You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/application-gateway/application-gateway-waf-configuration.md
+17-8Lines changed: 17 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: application-gateway
5
5
author: vhorne
6
6
ms.service: application-gateway
7
7
ms.workload: infrastructure-services
8
-
ms.date: 10/25/2018
8
+
ms.date: 11/6/2018
9
9
ms.author: victorh
10
10
11
11
---
@@ -26,25 +26,34 @@ Web Application Firewall allows users to configure request size limits within lo
26
26
- The maximum request body size field is specified in KBs and controls overall request size limit excluding any file uploads. This field can range from 1-KB minimum to 128-KB maximum value. The default value for request body size is 128 KB.
27
27
- The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and a maximum of 500 MB. The default value for file upload limit is 100 MB.
28
28
29
-
WAF also offers a configurable knob to turn the request body inspection on or off. By default, the request body inspection is enabled. If the request body inspection is turned off, WAF does not evaluate the contents of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF. However, the message body isn't inspected for vulnerabilities.
29
+
WAF also offers a configurable knob to turn the request body inspection on or off. By default, the request body inspection is enabled. If the request body inspection is turned off, WAF does not evaluate the contents of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.
WAF exclusion lists allow users to omit certain request attributes from a WAF evaluation. A common example is Active Directory inserted tokens that are used for authentication or password fields. Such attributes are prone to contain special characters that may trigger a false positive from the WAF rules. Once an attribute is added to the WAF exclusion list, it isn't taken into consideration by any configured and active WAF rule. Exclusion lists are global in scope.
36
-
You can add request headers, request body, request cookies, or request query string arguments to WAF exclusion lists. If the body has form data or XML/JSON (key value pairs) then request attribute exclusion type can be used.
36
+
37
+
The following attributes can be added to exclusion lists:
38
+
39
+
* Request Headers
40
+
* Request Cookies
41
+
* Request Body
42
+
43
+
* Form multi-part data
44
+
* XML
45
+
* JSON
37
46
38
47
You can specify an exact request header, body, cookie, or query string attribute match, or, can optionally specify partial matches.
39
48
40
49
The following are the supported match criteria operators:
41
50
42
-
-**Equals**: This operator is used for an exact match. As an example, for selecting header named **bearerToken** use equals operator with selector set as **bearerToken**.
43
-
-**Starts with**: This operator matches all fields that start with specified selector value.
44
-
-**Ends with**: This operator matches all request fields that end with specified selector value.
45
-
-**Contains**: This operator matches all request fields that contain specified selector value.
51
+
-**Equals**: This operator is used for an exact match. As an example, for selecting a header named **bearerToken**, use the equals operator with the selector set as **bearerToken**.
52
+
-**Starts with**: This operator matches all fields that start with the specified selector value.
53
+
-**Ends with**: This operator matches all request fields that end with the specified selector value.
54
+
-**Contains**: This operator matches all request fields that contain the specified selector value.
46
55
47
-
In all cases matching is case insensitive and regular expression are not allowed as selectors.
56
+
In all cases matching is case insensitive and regular expression aren't allowed as selectors.
0 commit comments