Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
747 questions
Can I set WAF rules to Log by default and override specific ones to Block?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 28.000000000000004%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Rupesh Sonawane
0
Reputation points
Hey, I have set the WAF in Prevention mode to allow my custom rules like Rate limiting to be in effect with Blocking action. However as I was facing so many false positives with Microsoft_DefaultRuleSet 2.1, I changed the action as Log for it so that I can monitor the false postiives and do exclusions. Now I want to enable individual rules to be in Block mode while keeping others in Log action. When I'm performing this, it is only allowing me to set the action to either Log or Anomalyscoring. Although, even keeping Anomalyscoring action it Logs the request with Rule 949110 (The default rule which triggers when anomaly score has exceeded) and do not Blocks it! (Showing Log on Anomaly in portal)
Can anyone help me here or clarify if there is a possibility to keep all the rules in Log action by default and then override the specific rules to perform real Blocking action?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Prasanna Sinde 3,765 Reputation points Microsoft Vendor2025-02-10T08:44:42.8+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
While the Azure portal might not provide a direct way to override the default action for specific rules within a managed rule set but you achieve it through other methods like below:
Azure WAF allows you to create custom rules that have higher priority than managed rules, you can create custom rules that match the specific conditions of the rules you want to block and set their action to block.."https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#allowing-vs-blocking).") These custom rules will override the default Log action for those specific scenarios. Please refer the Microsoft document.
Or else, you can go for Azure CLI which will provide more granular control over WAF policies. You can use commands like az network application-gateway waf-policy managed-rules override add (for Azure Application Gateway) to override the action for specific rules within a managed rule set. This allows you to set the desired action (Block) for individual rules while keeping the default action (Log) for the rest of the rule set.
As you mentioned that even with the Anomaly Scoring action, requests are logged but not blocked. This might be due to the anomaly score threshold not being reached. The message that's logged when a WAF rule matches traffic includes the action value matched. If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value blocked and the request will be stopped.
Make sure that the anomaly score threshold is set appropriately in your WAF policy and also review the WAF logs to see the anomaly scores generated by different rules and adjust the threshold accordingly.
To minimize false positives and the need for extensive rule overrides, you can use exclusion lists to fine-tune WAF rules and prevent them from triggering on legitimate traffic. You can configure exclusions for various request attributes, such as headers, cookies, and query string parameters. Please refer the fixing false positive & disabling rules documents to avoid false positives.
Before implementing overrides or exclusions, it is important to identify the specific rule IDs that are causing false positives. You can find this information in the WAF logs. Tools like Log Analytics can help with detailed analysis of WAF logs and identification of problematic rules.
Kindly let us know if the above helps or you need further assistance on this issue.
-
Rupesh Sonawane 0 Reputation points
2025-02-10T13:23:04.66+00:00 Hey, @Sai Prasanna Sinde Thanks for the clarity!
As you mentioned If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value blocked and the request will be stopped. I have been using Terraform to deploy Frontdoor+WAF. Where I have kept Log action at the Rule set level along with WAF in Prevention Mode. As you can see in the above screenshot, anomaly score exceeded for one of the request and instead of Blocking, it is logging it (action_s=Log). I'm not really sure why this thing is happening, even we have the Microsoft's document clearly stating it as a proof.Also, thanks a lot about suggesting Azure CLI option, I'll have to check if it works for Frontdoor with WAF too, keeping my concern in mind about to keep Managed Rule set in Log mode and bring individual rules to Block action.
Sign in to comment
Sign in to answer