Azure WAF best practice for specific rules

Question

Azure WAF best practice for specific rules

Eddie Vincent 205

Hi,

Looking for some very specific help regarding Azure Web application rules.

Some URI'S are hitting various WAF rules within the OWASP Ruleset (using version 3.2 currently) and I am looking to exclude these from those specific rules (2 in question being hit) can the ruleset/rules in question be changed specifically for selected URI's? and if yes what is the best method to achieve this?Excluding the URI in question looks like a fairly broad option (I have successfully achieved this with a custom rule) however it seems as if a mixture of the two rule types (OWASP and Custom) is needed for this specific requirement, any advise would be appreciated.

Note: I am aware that the OWASP ruleset has an update pending however all information I have currently found suggests that upgrading would not effect this behaviour.

Thanks!!

Sina Salam 25,926 Reputation points Volunteer Moderator

2025-09-18T16:02:20.9933333+00:00
Hello Eddie Vincent,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you need Azure WAF best practice for specific rules.

The Azure WAF best practice for specific rules is the following specific for your scenario:

Exclude specific rule for specific URI especially for ModSecurity (Apache/Nginx) with OWASP CRS 3.2: SecRule REQUEST_URI "@beginsWith /your/uri" \ "id:10001, phase:1, pass, nolog, ctl:ruleRemoveById=942430"

Removes rule 942430 only for /your/uri- https://coreruleset.org/docs/2-how-crs-works/2-3-false-positives-and-tuning/

Exclude specific parameter from rule: SecRule REQUEST_URI "@beginsWith /your/uri" \ "id:10002, phase:1, pass, nolog, ctl:ruleRemoveTargetById=942430;ARGS:user_id"

Removes user_id from rule 942430 - https://stackoverflow.com/questions/78664420/modsecurity-blocks-after-despite-rule-exclusions

Reduce anomaly score instead of disabling: SecRule REQUEST_URI "@beginsWith /your/uri" \ "id:10003, phase:1, pass, setvar:'tx.anomaly_score=-1'"

Reduces score to avoid blocking - https://coreruleset.org/docs/2-how-crs-works/2-3-false-positives-and-tuning/

More so, for Azure WAF with OWASP CRS 3.2:

Use custom rule to allow specific URI
MatchVariable: RequestUri Operator: Equals Value: /smail/page/2 Action: Allow

This bypasses all WAF inspection for this URI - https://free.blessedness.top/en-us/answers/questions/1428650/how-to-disable-specific-owasp-3-2-rule-for-a-speci

Use per-URI WAF policy by:

Create a separate WAF policy for /smail/page/2

Disable specific rule (e.g., 942430) in that policy

Associate policy via path-based routing as you see in this link - https://free.blessedness.top/en-us/answers/questions/1428650/how-to-disable-specific-owasp-3-2-rule-for-a-speci

Also, you need to be aware that, there is limitations:

Query strings (e.g., ?post=66) are not part of RequestUri

Cannot exclude based on CookieName, HeaderName, etc. - Check for more lists here: https://free.blessedness.top/en-us/answers/questions/2277818/how-to-add-exclusions-for-restricted-file-access-a

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-09-19T16:25:38.36+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding the last response from Sina Salam and wanted to check if you had the opportunity to review our previous post.

Please "up vote" if the information helped you. This will help us and others in the community as well
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-09-22T19:03:45.22+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding the last response from Sina Salam and wanted to check if you had the opportunity to review our previous post.
Eddie Vincent 205 Reputation points

2025-10-01T11:05:29.1933333+00:00

Thank you and apologies for the delay @Ravi Varma Mudduluru

The core of the issue is a little more nuanced than above.

Basically it possible in to access a specific field from a request body and run regex checks against it's value? All our requests are sent to the same endpoint in this specific scenario.

Example below (including link):

Imagine a request body; { "linkToThing": "https://base-url/1234-5678/xyz?=8877" } OWASP rule 12345 might block this request because linkToThing contains the character ? .

Instead of just excluding rule 12345, is it possible to write a 'Custom rule' that knows and allows for values of linkToThing to contain a '?' at position 31, but still check the remainder of linkToThing 's value for ? characters, in a manner similar to 12345?

