How do I configure the Azure Application Gateway / backend pool to drop requests that are blocked by the WAF as the log file indicate the request was blocked but the script ends up in the database.

Derek Green 0

requests blocked by the WAF are being forwarded to the backend API servers. How do you configure the backend pool or WAF to drop requests that are blocked by the WAF.

1 answer

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2024-05-17T01:09:56.5766667+00:00
@Derek Green

Thank you for reaching out.

I understand you wish to drop the request when they are blocked by the WAF.

You achieve this by setting the WAF in prevention mode and then modifying the action to Block as shown in the screenshot below.

As documented here

Block: The request is blocked and WAF sends a response to the client without forwarding the request to the back-end.

Hope this helps! Please let me know if the issue still persists. Thank you!
Please sign in to rate this answer.
Derek Green 0 Reputation points

2024-05-17T13:46:02.33+00:00

Thank you for your response, much appreciated.

However we use the anomaly score method otherwise there would be a lot more issues in the WAF for things like missing request headers so it does not seem practical in our environment and will yield the same result as outlined below.

We are getting the following results:

Customer record is edited and to test we insert a script into one of the address fields.

The WAF gives a message in the logs stating that the request was blocked because it picked up the script.

We go back into the customer record and the script is in the address field.

What I am struggling with is why if the WAF reports the request as blocked and the script still ends up in the database.

Using ChatGPT it made the following comment:

"Check the WAF configuration to ensure that it is set to block and terminate the connection for requests that violate the defined rules."

Is this a separate setting in Azure WAF do you know other than changing the ruleset to block? (which the WAF is doing anyway) or any other comments would be highly appreciated if someone has experienced the same WAF behaviour.

Thanks.

DEREK

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2024-05-23T19:51:31.8566667+00:00

@Derek Green

Thank you for getting back and apologies for the delayed response here.

Based on your question above.

The WAF gives a message in the logs stating that the request was blocked because it picked up the script. We go back into the customer record and the script is in the address field. What I am struggling with is why if the WAF reports the request as blocked and the script still ends up in the database.

As you have set the WAF action anomaly score method, so ideally as documented here the action in WAF logs should be "Matched". If the action states "Blocked" the request should be blocked

I think a support request will be required in this case as support engineer can take a the backend logs and determine the root cause. If you have a support plan you may file a support ticket, else could you please refer to my private message here. Thanks!

Derek Green 0 Reputation points

2024-05-24T10:08:43.76+00:00

Thanks I appreciate your feedback.

I think I will need to find a way to raise a ticket with support. As the anomaly score threshold was reached and the request was blocked I would have thought this action would terminate the connection and not post to the database. I would assume that if I change the actions under the rules to block this would cause quite a nightmare to administer. The funny thing is we have another domain being managed by the same WAF and the behaviour is as expected and nothing gets posted to the database.

It doesn't make sense to me.

ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee

2024-05-28T15:39:54.6866667+00:00

@Derek Green

Thank you for getting back. Please share the support ticket number with us in the private message for our tracking purposes. Thank you!
Sign in to comment

Share via

How do I configure the Azure Application Gateway / backend pool to drop requests that are blocked by the WAF as the log file indicate the request was blocked but the script ends up in the database.

1 answer