
I have an App GW WAF v2 where I need to set up a custom rule to check for the presence of a Request Header. I couldn't get it to work. So next I set up a very simple check.

"customRules": [{
    "name": "blockTEST",
    "priority": 1,
    "ruleType": "MatchRule",
    "matchConditions": [{
        "matchVariables": [{"variableName": "RequestHeaders", "selector": "My-Header"}],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": ["evil"],
        "transforms": ["Lowercase"]
    }],
    "action": "Block"
}]

I am submitting a request with "My-Header" as a header and with the value of "evil". But it doesn't block it. I have also tried various comparison operators including Starts With, Contains, Equals, ... but nothing works.

So far the only custom rule that works is when I set a Block based on IP. But that's not what I want.

Any suggestions? Jake.


1 Answer


I tried to reproduce the same in my environment and got the results successfully like below:

I created application gateway WAF v2 and created a sample custom rule like below:


When I check the request with my header it blocks successfully like below:

# Match variable: the request header to inspect (selector = header name)
$variable = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

# Condition: lowercase the header value, then match it against the regex "evilbot"
$condition = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable `
   -Operator Regex `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

# Custom rule: block when the condition matches; priority must be unique per policy
$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name blockEvilBot `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

# Policy settings: Prevention mode is required for the rule to actually block
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"

# Create the WAF policy with the settings and the custom rule attached
$wafPolicy = New-AzApplicationGatewayFirewallPolicy `
   -Name <PolicyName> `
   -ResourceGroupName <RGNAME> `
   -Location eastus `
   -PolicySetting $policy `
   -CustomRule $rule


If the rule does not work properly, check that the WAF policy is linked to the appropriate listener of your Application Gateway like below:


  • Make sure the priority value is in the acceptable range of 1 to 100. Priority determines the order of evaluation: the lower the value, the earlier the rule is evaluated.
  • Each custom rule must have a different priority value. Priority 40 rules are evaluated before priority 80 rules.
  • Make sure the header value is exactly "evil" (case insensitive) and free of any leading or trailing spaces or other characters.

References:

Application Gateway WAF v2 Custom Rules by Yannic Graber

Azure Application Firewall (WAF) v2 custom rules on Application Gateway | Microsoft Learn

  • Does the WAF have to be in Prevention mode for it to work? Reason I ask is because the ipblock rule was working for me even when the WAF was in Detection Mode. – JakeUT Feb 21 '23 at 14:20
  • Web application firewall doesn't block incoming requests when it's operating in Detection mode. – Imran Feb 21 '23 at 14:37
  • ok...will try again in prevention mode for the custom rule and report back – JakeUT Feb 21 '23 at 14:38
  • I switched to Prevention mode and it's still not working. Let me research this some more. But I appreciate your help and time in responding! – JakeUT Feb 21 '23 at 19:39
  • Your screenshot brings up a question. I have the Application Gateway listed in the "Associated Application Gateways" section. Do I also need to explicitly include the HTTP Listener as well? – JakeUT Feb 21 '23 at 19:47
  • Added the HTTP Listener explicitly but doesn't seem to make a difference. Checking other options. – JakeUT Feb 21 '23 at 19:56
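To make the semantics of the question's custom rule (match variable, transform, operator, negation) and the answer's priority rules concrete, here is an added offline evaluator written for this thread; it is not Azure code and not the WAF engine itself. It takes a rule in the same JSON shape the question posts, applies it to a constructed request, and lints the priority constraints the answer lists (range 1 to 100, unique per rule). The request dictionary layout, the set of operators and transforms modelled, and the choice to treat an absent header as "no match" are assumptions made for the illustration.

```python
"""Offline evaluator for App GW WAF v2 custom rules in the question's JSON shape.

Added illustration, not Azure code. It models only RequestHeaders / RequestUri,
a handful of operators and transforms, and treats a missing header as no match
(all assumptions); use it to sanity-check a rule before deploying it.
"""
import re

PRIORITY_RANGE = (1, 100)  # acceptable custom-rule priority range stated in the answer

# The rule from the question. "negationConditon" is spelled as it appears there.
QUESTION_RULE = {
    "name": "blockTEST",
    "priority": 1,
    "ruleType": "MatchRule",
    "matchConditions": [{
        "matchVariables": [{"variableName": "RequestHeaders", "selector": "My-Header"}],
        "operator": "Contains",
        "negationConditon": False,
        "matchValues": ["evil"],
        "transforms": ["Lowercase"],
    }],
    "action": "Block",
}

# Operators modelled here; each takes (request value, match value).
OPERATORS = {
    "Contains": lambda v, m: m in v,
    "Equal": lambda v, m: v == m,
    "BeginsWith": lambda v, m: v.startswith(m),
    "EndsWith": lambda v, m: v.endswith(m),
    "Regex": lambda v, m: re.search(m, v) is not None,
}


def apply_transforms(value, transforms):
    """Apply the rule's transforms to the request value, in order."""
    for t in transforms:
        if t == "Lowercase":
            value = value.lower()
        elif t == "Trim":
            value = value.strip()
        elif t == "RemoveNulls":
            value = value.replace("\x00", "")
        else:
            raise ValueError(f"transform not modelled: {t}")
    return value


def variable_values(match_variable, request):
    """Resolve one matchVariable against a constructed request dict.

    Header names are compared case-insensitively, as HTTP requires. A header
    that is absent yields no values (assumption: absent means no match)."""
    name = match_variable["variableName"]
    selector = match_variable.get("selector")
    if name == "RequestHeaders":
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        if selector is None:
            return list(headers.values())
        value = headers.get(selector.lower())
        return [] if value is None else [value]
    if name == "RequestUri":
        return [request.get("uri", "")]
    raise ValueError(f"match variable not modelled: {name}")


def condition_matches(cond, request):
    """True if any variable value, after transforms, satisfies the operator
    against any match value; negationConditon inverts the result."""
    op = OPERATORS[cond["operator"]]
    transforms = cond.get("transforms", [])
    hit = False
    for mv in cond["matchVariables"]:
        for raw in variable_values(mv, request):
            value = apply_transforms(raw, transforms)
            if any(op(value, m) for m in cond["matchValues"]):
                hit = True
    return hit != bool(cond.get("negationConditon", False))


def rule_fires(rule, request):
    """All match conditions of a rule must hold (logical AND)."""
    return all(condition_matches(c, request) for c in rule["matchConditions"])


def lint_rules(rules):
    """Return a list of priority problems per the answer's bullet points."""
    problems, seen = [], {}
    for r in rules:
        p = r["priority"]
        if not PRIORITY_RANGE[0] <= p <= PRIORITY_RANGE[1]:
            problems.append(f"{r['name']}: priority {p} outside {PRIORITY_RANGE}")
        if p in seen:
            problems.append(f"{r['name']}: priority {p} already used by {seen[p]}")
        seen.setdefault(p, r["name"])
    return problems


def first_action(rules, request):
    """Evaluate rules lowest priority first; return (name, action) of the first hit."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if rule_fires(r, request):
            return r["name"], r["action"]
    return None


if __name__ == "__main__":
    # Constructed sample requests, including one with odd casing and padding.
    for req in ({"headers": {"My-Header": "evil"}},
                {"headers": {"my-header": " EVIL "}},
                {"headers": {"Other": "evil"}}):
        print(req, "->", first_action([QUESTION_RULE], req))
```

Running it shows that the question's rule, as written, does match both "evil" and " EVIL " (Lowercase plus Contains), so the rule text itself is not what stops the block; the remaining suspects are the ones the answer names: Detection mode, a policy not associated with the listener, or a conflicting priority, which `lint_rules` flags.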