Hopefully this makes sense but happy to explain further if required.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-01T21:46:19.65+00:00
Hello @Eddie Vincent

You have the option to set up a custom rule that permits requests to certain URIs, which will let you bypass the WAF inspection for those specific URIs. This action allows all traffic to that URI without inspection.

MatchVariable: RequestUri Operator: Equals Value: /your/specific/uri Action: Allow

If you need to exclude specific OWASP rules for certain URIs, you can use ModSecurity rule syntax. For example, to disable rule 942430 for a particular URI. This ensures that the specified traffic is allowed through without being blocked by that rule.

SecRule REQUEST_URI "@beginsWith /your/uri" "id:10001, phase:1, pass, nolog, ctl:ruleRemoveById=942430"

One option is to set up a separate WAF policy for the specific URI, disable the rules causing issues in that policy, and then link it to the route that processes that URI. This way, you can customize responses for the traffic on those routes.

If turning off rules isn't the best solution, you could also lower the anomaly score for certain URIs, which may help prevent those requests from being blocked.

SecRule REQUEST_URI "@beginsWith /your/uri" "id:10003, phase:1, pass, setvar:'tx.anomaly_score=-1'"

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-02T22:16:42.4966667+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
Eddie Vincent 205 Reputation points

2025-10-06T12:41:00.55+00:00

Hi @Ravi Varma Mudduluru

Appreciate the response, Lowering the anomaly score for certain rules is an option.

To follow up my last question - the scenario I'm exploring here isn't the requestUri itself. It's a hardcoded url that's being sent in the requestBody.

Are you aware if you can run access or regex checks on a field called 'linkToThing' that is sent in a requestBody, with a value of a hardcoded url?

Thanks.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-06T15:27:57.65+00:00
Hello @Eddie Vincent,

Regarding your question about inspecting values in a request body, you can indeed create custom rules based on specific fields within the JSON payload. While you can't directly access fields using a regex in the same way you might in a traditional programming environment, you can utilize custom rule syntax like so:

SecRule ARGS:linkToThing "@contains ?" "id:12345, phase:2, pass, nolog"

This will allow requests if linkToThing contains the '?' character. However, remember that WAF may still inspect the request based on other rules too.

Kindly let us know if the above helps or you need further assistance on this issue.
Eddie Vincent 205 Reputation points

2025-10-09T07:45:00.3666667+00:00

@Sina Salam Thanks for the response, almost there I think, one more question if you dont mind - regarding using this with JSON or Powershell.

I can see some examples in Create and use WAF v2 custom rules on Application Gateway - Azure Web Application Firewall | Micros… of the custom rules written in JSON / Powershell.

Do you have a JSON/Powershell version corresponding to the last example (below) that would be really helpful.

SecRule ARGS:linkToThing "@contains ?" "id:12345, phase:2, pass, nolog"
Thanmayi Godithi 1,715 Reputation points Microsoft External Staff Moderator

2025-10-15T06:23:42.5966667+00:00

Hi @Eddie Vincent,

Thank you for providing the requested details over "Private message".

We will get back to you shortly.

Thanks

Thanmayi

1 answer

Your answer

Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-09-19T16:25:38.36+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding the last response from Sina Salam and wanted to check if you had the opportunity to review our previous post.

Please "up vote" if the information helped you. This will help us and others in the community as well
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-09-22T19:03:45.22+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding the last response from Sina Salam and wanted to check if you had the opportunity to review our previous post.
Eddie Vincent 205 Reputation points

2025-10-01T11:05:29.1933333+00:00

Thank you and apologies for the delay @Ravi Varma Mudduluru

The core of the issue is a little more nuanced than above.

Basically it possible in to access a specific field from a request body and run regex checks against it's value? All our requests are sent to the same endpoint in this specific scenario.

Example below (including link):

Imagine a request body; { "linkToThing": "https://base-url/1234-5678/xyz?=8877" } OWASP rule 12345 might block this request because linkToThing contains the character ? .

Instead of just excluding rule 12345, is it possible to write a 'Custom rule' that knows and allows for values of linkToThing to contain a '?' at position 31, but still check the remainder of linkToThing 's value for ? characters, in a manner similar to 12345?

