articles/web-application-firewall/ag/web-application-firewall-troubleshoot.md
Lines changed: 20 additions & 20 deletions
Original file line number
Diff line number
Diff line change
@@ -1,20 +1,21 @@
1
1
---
2
-
title: Troubleshoot - Azure Web Application Firewall
2
+
title: Troubleshoot
3
+
titleSuffix: Azure Web Application Firewall
3
4
description: This article provides troubleshooting information for Web Application Firewall (WAF) for Azure Application Gateway
4
5
author: halkazwini
5
6
ms.author: halkazwini
6
7
ms.service: azure-web-application-firewall
7
8
ms.topic: concept-article
8
-
ms.date: 03/05/2024
9
+
ms.date: 03/31/2025
9
10
---
10
11
11
12
# Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway
12
13
13
-
There are a few things you can do if requests that should pass through your Web Application Firewall (WAF) are blocked.
14
+
If your Web Application Firewall (WAF) is blocking requests that should be allowed, there are a few steps you can take.
14
15
15
-
First, ensure you’ve read the [WAF overview](ag-overview.md) and the [WAF configuration](application-gateway-waf-configuration.md)documents. Also, make sure you’ve enabled [WAF monitoring](../../application-gateway/application-gateway-diagnostics.md) These articles explain how the WAF functions, how the WAF rule sets work, and how to access WAF logs.
16
+
Start by reviewing the [WAF overview](ag-overview.md) and [WAF configuration](application-gateway-waf-configuration.md)documentation, and ensure [WAF monitoring](../../application-gateway/application-gateway-diagnostics.md)is enabled. These articles explain how the WAF operates, how the rule sets work, and how to access WAF logs.
16
17
17
-
The OWASP rulesets are designed to be strict out of the box, and to be tuned to suit the specific needs of the application or organization using WAF. It's entirely normal, and expected in many cases, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives. Per-site and per-URI policies allow for these changes to only affect specific sites/URIs. So any changes shouldn’t have to affect other sites that may not be running into the same issues.
18
+
The OWASP rule sets are designed to be strict out of the box, and to be tuned to suit the specific needs of the application or organization using WAF. It's entirely normal, and expected in many cases, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives. Per-site and per-URI policies allow for these changes to only affect specific sites/URIs. So changes shouldn’t have to affect other sites that may not be running into the same issues.
18
19
19
20
## Understanding WAF logs
20
21
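Review bot: the rewritten intro paragraph (new line 16) still runs the link text into the following word in two places: `](application-gateway-waf-configuration.md)documentation` and `](../../application-gateway/application-gateway-diagnostics.md)is enabled` will render as "configurationdocumentation" and "monitoringis enabled". Add a space after each closing parenthesis: `...configuration.md) documentation, and ensure [WAF monitoring](...) is enabled.` The original line had the same defect on `)documents`, so this is the right moment to fix it rather than carry it forward. The title/titleSuffix split and the ms.date bump look fine.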
@@ -133,9 +134,7 @@ The final two log entries show the request was blocked because the anomaly score
133
134
134
135
With this information, and the knowledge that rule 942130 is the one that matched the `1=1` string, you can do a few things to stop this from blocking your traffic:
135
136
136
-
- Use an exclusion list
137
-
138
-
For more information about exclusion lists, see [WAF configuration](application-gateway-waf-configuration.md).
137
+
- Use an exclusion list. For more information about exclusion lists, see [WAF exclusion lists](application-gateway-waf-configuration.md).
139
138
140
139
- Disable the rule.
141
140
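Review bot: on new line 137 the link text changes to [WAF exclusion lists] but the target is still the whole `application-gateway-waf-configuration.md` page with no fragment, so the text now promises a section the link does not land on. Either keep the text "WAF configuration" or point at the exclusion section; the unchanged line 156 further down already links `application-gateway-waf-configuration.md#exclusion-scopes`, so a section anchor exists in that article. Merging the bullet and its follow-up sentence into one line is an improvement, and the trailing period now matches the "Disable the rule." bullet below.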
@@ -145,13 +144,13 @@ To make an informed decision about handling a false positive, it’s important t
145
144
146
145
One benefit of using an exclusion list is that only a specific part of a request is being disabled. However, this means that a specific exclusion is applicable to all traffic passing through your WAF because it's a global setting. For example, this could lead to an issue if *1=1* is a valid request in the body for a certain app, but not for others. Another benefit is that you can choose between body, headers, and cookies to be excluded if a certain condition is met, as opposed to excluding the whole request.
147
146
148
-
Occasionally, there are cases where specific parameters get passed into the WAF in a manner that may not be intuitive. For example, there's a token that gets passed when authenticating using Microsoft Entra ID. This token, *__RequestVerificationToken*, usually get passed in as a Request Cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute or `arg`. If this happens, you need to ensure that *__RequestVerificationToken* is added to the exclusion list as a **Request attribute name** as well.
147
+
Occasionally, there are cases where specific parameters get passed into the WAF in a manner that may not be intuitive. For example, there's a token that gets passed when authenticating using Microsoft Entra ID. *__RequestVerificationToken* is usually passed in as a request cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute or `arg`. If this happens, you need to ensure that *__RequestVerificationToken* is added to the exclusion list as a **Request attribute name** as well.
:::image type="content" source="../media/web-application-firewall-troubleshoot/exclusion-list.png" alt-text="Screenshot that shows the exclusion list.":::
151
150
152
151
In this example, you want to exclude the **Request attribute name** that equals *text1*. This is apparent because you can see the attribute name in the firewall logs: **data: Matched Data: 1=1 found within ARGS:text1: 1=1**. The attribute is **text1**. You can also find this attribute name a few other ways, see [Finding request attribute names](#finding-request-attribute-names).
:::image type="content" source="../media/web-application-firewall-troubleshoot/waf-config.png" alt-text="Screenshot that shows how to configure WAF exclusion lists.":::
155
154
156
155
You can create exclusions for WAF in Application Gateway at different scope levels. For more information, see [Web Application Firewall exclusion lists](application-gateway-waf-configuration.md#exclusion-scopes).
157
156
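Review bot: new line 147 fixes the verb agreement ("is usually passed"), but `*__RequestVerificationToken*` wraps a name beginning with two underscores in asterisk emphasis, which is fragile in Markdown and inconsistent with the backticked `arg` on the same line; use backticks for the literal token name in both sentences. Separately, the unchanged context on line 146 says an exclusion "is applicable to all traffic passing through your WAF because it's a global setting", while line 156 says exclusions can be created at different scope levels; since this hunk is being edited anyway, reconciling those two statements would stop readers concluding that every exclusion is policy-wide.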
@@ -169,11 +168,11 @@ With the help of [Fiddler](https://www.telerik.com/fiddler), you inspect individ
169
168
170
169
In this example, you can see that the field where the *1=1* string was entered is called **text1**.
171
170
172
-
:::image type="content" source="../media/web-application-firewall-troubleshoot/fiddler-1.png" alt-text="Screenshot of the Progress Telerik Fiddler Web Debugger. In the Raw tab, 1 = 1 is visible after the name text1." border="false":::
171
+
:::image type="content" source="../media/web-application-firewall-troubleshoot/fiddler-1.png" alt-text="Screenshot of the Progress Telerik Fiddler Web Debugger. In the Raw tab, 1 = 1 is visible after the name text1.":::
173
172
174
173
This is a field you can exclude. To learn more about exclusion lists, See [Web application firewall exclusion lists](application-gateway-waf-configuration.md). You can exclude the evaluation in this case by configuring the following exclusion:
:::image type="content" source="../media/web-application-firewall-troubleshoot/waf-exclusion-02.png" alt-text="Screenshot that shows WAF exclusion.":::
177
176
178
177
You can also examine the firewall logs to get the information to see what you need to add to the exclusion list. To enable logging, see [Back-end health, resource logs, and metrics for Application Gateway](../../application-gateway/application-gateway-diagnostics.md).
179
178
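Review bot: dropping `border="false"` on new line 171 is fine, but the alt text writes the matched string as "1 = 1" with spaces while the prose on line 169 uses *1=1*; the alt text should match the exact string the log entry shows so the screenshot and the text agree. While in this hunk, the unchanged line 175 has a mid-sentence capital in "To learn more about exclusion lists, See [...]"; lowercase "see".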
@@ -298,7 +297,7 @@ Fiddler is a useful tool once again to find request header names. In the followi
298
297
299
298
Another way to view request and response headers is to look inside the developer tools of Chrome. You can press F12 or right-click -> **Inspect** -> **Developer Tools**, and select the **Network** tab. Load a web page, and select the request you want to inspect.
:::image type="content" source="../media/web-application-firewall-troubleshoot/chrome-f12.png" alt-text="Screenshot that shows the result of clicking F12 in a Chrome browser.":::
302
301
303
302
## Finding request cookie names
304
303
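Review bot: the only changed line in this hunk (the `:::image` directive between lines 298 and 301) is rendered without a line number or +/- marker, so the actual change cannot be verified from this view; please confirm the image path and alt text survived intact, since the neighbouring hunk shows the same kind of directive being edited. The surrounding text is unchanged.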
@@ -314,9 +313,9 @@ If the request contains cookies, the **Cookies** tab can be selected to view the
314
313
315
314
- Disable maximum request body limit
316
315
317
-
By disabling max request body limit, large request bodies can be processed by the WAF without being rejected for being too large. This may be useful if you regularly have large requests.
316
+
By disabling max request body limit, WAF can process large request bodies without rejecting them for exceeding the size limit. This setting is useful if you regularly have large requests.
318
317
319
-
When you disable this option, the request body will only be inspected up to the max request body inspection limit. If there is malicious content in the request beyond the max request body inspection limit the WAF will not detect it.
318
+
When you disable this option, the request body will only be inspected up to the max request body inspection limit. If there's malicious content in the request beyond the max request body inspection limit the WAF won't detect it.
320
319
321
320
- Disable maximum file size limits
322
321
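Review bot: new line 316 has a dangling modifier: "By disabling max request body limit, WAF can process..." makes the WAF the agent that disables the limit. Suggest "When you disable the maximum request body limit, the WAF processes large request bodies without rejecting them for exceeding the size limit." New line 317 needs a comma before the main clause: "...beyond the max request body inspection limit, the WAF won't detect it." That sentence is the security-relevant caveat of the setting (content past the inspection limit is not inspected at all), so it deserves the same prominence as the benefit, for example as a note rather than a trailing paragraph.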
@@ -326,9 +325,9 @@ If the request contains cookies, the **Cookies** tab can be selected to view the
326
325
> If you know that your app will never need any file upload above a given size, you can restrict that by setting a limit.
327
326
328
327
> [!WARNING]
329
-
> When assigning a new managed ruleset to a WAF policy, all the previous customizations from the existing managed rulesets such as rule state, rule actions and rule level exclusions will be reset to the new managed ruleset's defaults. However, any custom rules, policy settings, and global exclusions will remain unaffected during the new ruleset assignment.
328
+
> When assigning a new managed ruleset to a WAF policy, all the previous customizations from the existing managed rulesets such as rule state, rule actions, and rule level exclusions will be reset to the new managed ruleset's defaults. However, any custom rules, policy settings, and global exclusions will remain unaffected during the new ruleset assignment.
330
329
331
-
## Firewall Metrics (WAF_v1 only)
330
+
## Firewall Metrics (WAF v1 only)
332
331
333
332
For v1 Web Application Firewalls, the following metrics are now available in the portal:
334
333
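Review bot: renaming the heading on new line 330 from "Firewall Metrics (WAF_v1 only)" to "Firewall Metrics (WAF v1 only)" changes the generated anchor (the `_v1` segment becomes `-v1`), so any inbound links to the old anchor break; search for references before merging or keep the old form. The heading should also follow the article's sentence case ("Understanding WAF logs"), so "Firewall metrics (WAF v1 only)". The Oxford comma added to the warning on line 328 is fine.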
@@ -341,6 +340,7 @@ For v1 Web Application Firewalls, the following metrics are now available in the
341
340
342
341
To enable metrics, select the **Metrics** tab in the portal, and select one of the three metrics.
343
342
344
-
## Next steps
343
+
## Next step
345
344
346
-
See [How to configure web application firewall on Application Gateway](tutorial-restrict-web-traffic-powershell.md).
345
+
> [!div class="nextstepaction"]
346
+
> [Configure Web Application Firewall on Application Gateway](tutorial-restrict-web-traffic-powershell.md)