
I have an Azure Application Gateway Web Application Firewall using the OWASP 3.0 ruleset. I created a custom policy so I could create a custom rule which simply allows traffic if it's from a specific IP address, and it has a priority of 1. This is great and I can see log entries in the firewall logs that the rule has been matched. However, I also see log entries that some of the OWASP rules have been matched as well.

My question is whether or not it is possible to prevent further rule/ruleset processing for this specific IP address?

neuro
devlife

1 Answer


In the Application Gateway WAF, the custom policy takes precedence. So if you have a rule to allow a certain IP and it matches, the other rules of OWASP are not processed. The traffic is allowed.

This is the behavior as of today; please provide feedback in UserVoice if you have a different scenario.

msrini-MSIT
  • I don't think that's how it's working. See this query for the last 4 hours. https://imgur.com/a/EXwJqRO (sorry, can't seem to paste images in comments). The image is for the last 4 hours as of this comment, which is long after the custom whitelist rule was put in place. You can see more than just that rule is being logged. – devlife Apr 08 '20 at 12:51
  • do you have any thoughts on my above comment? – devlife Apr 09 '20 at 10:19
  • The action is to allow. Custom rules take priority over CRS. But you will still see the WAF logs. It is just for logging purposes. The traffic will just be allowed. – msrini-MSIT Apr 09 '20 at 10:24
  • Thank you for the clarification. – devlife Apr 13 '20 at 22:59
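The configuration in the question and the log behaviour in the answer, as an added example that is not code from the original thread or from Azure. It builds the WAF policy the asker describes (one custom rule, priority 1, action Allow on RemoteAddr, OWASP CRS 3.0 as the managed ruleset) in the ARM resource-properties shape, then triages a handful of firewall log records the way the answer states: a matching custom Allow rule decides the request and any CRS hits logged for the same transaction are informational, while a request with no custom-rule hit is decided by the CRS outcome. The rule name, CIDRs and log records are constructed for the example; the log field names follow the ApplicationGatewayFirewallLog schema, and treating a record with ruleSetType "Custom" and ruleId equal to the rule name as the custom-rule hit is an assumption.

```python
"""Model of an Application Gateway WAF policy with an IP-allow custom rule,
plus a triage pass over firewall log records (added example, not Azure code)."""
import ipaddress
from collections import defaultdict


def make_waf_policy(allow_cidrs, rule_name="AllowTrustedSource", crs_version="3.0"):
    """Return the WAF policy body (ARM properties shape) with one custom rule at
    priority 1 that allows requests whose RemoteAddr matches allow_cidrs.
    rule_name and allow_cidrs are hypothetical values chosen for the example."""
    for cidr in allow_cidrs:                 # reject a malformed entry before deploy
        ipaddress.ip_network(cidr, strict=False)
    return {
        "properties": {
            "policySettings": {"state": "Enabled", "mode": "Prevention"},
            "customRules": [{
                "name": rule_name,
                "priority": 1,               # lowest number is evaluated first
                "ruleType": "MatchRule",
                "action": "Allow",
                "matchConditions": [{
                    "matchVariables": [{"variableName": "RemoteAddr"}],
                    "operator": "IPMatch",
                    "matchValues": list(allow_cidrs),
                }],
            }],
            "managedRules": {
                "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": crs_version}]
            },
        }
    }


def check_priorities(policy):
    """Custom rule priorities must be unique; return the evaluation order."""
    rules = policy["properties"]["customRules"]
    prios = [r["priority"] for r in rules]
    if len(prios) != len(set(prios)):
        raise ValueError("duplicate custom rule priority")
    return sorted((r["priority"], r["name"]) for r in rules)


def source_allowed(policy, client_ip):
    """True if client_ip falls in any IPMatch allow-list of an Allow custom rule."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy["properties"]["customRules"]:
        if rule["action"] != "Allow":
            continue
        for cond in rule["matchConditions"]:
            if cond["operator"] == "IPMatch" and any(
                ip in ipaddress.ip_network(v, strict=False) for v in cond["matchValues"]
            ):
                return True
    return False


def effective_actions(records, policy):
    """Group firewall log records by transactionId and decide each request.
    A custom-rule hit with the lowest priority number wins; otherwise a Blocked
    CRS record blocks and anything else is allowed. CRS ids seen alongside a
    custom Allow are reported as logged-only hits (assumption: custom-rule
    records carry ruleSetType 'Custom' and ruleId == rule name)."""
    priority = {r["name"]: r["priority"] for r in policy["properties"]["customRules"]}
    by_tx = defaultdict(list)
    for rec in records:
        by_tx[rec["transactionId"]].append(rec)
    verdicts = {}
    for tx, recs in by_tx.items():
        custom = [r for r in recs if r["ruleSetType"] == "Custom" and r["ruleId"] in priority]
        crs_ids = sorted(r["ruleId"] for r in recs if r["ruleSetType"] != "Custom")
        in_allow_list = source_allowed(policy, recs[0]["clientIp"])
        if custom:
            winner = min(custom, key=lambda r: priority[r["ruleId"]])
            decision, decided_by = winner["action"], winner["ruleId"]
        elif any(r["action"] == "Blocked" for r in recs):
            decision, decided_by = "Blocked", "OWASP"
        else:
            decision, decided_by = "Allowed", None
        verdicts[tx] = {
            "decision": decision,
            "decidedBy": decided_by,
            "crsHits": crs_ids,
            # flag an allow-listed source whose custom rule never logged a hit
            "allowRuleMissed": in_allow_list and not custom,
        }
    return verdicts


def _rec(tx, ip, rule_set, rule_id, action):
    return {"transactionId": tx, "clientIp": ip, "ruleSetType": rule_set,
            "ruleId": rule_id, "action": action}


POLICY = make_waf_policy(["203.0.113.5/32"])

# Constructed sample records, not real Azure log output.
SAMPLE_RECORDS = [
    _rec("tx-1", "203.0.113.5", "Custom", "AllowTrustedSource", "Allowed"),
    _rec("tx-1", "203.0.113.5", "OWASP", "942100", "Matched"),
    _rec("tx-1", "203.0.113.5", "OWASP", "920350", "Matched"),
    _rec("tx-2", "198.51.100.7", "OWASP", "942100", "Matched"),
    _rec("tx-2", "198.51.100.7", "OWASP", "949110", "Blocked"),
    _rec("tx-3", "198.51.100.8", "OWASP", "920350", "Matched"),
]

if __name__ == "__main__":
    for tx, verdict in effective_actions(SAMPLE_RECORDS, POLICY).items():
        print(tx, verdict)
```

Run it and tx-1 comes out Allowed by the custom rule even though two CRS rule ids were logged for the same transaction, which is the situation the asker saw in the logs; tx-2 is blocked by the CRS and tx-3 allowed with no custom-rule involvement. The allowRuleMissed flag is the check worth keeping in a real query: an allow-listed source that produces CRS records but no custom-rule record means the rule did not fire, not that the CRS overrode it.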