Merge pull request #191031 from johndowns/waf-appgw-limits

Application Gateway WAF - Split limits into its own doc

Author: v-regandowner

articles/web-application-firewall/ag/application-gateway-waf-configuration.md

@@ -1,29 +1,31 @@
 ---
-title: Web application firewall request size limits and exclusion lists in Azure Application Gateway - Azure portal
-description: This article provides information on Web Application Firewall request size limits and exclusion lists configuration in Application Gateway with the Azure portal.
+title: Web application firewall exclusion lists in Azure Application Gateway - Azure portal
+description: This article provides information on Web Application Firewall exclusion lists configuration in Application Gateway with the Azure portal.
 services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
-ms.date: 02/10/2022
+ms.date: 03/08/2022
 ms.author: victorh
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
 
-# Web Application Firewall request size limits and exclusion lists
+# Web Application Firewall exclusion lists
 
-The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. This article describes WAF request size limits and exclusion lists configuration. These settings are located in the WAF Policy associated to your Application Gateway. To learn more about WAF Policies, see [Azure Web Application Firewall on Azure Application Gateway](ag-overview.md) and [Create Web Application Firewall policies for Application Gateway](create-waf-policy-ag.md)
-
-## WAF exclusion lists
-
-![Request size limits](../media/application-gateway-waf-configuration/waf-policy.png)
+The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. This article describes the configuration for WAF exclusion lists. These settings are located in the WAF Policy associated to your Application Gateway. To learn more about WAF Policies, see [Azure Web Application Firewall on Azure Application Gateway](ag-overview.md) and [Create Web Application Firewall policies for Application Gateway](create-waf-policy-ag.md)
 
 Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
 
 For example, Active Directory inserts tokens that are used for authentication. When used in a request header, these tokens can contain special characters that may trigger a false positive from the WAF rules. By adding the header to an exclusion list, you can configure WAF to ignore the header, but WAF still evaluates the rest of the request.
 
 Exclusion lists are global in scope.
 
+To set exclusion lists in the Azure portal, configure **Exclusions** in the WAF policy resource's **Policy settings** page:
+
+![Screenshot of the Azure portal that shows the exclusions configuration for the W A F policy.](../media/application-gateway-waf-configuration/waf-policy-exclusions.png)
+
+## Attributes
+
 The following attributes can be added to exclusion lists by name. The values of the chosen field aren't evaluated against WAF rules, but their names still are (see Example 1 below, the value of the User-Agent header is excluded from WAF evaluation). The exclusion lists remove inspection of the field's value.
 
 * Request Headers
@@ -49,13 +51,13 @@ In all cases matching is case insensitive and regular expression aren't allowed
 > [!NOTE]
 > For more information and troubleshooting help, see [WAF troubleshooting](web-application-firewall-troubleshoot.md).
 
-### Examples
+## Examples
 
 [!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
 
 The following examples demonstrate the use of exclusions.
 
-#### Example 1
+### Example 1
 
 In this example, you want to exclude the user-agent header. The user-agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor, or software version of the requesting software user agent. For more information, see [User-Agent](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent).
 
@@ -69,7 +71,7 @@ $exclusion1 = New-AzApplicationGatewayFirewallExclusionConfig `
    -SelectorMatchOperator "Equals" `
    -Selector "User-Agent"
 ```
-#### Example 2
+### Example 2
 
 This example excludes the value in the *user* parameter that is passed in the request via the URL. For example, say it’s common in your environment for the user field to contain a string that the WAF views as malicious content, so it blocks it.  You can exclude the user parameter in this case so that the WAF doesn't evaluate anything in the field.
 
@@ -83,28 +85,6 @@ $exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig `
 ```
 So if the URL `http://www.contoso.com/?user%281%29=fdafdasfda` is passed to the WAF, it won't evaluate the string **fdafdasfda**, but it will still evaluate the parameter name **user%281%29**. 
 
-## WAF request size limits
-
-
-
-Web Application Firewall allows you to configure request size limits within lower and upper bounds. The following two size limits configurations are available:
-
-- The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. This field has a minimum value of 8 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.
-- The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and the following maximums:
-
-   - 100 MB for v1 Medium WAF gateways
-   - 500 MB for v1 Large WAF gateways
-   - 750 MB for v2 WAF gateways 
-
-The default value for file upload limit is 100 MB.
-
-For CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows when using a WAF Policy for Appplication Gateway:
-   
-   - 2MB request body size limit
-   - 4GB file upload limit 
-
-WAF also offers a configurable knob to turn the request body inspection on or off. By default, the request body inspection is enabled. If the request body inspection is turned off, WAF doesn't evaluate the contents of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.
-
 ## Next steps
 
