|
| 1 | +--- |
| 2 | +title: Configure a custom response page for Azure Web Application Firewall |
| 3 | +description: This article provides information on how to configure a custom response page for Azure Web Application Firewall. |
| 4 | +services: web-application-firewall |
| 5 | +ms.topic: article |
| 6 | +author: duongau |
| 7 | +ms.service: web-application-firewall |
| 8 | +ms.date: 02/26/2024 |
| 9 | +ms.author: duau |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure a custom response page for Azure Web Application Firewall |
| 13 | + |
| 14 | +This article describes how to configure a custom response page when Azure Web Application Firewall (WAF) blocks a request. |
| 15 | + |
| 16 | +By default, when WAF blocks a request, it returns a *403 Forbidden* response with the message *The request is blocked*. The default message includes the tracking reference string that is used to link to [log entries](application-gateway-waf-metrics.md). You can configure a custom response status code and message with a reference string for your use case. |
| 17 | + |
| 18 | +## Configure custom responses |
| 19 | + |
| 20 | +You can configure custom responses for WAF by using the Azure portal, PowerShell, or the Azure CLI. |
| 21 | + |
| 22 | +#### [Portal](#tab/browser) |
| 23 | + |
| 24 | +## Create a new WAF policy with a custom response |
| 25 | + |
| 26 | +1. In the Azure portal, select **+ Create a resource**, and search for and select **Web Application Firewall (WAF)**. Then select **Create**. |
| 27 | + |
| 28 | +1. On the **Basic** tab, enter or select the following information and then select **Policy settings** tab: |
| 29 | + - **Policy for**: Select **Regional WAF (Application Gateway)**. |
| 30 | + - **Subscription**: Select the subscription for the WAF. |
| 31 | + - **Resource group**: Select the resource group for the WAF. |
| 32 | + - **Policy name**: Enter a name for the WAF policy. |
| 33 | + - **Policy state**: Select the checkbox to enable the policy. |
| 34 | + - *Policy mode*: Select **Prevention** or **Detection**. |
| 35 | + |
| 36 | +1. On the **Policy settings** page, you can configure the block response status code and message. |
| 37 | + |
| 38 | + :::image type="content" source="../media/custom-response-code/policy-settings.png" alt-text="Screenshot of the custom response code settings under the policy settings tab during creation."::: |
| 39 | + |
| 40 | + - **Block response status code**: Enter the status code for the block response. The default is *403*. |
| 41 | + - **Block response body**: Enter the message for the block response. |
| 42 | + |
| 43 | +1. Complete the rest of the settings and then select **Review + create**. Review the settings and then select **Create**. |
| 44 | + |
| 45 | +## Configure existing WAF policy with a custom response |
| 46 | + |
| 47 | +1. Navigate to the WAF policy that you want to update. |
| 48 | + |
| 49 | +1. Expand the *Settings* section and then select **Policy settings**. |
| 50 | + |
| 51 | +1. On the **Policy settings** page, you can configure the block response status code and message. |
| 52 | + |
| 53 | + :::image type="content" source="../media/custom-response-code/update-policy-settings.png" alt-text="Screenshot of updating the custom response code settings under the policy settings tab."::: |
| 54 | + |
| 55 | + - **Block response status code**: Enter the status code for the block response. The default is *403*. |
| 56 | + - **Block response body**: Enter the message for the block response. |
| 57 | + |
| 58 | +#### [PowerShell](#tab/powershell) |
| 59 | + |
| 60 | +## Create a new WAF policy with a custom response |
| 61 | + |
| 62 | +1. Use the [New-AzApplicationGatewayFirewallPolicySettings](/powershell/module/az.network/new-azapplicationgatewayfirewallpolicysetting) to create the policy settings for the WAF policy. |
| 63 | + |
| 64 | + ```azurepowershell-interactive |
| 65 | + $policySettings = New-AzApplicationGatewayFirewallPolicySetting ` |
| 66 | + -Mode Prevention ` |
| 67 | + -State Enabled ` |
| 68 | + -CustomBlockResponseStatusCode 405 ` |
| 69 | + -CustomBlockResponseBody "Unauthorized access. The request is blocked." |
| 70 | + ``` |
| 71 | +
|
| 72 | +1. Use the [New-AzApplicationGatewayFirewallPolicy](/powershell/module/az.network/new-azapplicationgatewayfirewallpolicy) cmdlet to create a new WAF policy with custom response settings. |
| 73 | +
|
| 74 | + ``` azurepowershell-interactive |
| 75 | + New-AzApplicationGatewayFirewallPolicy ` |
| 76 | + -Name myWAFPolicy ` |
| 77 | + -ResourceGroupName myResourceGroup ` |
| 78 | + -Location EastUS ` |
| 79 | + -PolicySetting $policySettings |
| 80 | + ``` |
| 81 | +
|
| 82 | +## Configure existing WAF policy with a custom response |
| 83 | +
|
| 84 | +1. Use the [New-AzApplicationGatewayFirewallPolicySetting](/powershell/module/az.network/new-azapplicationgatewayfirewallpolicysetting) to create the policy settings for the WAF policy. |
| 85 | +
|
| 86 | + ```azurepowershell-interactive |
| 87 | + $policySettings = New-AzApplicationGatewayFirewallPolicySetting ` |
| 88 | + -CustomBlockResponseStatusCode 406 ` |
| 89 | + -CustomBlockResponseBody "Access denied. The request is blocked." |
| 90 | + ``` |
| 91 | +
|
| 92 | +1. Use the [Set-AzApplicationGatewayFirewallPolicy](/powershell/module/az.network/set-azapplicationgatewayfirewallpolicy) cmdlet to update the custom response settings for an existing WAF policy. |
| 93 | +
|
| 94 | +```azurepowershell-interactive |
| 95 | +Set-AzApplicationGatewayFirewallPolicy ` |
| 96 | + -Name myWAFPolicy ` |
| 97 | + -ResourceGroupName myResourceGroup ` |
| 98 | + -PolicySetting $policySettings |
| 99 | +``` |
| 100 | + |
| 101 | +#### [Azure CLI](#tab/azurecli) |
| 102 | + |
| 103 | +## Create a new WAF policy with a custom response |
| 104 | + |
| 105 | +Use the [az network application-gateway waf-policy create](/cli/azure/network/application-gateway/waf-policy) command to create a new WAF policy with custom response settings. The custom body must be **base64** encoded. |
| 106 | + |
| 107 | +```azurecli-interactive |
| 108 | +az network application-gateway waf-policy create \ |
| 109 | + --name myWAFPolicy \ |
| 110 | + --resource-group myResourceGroup \ |
| 111 | + --location eastus \ |
| 112 | + --type OWASP \ |
| 113 | + --version 3.2 \ |
| 114 | + --policy-settings custom-status-code=405 custom-body=VW5hdXRob3JpemVkIGFjY2Vzcy4gVGhlIHJlcXVlc3QgaXMgYmxvY2tlZC4= state=enabled |
| 115 | +``` |
| 116 | + |
| 117 | +## Configure existing WAF policy with a custom response |
| 118 | + |
| 119 | +Use the [az network application-gateway waf-policy policy-setting update](/cli/azure/network/application-gateway/waf-policy#az-network-application-gateway-waf-policy-update) command to update the custom response settings for an existing WAF policy. The custom body must be **base64** encoded. |
| 120 | + |
| 121 | +```azurecli-interactive |
| 122 | +az network application-gateway waf-policy policy-setting update \ |
| 123 | + --policy-name myWAFPolicy6 \ |
| 124 | + --resource-group AzureResourceGroup \ |
| 125 | + --custom-status-code 406 \ |
| 126 | + --custom-body=QWNjZXNzIGRlbmllZC4gVGhlIHJlcXVlc3QgaXMgYmxvY2tlZC4= |
| 127 | +``` |
| 128 | + |
| 129 | +--- |
| 130 | + |
| 131 | +## Next steps |
| 132 | + |
| 133 | +Learn more about [Azure Web Application Firewall logs](web-application-firewall-logs.md). |
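Review bot: The PowerShell steps for an existing policy (new-file lines 84-98) build the settings object with only `-CustomBlockResponseStatusCode` and `-CustomBlockResponseBody` and pass it to `Set-AzApplicationGatewayFirewallPolicy -PolicySetting`, whereas the create example on lines 65-69 also sets `-Mode Prevention` and `-State Enabled`. Please state whether mode and state are preserved or fall back to defaults on update, or show the existing settings being carried over. Someone running this against a policy in Prevention needs to know it stays in Prevention. Line 16 also promises a custom message "with a reference string", but none of the examples show how the tracking reference ends up in a custom body, so either document that or drop the claim. Smaller points: line 62 names the cmdlet `New-AzApplicationGatewayFirewallPolicySettings` while its link target and the code on line 65 use `New-AzApplicationGatewayFirewallPolicySetting`; line 119 attaches the `policy-setting update` text to the `#az-network-application-gateway-waf-policy-update` anchor, which is a different command; the CLI update example uses `myWAFPolicy6` and `AzureResourceGroup` where every other example uses `myWAFPolicy` and `myResourceGroup`, and writes `--custom-body=` with an equals sign next to space-separated options; the fence on line 74 has a space after the backticks and the block on lines 94-99 is not indented under its list item like the other steps; `*Policy mode*` on line 34 should be bold like its sibling items.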