You may already know that Azure offers a Web Application Firewall capability.
Until now, you could not define a list of request attributes to exclude from WAF evaluation.
Well, good news, this is now possible.
The attributes supported for exclusion are:
- request header,
- cookie,
- query string,
- post args
To define your exclusions, you can use PowerShell, the Azure CLI or the administration portal.
PowerShell command
New-AzFrontDoorWafManagedRuleExclusionObject -Variable <RequestHeaderNames, RequestCookieNames, QueryStringArgNames or RequestBodyPostArgNames> -Operator <operator – like equals, equalsany…> -Selector <pattern to match if the operator is not equalsany>
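The exclusion object only takes effect once it is attached to a managed rule set and the policy is updated. The following is an added example, not code from the original post, showing that full flow with two narrowly scoped exact-match exclusions. The resource group, policy name, selector values and rule set type/version are assumptions to replace with your own.

```powershell
# Placeholder names (assumptions): replace with your own resource group and WAF policy.
$resourceGroup = 'rg-frontdoor-example'
$policyName    = 'examplewafpolicy'

# Build narrow exclusions: one exact-match (Equals) selector per attribute,
# so only the named cookie and POST argument skip managed-rule evaluation.
# The selector values are constructed samples.
$cookieExclusion = New-AzFrontDoorWafManagedRuleExclusionObject `
    -Variable RequestCookieNames -Operator Equals -Selector 'session_state'

$postArgExclusion = New-AzFrontDoorWafManagedRuleExclusionObject `
    -Variable RequestBodyPostArgNames -Operator Equals -Selector 'comment_html'

# Attach the exclusions to the managed rule set.
# Type and version are assumptions: use the rule set your policy already runs.
$managedRuleSet = New-AzFrontDoorWafManagedRuleObject `
    -Type DefaultRuleSet -Version '1.0' `
    -Exclusion $cookieExclusion, $postArgExclusion

# Apply the change. The value passed to -ManagedRule becomes the policy's
# managed rule list, so include every rule set the policy should keep.
Update-AzFrontDoorWafPolicy `
    -ResourceGroupName $resourceGroup -Name $policyName `
    -ManagedRule $managedRuleSet -ErrorAction Stop

# Read the policy back and dump it in full to confirm which exclusions are live.
Get-AzFrontDoorWafPolicy -ResourceGroupName $resourceGroup -Name $policyName |
    ConvertTo-Json -Depth 6
```

Every excluded attribute is a value the managed rules no longer inspect, so prefer an exact selector over a broad operator and review the read-back output after each change.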
From the portal
Open the WAF for which you want to configure the exclusion, then open the Managed Rules blade, available under the Settings section.
There, click Manage exclusion in the toolbar.
You can then define your exclusion rule.