Can I set WAF rules to Log by default and override specific ones to Block?

Rupesh Sonawane 0

Hey, I have set the WAF in Prevention mode to allow my custom rules like Rate limiting to be in effect with Blocking action. However as I was facing so many false positives with Microsoft_DefaultRuleSet 2.1, I changed the action as Log for it so that I can monitor the false postiives and do exclusions. Now I want to enable individual rules to be in Block mode while keeping others in Log action. When I'm performing this, it is only allowing me to set the action to either Log or Anomalyscoring. Although, even keeping Anomalyscoring action it Logs the request with Rule 949110 (The default rule which triggers when anomaly score has exceeded) and do not Blocks it! (Showing Log on Anomaly in portal)
Can anyone help me here or clarify if there is a possibility to keep all the rules in Log action by default and then override the specific rules to perform real Blocking action?

Sai Prasanna Sinde 3,845 Reputation points Microsoft Vendor

2025-02-10T08:44:42.8+00:00

Hi @Rupesh Sonawane

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

While the Azure portal might not provide a direct way to override the default action for specific rules within a managed rule set but you achieve it through other methods like below:

Azure WAF allows you to create custom rules that have higher priority than managed rules, you can create custom rules that match the specific conditions of the rules you want to block and set their action to block.."https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#allowing-vs-blocking).") These custom rules will override the default Log action for those specific scenarios. Please refer the Microsoft document.

Or else, you can go for Azure CLI which will provide more granular control over WAF policies. You can use commands like az network application-gateway waf-policy managed-rules override add (for Azure Application Gateway) to override the action for specific rules within a managed rule set. This allows you to set the desired action (Block) for individual rules while keeping the default action (Log) for the rest of the rule set.

As you mentioned that even with the Anomaly Scoring action, requests are logged but not blocked. This might be due to the anomaly score threshold not being reached. The message that's logged when a WAF rule matches traffic includes the action value matched. If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value blocked and the request will be stopped.

Make sure that the anomaly score threshold is set appropriately in your WAF policy and also review the WAF logs to see the anomaly scores generated by different rules and adjust the threshold accordingly.

To minimize false positives and the need for extensive rule overrides, you can use exclusion lists to fine-tune WAF rules and prevent them from triggering on legitimate traffic. You can configure exclusions for various request attributes, such as headers, cookies, and query string parameters. Please refer the fixing false positive & disabling rules documents to avoid false positives.

Before implementing overrides or exclusions, it is important to identify the specific rule IDs that are causing false positives. You can find this information in the WAF logs. Tools like Log Analytics can help with detailed analysis of WAF logs and identification of problematic rules.

Kindly let us know if the above helps or you need further assistance on this issue.
Rupesh Sonawane 0 Reputation points

2025-02-10T13:23:04.66+00:00

Hey, @Sai Prasanna Sinde Thanks for the clarity!
As you mentioned If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value blocked and the request will be stopped. I have been using Terraform to deploy Frontdoor+WAF. Where I have kept Log action at the Rule set level along with WAF in Prevention Mode. As you can see in the above screenshot, anomaly score exceeded for one of the request and instead of Blocking, it is logging it (action_s=Log). I'm not really sure why this thing is happening, even we have the Microsoft's document clearly stating it as a proof.

Also, thanks a lot about suggesting Azure CLI option, I'll have to check if it works for Frontdoor with WAF too, keeping my concern in mind about to keep Managed Rule set in Log mode and bring individual rules to Block action.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-11T06:45:02.4033333+00:00

Hi @ Rupesh Sonawane

As there is no option to change the action from the portal in Microsoft_DefaultRuleSet_2.1, you can change it using the Azure CLI command as shown below.**
**
az network front-door waf-policy managed-rules override add --rule-group-id "MS-ThreatIntel-AppSec" --rule-id "99030001" --action "Block" --resource-group "Venkat-RG" --subscription "" --policy-name "venkatwaf" --type ""

Reference: https://learn.microsoft.com/en-us/cli/azure/network/front-door/waf-policy/managed-rules/override?view=azure-cli-latest#az-network-front-door-waf-policy-managed-rules-override-add

I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-11T11:44:39.9566667+00:00

Hi @Rupesh Sonawane

Welcome to the Microsoft Q&A Platform

Thank you for reaching out, & I hope you are doing well.

Rule 949110 (The default rule which triggers when anomaly score has exceeded) and do not Blocks it! (Showing Log on Anomaly in portal)

If your policy is in prevention mode but is still not blocking the request even when the score reaches 5 or greater, it may be because you changed the anomaly score action to something other than Block. Kindly update the action to block.

As per Ms. Doc: If the anomaly score is 5 or greater and the WAF is in prevention mode, the request is blocked. If the anomaly score is 5 or greater and the WAF is in detection mode, the request is logged but not blocked.

Reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#anomaly-scoring

Can anyone help me here or clarify if there is a possibility to keep all the rules in Log action by default and then override the specific rules to perform real Blocking action?

As there is no option to change the rule action block as it supports only Log and Anomaly scrore in Microsoft_DefaultRuleSet_2.1.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-11T16:53:50.62+00:00

Sorry for the inconvenience

The CLI command is only working for log to Anomalyscoring and Anomalyscoring to log, as it does not change to any other actions like block; this has been tested from my end as well, as same as portal.

In your case, if Anomalyscoring is set but not blocking, change the Anomas scoring action to block. So in this case if Anomas's score reaches 5 or higher, the action will be blocked automatically.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-12T05:21:41.6633333+00:00

Hi @Rupesh Sonawane

I just wanted to follow up and see if you had a chance to review my response in the comment to your question.

Hope this helps!

If the above is unclear and/or you are unsure about something, add a comment below.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-12T12:20:25.4733333+00:00

Hi @Rupesh Sonawane

I just wanted to follow up and see if you had a chance to review my response in the comment to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Rupesh Sonawane 0 Reputation points

2025-02-12T13:40:49.4566667+00:00

Hey @Vallepu Venkateswarlu , thanks for clearing this out that we cannot set WAF to Block action for individual rule when Managed Rule set is set to Log.
In order to achieve this, I may need to set the WAF Rule set on Block action while all the rules should set to Log (to prevent false positives) except the rules which I think are ready for Block action must be brought to Anomalyscoring action. But again this will be a real challenge to easily identify the rules which could have contributed to the Rule trigger if they were set to anomalyscoring, through Log Analytics.
Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-14T05:00:38.0933333+00:00

Hi @Rupesh Sonawane

I just wanted to follow up and see if you had a chance to review my response to your question.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.

1 answer

Vallepu Venkateswarlu 80 Reputation points Microsoft Vendor

2025-02-13T11:31:39.5266667+00:00
Hi @Rupesh Sonawane

Thanks for your response.

But again this will be a real challenge to easily identify the rules which could have contributed to the Rule trigger if they were set to anomalyscoring, through Log Analytics.

To answer your questions,here is the KQL query to check which requests are being blocked by anomalyscoring in the WAF policy.

AzureDiagnostics | where Category =="ApplicationGatewayFirewallLog" | where Message contains "Anomaly Score Exceeded" | project TimeGenerated, Category,ruleId_s,Resource,Message,action_s

Output

Note: Block and Allow actions are available only for WAF Policy for Regional WAF (Application Gateway), not for Global WAF (Front Door).

Portal result of Regional WAF( Application Gateway)

I hope this helps to resolve your issue!

If this helps to resolve your query, please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Can I set WAF rules to Log by default and override specific ones to Block?

1 answer

Your answer