Recent Discussions
New Blog Post | Enhancements to Azure WAF for Application Gateway now in General Availability
Enhancements to Azure WAF for Application Gateway now in General Availability - Microsoft Community Hub
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection for your web applications against common vulnerabilities and exploits. Web applications are increasingly targeted by malicious attacks that exploit vulnerabilities. SQL Injection (SQLi) and Cross-Site Scripting (XSS) are examples of some well-known attacks. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application developers and security teams against threats or intrusions. The Azure Web Application Firewall (WAF) engine is the component that inspects traffic and determines whether a web-request represents a potential attack, then takes appropriate action depending on the configuration. Previously, when you used the Azure WAF with Application Gateway, there were certain limitations in the way you could configure and monitor your WAF deployments. We are happy to announce several enhancements to the configurations and monitoring capabilities of Azure WAF when used with Azure Application Gateway going forward.
48K Views 0 likes 0 Comments
How to disable WAF mandatory rule or add an exception to the rule
Hi All, A website is getting blocked when I enable WAF in Prevention mode, and log says "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 5)" but not able to see policy rule 949110 to disable or add an exception. Is there any way to solve this?
19K Views 0 likes 1 Comment
Logic app search replace function usage example?
Can someone please give me an example function for search and replace? I'm using html in the sentinel 'add comments' operator and I'm seeing lots of \n characters. I want to remove them all so they don't write line feeds to the output and mess up my html markup. Thank you.
Solved 15K Views 0 likes 7 Comments
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SME (Subject Matter Experts), will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team. Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions. To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.
Mohit_Kumar andrewmathu SaleemBseeu davidfrazee ShabazShaik tobiotolorin gusmodena
Azure Firewall Public IP and DDoS protection
Hi, We have a zero trust network setup where we use Azure Firewall Standard Edition with hub/spoke model, there is mandatory requirement to assign few Public IP addresses to the firewall, we have included these assigned public IP addresses to a DDoS plan as well. There is no ingress in this environment (It is backend message processing system which does not need any internet / frontend web APIs). As we are running this in production, we see many DDoS mitigation alerts on firewall Public IPs. We are thinking of reducing cost and removing DDoS protection plan because only resources that are in the plan are firewall's public IP addresses, hence the questions are:
1. how the azure firewall will behave if assigned public IPs are not included in DDoS protection plan?
2. Do azure firewall internally have built-in mechanism to defend against DDoS attacks on its public IPs
3. Is there standard recommendation that when Azure firewall is deployed, customers also must use DDoS plan?
4.3K Views 0 likes 2 Comments
Web Application Firewall in Prevention Mode
Hi Team, My application is an ASP.NET web application built on standard .NET Framework features. It works well when Web App Firewall (WAF) is off or set to “Detection”. However, once the WAF is set to “Prevention”, most requests to the web servers (both internet and intranet) will be blocked. Can I have your advice on what to be set on the firewall rule to resolve this?
4K Views 0 likes 1 Comment
Limit of WAF Exclusion
Hi, @camilamartins @tobiotolorin, All, Based on the Link, https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits there is a limit of 40 exclusions per Application Gateway. But does it apply to the URI-based WAF policy as well? To explain more, we've 10+ applications Passing via application Gateway. The idea is to have a separate WAF policy for each application with Fine-tuning. We expect at least 10+ in each WAF policy (Applied at URI) does it add up to the application gateway, or if the limit applies to the policy set at the application gateway level? Appreciate your inputs!
3.3K Views 0 likes 2 Comments
Security Community | Private Preview form short link correction
This is just a quick update on the short-link to the Private Preview form. The correct link is https://aka.ms/SecurityPrP. You can apply to join our private preview program, where you can get early access to changes in exchange for your feedback, and review our product roadmap. Thank you and I apologize for the inconvenience caused by the old broken link.
3K Views 0 likes 0 Comments
Unable to block my website in specific countries with Azure WAF custom rules
Hi All, Recently I got a requirement from my client to block the access of the website from specific countries. I've gone through lot of documentation over the Internet and found that we can use restrict access by blocking IP ranges and Azure WAF custom rules. I've created custom rules because I had to block almost 60 countries. But that is not working somehow. Can anyone help me on this?
