
Commit eca3a7e

Merge pull request #105522 from teresayao/Manganese
update overview with exclusion
2 parents 5806819 + 584dbcd commit eca3a7e

File tree

6 files changed

+52
-1
lines changed


articles/web-application-firewall/afds/afds-overview.md

Lines changed: 3 additions & 1 deletion
@@ -72,7 +72,7 @@ You can configure custom rules WAF as follows:
7272

7373
### Azure-managed rule sets
7474

75-
Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures. At public preview, the Azure-managed Default Rule Set includes rules against the following threat categories:
75+
Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Azure-managed Default Rule Set includes rules against the following threat categories:
7676

7777
- Cross-site scripting
7878
- Java attacks
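Review bot: removing "At public preview," leaves the changed sentence without an article; "Azure-managed Default Rule Set includes rules against the following threat categories" should read "The Azure-managed Default Rule Set includes rules against the following threat categories". Dropping the preview qualifier also changes the stated availability of the Default Rule Set, so confirm it has reached general availability before merging and check whether the same qualifier appears elsewhere in this article. Minor: the paragraph uses both "rule sets" and "rulesets"; pick one spelling.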
@@ -87,6 +87,8 @@ Azure-managed rule sets provide an easy way to deploy protection against a commo
8787
The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
8888
Default Rule Set is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule.
8989

90+
Sometimes you may need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You may configure an exclusion list for a managed rule, rule group, or for the entire rule set.
91+
9092
The Default action is to BLOCK. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.
9193

9294
Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
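Review bot: the new paragraph at line 90 is inserted between the sentence on per-rule actions (ALLOW/BLOCK/REDIRECT/LOG) and "The Default action is to BLOCK", which continues that earlier thought, so the rule-action discussion is now split around an unrelated topic; move the exclusion paragraph below the rule-action sentences (or after the custom-rules paragraph) so each topic stays together. It also introduces exclusion lists without pointing to the Exclusion lists article this PR adds to the TOC; add a sentence such as "For more information, see [Exclusion lists](waf-front-door-exclusion.md)." (path assumed from the toc.yml href in this PR). Worth adding one clause that an excluded attribute's value is not inspected at all, so readers scope an exclusion to the specific rule and field that needs it rather than the entire rule set.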
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
---
2+
title: Web application firewall exclusion lists in Azure Front Door - Azure portal
3+
description: This article provides information on exclusion lists configuration in Azure Front with the Azure portal.
4+
services: web-application-firewall
5+
author: vhorne
6+
ms.service: web-application-firewall
7+
ms.date: 02/25/2020
8+
ms.author: victorh
9+
ms.topic: conceptual
10+
---
11+
12+
# Web Application Firewall (WAF) with Front Door Service exclusion lists
13+
14+
Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. For example, Active Directory inserts tokens that are used for authentication. These tokens can contain special characters that may trigger a false positive from the WAF rules. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. An exclusion list can be configured using [PowserShell](https://docs.microsoft.com/powershell/module/az.frontdoor/New-AzFrontDoorWafManagedRuleExclusionObject?view=azps-3.5.0), [Azure CLI](https://docs.microsoft.com/cli/azure/ext/front-door/network/front-door/waf-policy/managed-rules/exclusion?view=azure-cli-latest#ext-front-door-az-network-front-door-waf-policy-managed-rules-exclusion-add), [Rest API](https://docs.microsoft.com/rest/api/frontdoorservice/webapplicationfirewall/policies/createorupdate), or the Azure portal. The following example shows the Azure portal configuration.
15+
## Configure exclusion lists using the Azure portal
16+
**Manage exclusions** is accessible from WAF portal under **Managed rules**
17+
18+
![Manage exclusion](../media/waf-front-door-exclusion/exclusion1.png)
19+
![Manage exclusion_add](../media/waf-front-door-exclusion/exclusion2.png)
20+
21+
An example exclusion list:
22+
![Manage exclusion_define](../media/waf-front-door-exclusion/exclusion3.png)
23+
24+
This example excludes the value in the *user* header field. A valid request may include the *user* field that contains a string that triggers a SQL injection rule. You can exclude the *user* parameter in this case so that the WAF rule doesn't evaluate anything in the field.
25+
26+
The following attributes can be added to exclusion lists by name. The values of the fields you use aren't evaluated against WAF rules, but their names are evaluated. The exclusion lists remove inspection of the field's value.
27+
28+
* Request header name
29+
* Request cookie name
30+
* Query string args name
31+
* Request body post args name
32+
33+
You can specify an exact request header, body, cookie, or query string attribute match. Or, you can optionally specify partial matches. The following operators are the supported match criteria:
34+
35+
- **Equals**: This operator is used for an exact match. For example, to select a header named **bearerToken**, use the equals operator with the selector set as **bearerToken**.
36+
- **Starts with**: This operator matches all fields that start with the specified selector value.
37+
- **Ends with**: This operator matches all request fields that end with the specified selector value.
38+
- **Contains**: This operator matches all request fields that contain the specified selector value.
39+
- **Equals any**: This operator matches all request fields. * is the selector value.
40+
41+
Header and cookie names are case insensitive.
42+
43+
You can apply exclusion list to all rules within the managed rule set, to rules for a specific rule group, or to a single rule as shown in the previous example.
44+
45+
## Next steps
46+
47+
After you configure your WAF settings, learn how to view your WAF logs. For more information, see [Front Door diagnostics](../afds/waf-front-door-monitor.md).
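Review bot: line 14 misspells the link text "PowserShell" (should be "PowerShell") and "Rest API" should be "REST API"; line 3's description, "exclusion lists configuration in Azure Front with the Azure portal", is missing "Door" after "Front". Line 16 ("**Manage exclusions** is accessible from WAF portal under **Managed rules**") lacks a terminating period. Line 26 first says field values aren't evaluated but names are, then restates that the lists remove inspection of the value; merge into one sentence, e.g. "Only the name of an excluded attribute is evaluated; its value is not inspected by the WAF rules." In line 39 the bare "*" at the start of a sentence can render as a list marker in Markdown; write it as the selector value `*` in code formatting. Line 43: "apply exclusion list" should be "apply an exclusion list". The Next steps link "../afds/waf-front-door-monitor.md" steps out of afds/ and straight back in; "waf-front-door-monitor.md" alone is the cleaner relative path for a file in the same directory.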

articles/web-application-firewall/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -50,6 +50,8 @@
5050
items:
5151
- name: Custom rules
5252
href: ./afds/waf-front-door-custom-rules.md
53+
- name: Exclusion lists
54+
href: ./afds/waf-front-door-exclusion.md
5355
- name: Policy settings
5456
href: ./afds/waf-front-door-policy-settings.md
5557
- name: Geo-filtering
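Review bot: the new entry's href "./afds/waf-front-door-exclusion.md" must match the path of the article added in this PR; the rendered diff shows the new file's contents without its path, so confirm it lives under afds/ with exactly this filename, otherwise the TOC link breaks. Indentation and ordering (after Custom rules, before Policy settings) are consistent with the neighbouring entries.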
