masahigo commented 5 years ago

@koraven Thanks for sharing! So the exclusion lists are basically for whitelisting HTTP header fields and request params with no extra control over the content. Sounds to me like it's a better idea to disable individual WAF rules than to allow too loose control over those.

koraven commented 5 years ago

I don't agree that disabling rules is better. WAF just doesn't analyze the header/param you specified. The rest of the request will be analyzed. There is a good case in the documentation:

A common example is Active Directory inserted tokens that are used for authentication or password fields. Such attributes are prone to contain special characters that may trigger a false positive from the WAF rules.

So you just ignore these tokens. Or, for example, you have a GET parameter which triggers WAF. You can just add it to the exclusions. If you disable a rule, it will be applied to the whole request. Exclusions work for a header/parameter only.

Masahigo commented 5 years ago

Well, here is one example I tried.

The application is making requests to the following kind of URL:

/WebResource.axd?d=x2nkrMJGXkMELz33nwnakBtj8_wwSb6SD2q3v6EXOnEehzSF5WulAH5VQWl1XV_235TYl9te0oW9jcos8nz_Yp1qxLQWEO3cE0E8Lo1q_R41&t=636849238732623132

Added exclusion rules for the params:

$exclusion1 = New-AzApplicationGatewayFirewallExclusionConfig -Variable "RequestArgNames" -Operator "Equals" -Selector "d"
$exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig -Variable "RequestArgNames" -Operator "Equals" -Selector "t"

$firewallConfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention -Exclusion $exclusion1,$exclusion2

When trying to query the url:

GET https://beta.terveystalo.com/WebResource.axd?d=pynGkmcFUV13He1Qd6_TZJVzvP4rOWcZXejkHC3Oax6SCfEC3VvVelGSFWOLeefVRqVC-rB88uVxAfiW1ZdD2A2&t=636849238732623132 net::ERR_ABORTED 403 (ModSecurity Action)

--> log entry:
ruleId_s: 920440
Message: URL file extension is restricted by policy

Excluding the params does not help in this case: there's a WAF rule that restricts specific file extensions.

Another case I'd need to tackle would be to exclude a specific URL path, which doesn't seem possible.
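
To make the name-only semantics concrete, here is an added Python model (not Azure's code and not from the docs) that reproduces koraven's User-Agent and q/b experiments, oaas's question about a=hello, and the WebResource.axd case above. It assumes that an exclusion matches attribute names only, that the request path can never be excluded, and that matching is case-sensitive; the Exclusion class and the inspected() function are constructed for this illustration.

```python
# Constructed model (not Azure's code) of the exclusion semantics described in this thread:
# an exclusion matches an attribute NAME (header, cookie or query-arg name), never its value,
# and removes only that attribute from inspection. Case-sensitive matching is an assumption.
from dataclasses import dataclass
from typing import Dict, List

# Selector match operators named in the thread, each applied to the attribute name only.
OPERATORS = {
    "Equals": lambda name, sel: name == sel,
    "Contains": lambda name, sel: sel in name,
    "StartsWith": lambda name, sel: name.startswith(sel),
    "EndsWith": lambda name, sel: name.endswith(sel),
}
# Match variable -> the part of the request the exclusion applies to.
VARIABLE_PART = {"RequestHeaderNames": "headers", "RequestArgNames": "args",
                 "RequestCookieNames": "cookies"}

@dataclass
class Exclusion:
    variable: str  # e.g. "RequestArgNames"
    operator: str  # e.g. "Equals"
    selector: str  # e.g. "q"

def inspected(request: Dict, exclusions: List[Exclusion]) -> Dict:
    """Return what the WAF would still evaluate once the exclusions are applied.
    The path is always kept: exclusions cannot cover it, which is why a file-extension
    rule such as 920440 still fires when only query-arg names are excluded."""
    out = {"path": request["path"], "headers": {}, "args": {}, "cookies": {}}
    for part in ("headers", "args", "cookies"):
        for name, value in request.get(part, {}).items():
            excluded = any(VARIABLE_PART[e.variable] == part
                           and OPERATORS[e.operator](name, e.selector) for e in exclusions)
            if not excluded:
                out[part][name] = value
    return out

# Constructed requests reproducing the thread's experiments (the d= token is a placeholder).
ARACHNI = {"path": "/", "headers": {"User-Agent": "Arachni/v1.5.1"}}
XSS_Q = {"path": "/", "args": {"q": "'><script>alert(1)</script>"}}
XSS_B = {"path": "/", "args": {"b": "'><script>alert(1)</script>"}}
SEARCH = {"path": "/search", "args": {"category": "Category", "a": "hello"}}
WEBRESOURCE = {"path": "/WebResource.axd", "args": {"d": "<token>", "t": "636849238732623132"}}

if __name__ == "__main__":
    # "Contains User-Agent: A" never matches a header NAME, so the header stays inspected.
    print(inspected(ARACHNI, [Exclusion("RequestHeaderNames", "Contains", "User-Agent: A")]))
    print(inspected(WEBRESOURCE, [Exclusion("RequestArgNames", "Equals", "d"),
                                  Exclusion("RequestArgNames", "Equals", "t")]))
```

Anything the model still returns (here: the path, and any header or argument whose name no exclusion matched) is what the rule set keeps evaluating.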

DeepMalh44 commented 5 years ago

Hi All, we have implemented WAF and are getting some false positives for one of the web applications we have, and hence a 403 in prevention mode (log screenshot below). Can someone help with how I can get rid of these false positives so that we can get the web application to work with WAF Prevention mode enabled? These are all valid URLs and not really any injection attacks.

vhorne commented 5 years ago

Additional info has been added:
https://docs.microsoft.com/azure/application-gateway/application-gateway-waf-configuration
https://docs.microsoft.com/azure/application-gateway/custom-waf-rules-overview
https://docs.microsoft.com/azure/application-gateway/create-custom-waf-rules
https://docs.microsoft.com/azure/application-gateway/configure-waf-custom-rules

vhorne commented 5 years ago

please-close

DeepMalh44 commented 5 years ago

The documentation doesn't say that this is applicable only to V2 App Gateways and will not work with V1 App Gateways. Please point me to where it has been updated to mention it. @vhorne

asanka-indrajith commented 3 years ago

@ketaanhshah Did you find a way?

Jeremyp87 commented 2 years ago

Is there any progress on this?

durayakar commented 2 years ago

Is the short answer "You cannot create Azure WAF exclusions based on the URL of the request"?

This is a basic and fundamental feature. A quick web search will reveal that a "rule exclusion based on URLs" feature has been available for Palo Alto, Cisco, Fortinet, Sophos and SonicWall firewalls since the beginning of time, not only in next-gen.

durayakar commented 2 years ago

@koraven Thanks for sharing! So the exclusion lists are basically for whitelisting HTTP header fields and request params with no extra control over the content. Sounds to me like it's a better idea to disable individual WAF rules than to allow too loose control over those.

This is NOT a better idea. Just because I identified that one request parameter on one page is generating a false positive for SQL injection on my application, shall I disable the entire rule? Or shall I exclude that parameter for any URL? Sorry, but neither option sounds like a good idea. URL-based exceptions have existed since the beginning of time for all layer 7 firewalls but Azure WAF.

sanderrhorst commented 2 years ago

Regarding this discussion:

I am searching for a solution to exclude certain requests based on the request body, which is JSON. What we do is upload a list of jailbreak rules to the application which is behind the Azure WAF. I have added a screenshot of the logs below where you can see why the requests are being blocked.

Is it possible to exclude the WAF from checking based on the body of the request? And if so, where can I find an example for this?

PS: I don't want to simply create an exclusion rule that excludes the WAF on /upload, for example. I think that this would be unsafe.

@durayakar, could you maybe take a look at my question?

Az-dev-9 commented 1 year ago

Hello,

I am going through this thread and I am getting desperate.. What is the final verdict?

Can we make specific exclusions based on URL match or not?

chaoscreater commented 1 year ago

Hello,

I am going through this thread and I am getting desperate.. What is the final verdict?

Can we make specific exclusions based on URL match or not?

Need to know this as well. At the moment, you can exclude URL for custom rules, but you can't do this for exclusion rules.

arrayofletters commented 6 months ago

This is a pretty poorly featured product.