Hopefully this makes sense but happy to explain further if required.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-01T21:46:19.65+00:00

Hello @Eddie Vincent

You have the option to set up a custom rule that permits requests to certain URIs, which will let you bypass the WAF inspection for those specific URIs. This action allows all traffic to that URI without inspection.

MatchVariable: RequestUri Operator: Equals Value: /your/specific/uri Action: Allow

If you need to exclude specific OWASP rules for certain URIs, you can use ModSecurity rule syntax. For example, to disable rule 942430 for a particular URI. This ensures that the specified traffic is allowed through without being blocked by that rule.

SecRule REQUEST_URI "@beginsWith /your/uri" "id:10001, phase:1, pass, nolog, ctl:ruleRemoveById=942430"

One option is to set up a separate WAF policy for the specific URI, disable the rules causing issues in that policy, and then link it to the route that processes that URI. This way, you can customize responses for the traffic on those routes.

If turning off rules isn't the best solution, you could also lower the anomaly score for certain URIs, which may help prevent those requests from being blocked.

SecRule REQUEST_URI "@beginsWith /your/uri" "id:10003, phase:1, pass, setvar:'tx.anomaly_score=-1'"

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-02T22:16:42.4966667+00:00

Hello @Eddie Vincent,

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
Eddie Vincent 205 Reputation points

2025-10-06T12:41:00.55+00:00

Hi @Ravi Varma Mudduluru

Appreciate the response, Lowering the anomaly score for certain rules is an option.

To follow up my last question - the scenario I'm exploring here isn't the requestUri itself. It's a hardcoded url that's being sent in the requestBody.

Are you aware if you can run access or regex checks on a field called 'linkToThing' that is sent in a requestBody, with a value of a hardcoded url?

Thanks.
Ravi Varma Mudduluru 2,025 Reputation points Microsoft External Staff Moderator

2025-10-06T15:27:57.65+00:00

Hello @Eddie Vincent,

Regarding your question about inspecting values in a request body, you can indeed create custom rules based on specific fields within the JSON payload. While you can't directly access fields using a regex in the same way you might in a traditional programming environment, you can utilize custom rule syntax like so:

SecRule ARGS:linkToThing "@contains ?" "id:12345, phase:2, pass, nolog"

This will allow requests if linkToThing contains the '?' character. However, remember that WAF may still inspect the request based on other rules too.

Kindly let us know if the above helps or you need further assistance on this issue.
Eddie Vincent 205 Reputation points

2025-10-09T07:45:00.3666667+00:00

@Sina Salam Thanks for the response, almost there I think, one more question if you dont mind - regarding using this with JSON or Powershell.

I can see some examples in Create and use WAF v2 custom rules on Application Gateway - Azure Web Application Firewall | Micros… of the custom rules written in JSON / Powershell.

Do you have a JSON/Powershell version corresponding to the last example (below) that would be really helpful.

SecRule ARGS:linkToThing "@contains ?" "id:12345, phase:2, pass, nolog"
Thanmayi Godithi 1,715 Reputation points Microsoft External Staff Moderator

2025-10-15T06:23:42.5966667+00:00

Hi @Eddie Vincent,

Thank you for providing the requested details over "Private message".

We will get back to you shortly.

Thanks

Thanmayi

Answer 1

Hello Eddie Vincent
I understand you're interested in creating a custom rule in the Azure Application Gateway WAF using PowerShell. Please refer to the following documents for more details:

https://free.blessedness.top/en-us/azure/web-application-firewall/ag/configure-waf-custom-rules

https://free.blessedness.top/en-us/azure/web-application-firewall/ag/create-custom-waf-rules

If you want to block a specific custom response code or body in the WAF policy settings, you can use the following resource:

https://free.blessedness.top/en-us/azure/web-application-firewall/ag/configure-custom-response-code

You can also configure single rules directly through the portal. If you need to deny a specific request body, please review the relevant scenario in the documentation and let me know your results.

User's image Based on your requirements, you can implement custom rules to block specific IP addresses by entering the IP address in the match variable field. Geo location-based blocking is also possible.

If a default rule is blocking something in your environment and you want to allow it, you can use the exclusion option.

check the below document:

https://free.blessedness.top/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Azure WAF best practice for specific rules

1 answer

Your answer