Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,194 questions
How to effectively tune Azure WAF without exhausting too many resources
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 92%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jyotirmoy Pan
0
Reputation points
We have Azure WAF rules in prevention mode in both Azure Front Door and APIM gateway. We are facing this issue for a long term due to so many false positives blocking requests from our end users, frustrating us and users as there is no predictive pattern.
In the past the same question has been asked and the answer is to tune WAF and keep adding to exclusion list. However, on an enterprise scale this is not easy to achieve. For example, we have approximately 0K WAF blocks. Out of these 99% seem to be rightly prevented but 1% or about 100 requests are false positives. Now we then need a dedicated team just to go through these 100 requests and add them to exclusion lists. This is both exhausting and time consuming and non-sustainable.
We would like to understand if there are any solutions that can actually provide us a list of false positives and add them to exclusion lists with single point approvals instead of the entire process being manual. If not, how is Microsoft envisaging enterprises to manage this? We would need some guidance on the best practices as this has been one of our biggest pain areas around improving end user experience.
{count} votes
-
Jyotirmoy Pan 0 Reputation points
2024-11-07T15:35:30.6933333+00:00 *10K requests
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,536 Reputation points Microsoft Employee2024-11-07T19:48:33.59+00:00 Thank you for reaching out.I understand you are facing issue regarding false positive for you WAF and you wish to know if there is any solution available to tackle this problem at scale
Based on your statements above
We would like to understand if there are any solutions that can actually provide us a list of false positives and add them to exclusion lists with single point approvals instead of the entire process being manual. If not, how is Microsoft envisaging enterprises to manage this?
Currently we do not have an out of the box solution for this where a list of false positives can be provided and adding them to the exclusion list.
This great feedback and it will help if you could file this on our feedback portal here. Meanwhile I will also share this feedback with the team internally.
If it helps you can leverage Azure WAF Rest API to automate and streamline the process of creating exclusion rules. As an example you can also use Azure Logic App to invoke the rest API as showcased here which can help tackle this problem at scale.
We would need some guidance on the best practices as this has been one of our biggest pain areas around improving end user experience.
As you mentioned that you are already fine tuning WAF and adding exclusion list.
There can be additional ways using which you can avoid false positives in WAF few are discussed in this blog post here where you can use disable rule in some scenarios to avoid false positives or add specific exclusions or custom rules
You can also go through this WAF tutorial (16.30) to understand WAF tuning basics and examples for how WAF rules are triggered for a particular request using pattern match (39.10) and see if that helps in avoiding False positive in your scenario.
Hope this helps! Please let me know if you have any questions. Thank you!
Sign in to comment
Sign in to answer