You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/web-application-firewall/ag/application-gateway-waf-request-size-limits.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,7 @@ Web Application Firewall allows you to configure request size limits within a lo
22
22
23
23
The request body size field and the file upload size limit are both configurable within the Web Application Firewall. The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. The file upload limit field is specified in megabytes and it governs the maximum allowed file upload size. For the request size limits and file upload size limit, see [Application Gateway limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#application-gateway-limits).
24
24
25
-
For Application Gateway v2 Web Application Firewalls running Core Rule Set 3.2, or newer, the maximum request body size enforcement and max file upload size enforcement can be disabled and the Web Application Firewall will no longer reject a request, or file upload, for being too large. When maximum request body size enforcement and max file upload size enforcement are disabled within the Web Application Firewall the maximum size allowable is determined by Application Gateway's limits. For more information, see [Application Gateway limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#application-gateway-limits).
25
+
For Application Gateway v2 Web Application Firewalls running Core Rule Set 3.2, or newer, the maximum request body size enforcement and max file upload size enforcement can be disabled and the Web Application Firewall will no longer reject a request, or file upload, for being too large. When maximum request body size enforcement and max file upload size enforcement are disabled within the Web Application Firewall, Application Gateway's limits determine the maximum size allowable. For more information, see [Application Gateway limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#application-gateway-limits).
26
26
27
27
Only requests with Content-Type of *multipart/form-data* are considered for file uploads. For content to be considered as a file upload, it has to be a part of a multipart form with a *filename* header. For all other content types, the request body size limit applies.
28
28
@@ -35,19 +35,19 @@ Only requests with Content-Type of *multipart/form-data* are considered for file
35
35
36
36
## Request body inspection
37
37
38
-
Web Application Firewall offers a configuration setting to enable or disable the request body inspection. By default, the request body inspection is enabled. If the request body inspection is disabled, Web Application Firewall doesn't evaluate the contents of an HTTP message's body. In such cases, Web Application Firewall continues to enforce Web Application Firewall rules on headers, cookies, and URI. In Web Application Firewalls running Core Rule Set 3.1 (or lower) if the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.
38
+
Web Application Firewall offers a configuration setting to enable or disable the request body inspection. By default, the request body inspection is enabled. If the request body inspection is disabled, Web Application Firewall doesn't evaluate the contents of an HTTP message's body. In such cases, Web Application Firewall continues to enforce Web Application Firewall rules on headers, cookies, and URI. In Web Application Firewalls running Core Rule Set 3.1 (or lower), if the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.
39
39
40
-
For Policy Web Application Firewalls running Core Rule Set 3.2 (or newer) request body inspection can be enabled/disabled independently of request body size enforcement and file upload size limits. Additionally, policy Web Application Firewalls running Core Rule Set 3.2 (or newer) can set the maximum request body inspection limit independently of the maximum request body size. The maximum request body inspection limit tells the Web Application Firewall how deep into a request it should inspect and apply rules; setting a lower value for this field can improve Web Application Firewall performance but may allow for uninspected malicious content to pass through your Web Application Firewall.
40
+
For Policy Web Application Firewalls running Core Rule Set 3.2 (or newer), request body inspection can be enabled/disabled independently of request body size enforcement and file upload size limits. Additionally, policy Web Application Firewalls running Core Rule Set 3.2 (or newer) can set the maximum request body inspection limit independently of the maximum request body size. The maximum request body inspection limit tells the Web Application Firewall how deep into a request it should inspect and apply rules; setting a lower value for this field can improve Web Application Firewall performance but may allow for uninspected malicious content to pass through your Web Application Firewall.
41
41
42
-
For older Web Application Firewalls running Core Rule Set 3.1 (or lower) turning off the request body inspection allows for messages larger than 128 KB to be sent to Web Application Firewall, but the message body isn't inspected for vulnerabilities. For Policy Web Application Firewalls running Core Rule Set 3.2 (or newer) you can achieve the same outcome by disabling maximum request body limit.
42
+
For older Web Application Firewalls running Core Rule Set 3.1 (or lower), turning off the request body inspection allows for messages larger than 128 KB to be sent to Web Application Firewall, but the message body isn't inspected for vulnerabilities. For Policy Web Application Firewalls running Core Rule Set 3.2 (or newer), you can achieve the same outcome by disabling maximum request body limit.
43
43
44
44
When your Web Application Firewall receives a request that's over the size limit, the behavior depends on the mode of your Web Application Firewall and the version of the managed ruleset you use.
45
45
- When your Web Application Firewall policy is in prevention mode, Web Application Firewall logs and blocks requests and file uploads that are over the size limits.
46
46
- When your Web Application Firewall policy is in detection mode, Web Application Firewall inspects the body up to the limit specified and ignores the rest. If the `Content-Length` header is present and is greater than the file upload limit, Web Application Firewall ignores the entire body and logs the request.
47
47
48
48
## Trouble Shooting
49
49
50
-
If you are an Application Gateway v2 Web Application Firewall customer running Core Rule Set 3.2 or later and you have issues with requests, or file uploads, getting rejected incorrectly for maximum size, or if you see requests not getting inspected fully, you may need to verify that all values are set correctly. You can do this by using PowerShell or the Azure Command Line Interface to verify what each value is set to, and update any values as needed.
50
+
If you are an Application Gateway v2 Web Application Firewall customer running Core Rule Set 3.2 or later and you have issues with requests, or file uploads, getting rejected incorrectly for maximum size, or if you see requests not getting inspected fully, you may need to verify that all values are set correctly. Using PowerShell or the Azure Command Line Interface you can verify what each value is set to, and update any values as needed.
0 commit comments