 After you configure your WAF settings, you can learn how to view your WAF logs. For more information, see [Application Gateway diagnostics](../../application-gateway/application-gateway-diagnostics.md#diagnostic-logging).

articles/web-application-firewall/ag/application-gateway-waf-request-size-limits.md

@@ -0,0 +1,55 @@
+---
+title: Web application firewall request size limits in Azure Application Gateway - Azure portal
+description: This article provides information on Web Application Firewall request size limits in Application Gateway with the Azure portal.
+services: web-application-firewall
+author: vhorne
+ms.service: web-application-firewall
+ms.date: 03/08/2022
+ms.author: victorh
+ms.topic: conceptual 
+ms.custom: devx-track-azurepowershell
+---
+
+# Web Application Firewall request size limits
+
+Web Application Firewall allows you to configure request size limits within lower and upper bounds.
+
+Request size limits are global in scope.
+
+## Limits
+
+The following two size limits configurations are available:
+
+- The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. This field has a minimum value of 8 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.
+- The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and the following maximums:
+
+   - 100 MB for v1 Medium WAF gateways
+   - 500 MB for v1 Large WAF gateways
+   - 750 MB for v2 WAF gateways 
+
+The default value for file upload limit is 100 MB.
+
+For CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows when using a WAF policy for Appplication Gateway:
+   
+   - 2MB request body size limit
+   - 4GB file upload limit 
+
+To set request size limits in the Azure portal, configure **Global parameters** in the WAF policy resource's **Policy settings** page:
+
+![Screenshot of the Azure portal that shows the request size limits configuration for the W A F policy.](../media/application-gateway-waf-request-size-limits/waf-policy-limits.png)
+
+## Request body inspection
+
+WAF offers a configuration setting to enable or disable the request body inspection. By default, the request body inspection is enabled. If the request body inspection is disabled, WAF doesn't evaluate the contents of an HTTP message's body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.
+
+Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.
+
+When your WAF receives a request that's over the size limit, the behavior depends on the mode of your WAF and the version of the managed ruleset you use.
+- When your WAF policy is in prevention mode, WAF blocks requests that are over the size limit.
+- When your WAF policy is in detection mode:
+  - If you use CRS 3.2 or newer, WAF inspects the body up to the limit specified and ignores the rest.
+  - If you use CRS 3.1 or earlier, WAF inspects the entire message.
+
+## Next steps
+
+After you configure your WAF settings, you can learn how to view your WAF logs. For more information, see [Application Gateway diagnostics](../../application-gateway/application-gateway-diagnostics.md#diagnostic-logging).

articles/web-application-firewall/ag/web-application-firewall-troubleshoot.md

@@ -136,7 +136,7 @@ With this information, and the knowledge that rule 942130 is the one that matche
 
 - Use an Exclusion List
 
-   See [WAF configuration](application-gateway-waf-configuration.md#waf-exclusion-lists) for more information about exclusion lists.
+   See [WAF configuration](application-gateway-waf-configuration.md) for more information about exclusion lists.
 - Disable the rule.
 
 ### Using an exclusion list
@@ -171,7 +171,7 @@ In this example, you can see that the field where the *1=1* string was entered i
 
 :::image type="content" source="../media/web-application-firewall-troubleshoot/fiddler-1.png" alt-text="Screenshot of the Progress Telerik Fiddler Web Debugger. In the Raw tab, 1 = 1 is visible after the name text1." border="false":::
 
-This is a field you can exclude. To learn more about exclusion lists, See [Web application firewall request size limits and exclusion lists](application-gateway-waf-configuration.md#waf-exclusion-lists). You can exclude the evaluation in this case by configuring the following exclusion:
+This is a field you can exclude. To learn more about exclusion lists, See [Web application firewall exclusion lists](application-gateway-waf-configuration.md). You can exclude the evaluation in this case by configuring the following exclusion:
 
 ![WAF exclusion](../media/web-application-firewall-troubleshoot/waf-exclusion-02.png)
 

articles/web-application-firewall/media/application-gateway-waf-configuration/waf-exclusion.png

@@ -57,8 +57,10 @@
       href: ./ag/custom-waf-rules-overview.md
     - name: Geomatch custom rules
       href: ./ag/geomatch-custom-rules.md
-    - name: Request size limits and exclusion lists
+    - name: Exclusion lists
       href: ./ag/application-gateway-waf-configuration.md
+    - name: Request size limits
+      href: ./ag/application-gateway-waf-request-size-limits.md
     - name: WAF Policy overview
       href: ./ag/policy-overview.md
     - name: Bot protection overview