3K Views 0 likes 1 Comment
WAF v2 and use of Lets Encrypt wildcard
Hello All, I'm using WAF v2 and one of my listeners uses Port 443 and multi-site domain. I've generated a SSL WildCard for this domain using Let's Encrypt. When I put WAF in front of this specific site/domain, I receive an error as following:
The connection for this site is not secure homolog-icg.icgti.com.br uses an unsupported protocol ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
My SSL Policy is as following:
Min protocol version TLSv1_2
Cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
I have other websites with other SSL WildCard certificate (paid-not free) in the same backend pool but a different Listener and the error doesn't happen with them also. I would suspect that could be the SSL configuration in the server machine, but if other websites are working fine, my guess should be the certificate that not allow the type of cyphers I have in my SSL Policy. Does this make any sense? Has anyone tried a similar scenario? Thanks, Mirella
Solved 2.7K Views 1 like 2 Comments
New Blog Post | Role Based Access Control for Azure Firewall
Role Based Access Control for Azure Firewall - Microsoft Tech Community
In this article, we discuss the actions that may be used to create security conscious roles and templates that you can use to create and assign roles for Azure Firewall. Once you understand the boundaries for the role you are trying to create, you can use the template below or modify it by carefully selecting the actions required and assigning it to the user. There are various levels of administrative roles you might be looking to assign, and this may be done at a management group level, subscription level, resource group level or resource level. Azure RBAC focuses on managing user actions at these different scopes.
2.6K Views 0 likes 0 Comments
Azure WAF Security Protection and Detection Lab now Available
Azure Web Application Firewall Security Protection and Detection Lab is now available. The intent of this lab is to allow customers to easily test and validate the security capabilities of Azure WAF against common web application vulnerabilities/attacks. A significant amount of work has been put into developing the lab environment and the playbooks for our customers, and we are incredibly proud of the teamwork, collaboration, and support throughout the various stages of the process. The lab is now available on Azure Tech Community blog space and is organized in 5 sections. The step by step instructions in the lab allow anyone to rapidly deploy the lab environment and test Azure WAF’s protection capabilities against common web application attacks such as Reconnaissance, Cross-Site Scripting, and SQL Injection with no or minimal know-how of offensive security testing methodology. The lab also demonstrates how to use Azure WAF Workbook to understand how WAF handles malicious traffic and payloads. Click here for a Tutorial Overview, an introduction to the testing framework used in the lab, and the four-part instructions on the lab setup.
2.4K Views 2 likes 0 Comments
Azure Firewall Manager
I'm looking for confirmation as to whether my suspicions are correct or I'm a complete idiot. If I'm using AFM and it is deployed in West US, for example, am I able to modify policies in the event there is some kind of Azure outage in the West US region (let's just pretend complete outage for the sake of the conversation)? I'm assuming a managed service like AFM is set up with native HA/failover and would not be impacted by something like this...is that wrong of me?
Solved 2.4K Views 0 likes 2 Comments
New Blog | Intrusion Detection and Prevention System (IDPS) Based on Signatures
An Intrusion Detection and Prevention System (IDPS) is a vital component of modern cybersecurity strategy, designed to safeguard networks by actively monitoring and responding to potential security threats. Among the types of IDPS currently available such as signature-based and anomaly-based, signature based IDPS stands out as a reliable and efficient method for identifying known security risks. This blog delves into signature-based IDPS, with a specific focus on the Azure Firewall Premium IDPS. Read the full blog post here: Intrusion Detection and Prevention System (IDPS) Based on Signatures - Microsoft Community Hub
2.3K Views 0 likes 0 Comments
Azure WAF - Resources for understanding policies
I am looking for some guidance around setting up the WAF including suitable exclusions. The issue I am running into is the documentation does not identify why something was triggered. For example, I know the http header Referrer contains something that is triggering XSS. I believe it is because in the url there are the two characters "on" in the endpoint "https://mysite.com/onecode?para1=test&para2=fred", but I am just making an educated guess. I would then think I would create an exclusion to say do not trigger if the url contains "onecode". That is not really good enough though as what if the url contains onecode and another occurrence of "on" that should trigger XSS (for example in one of the parameters). I would think everyone would have this issue so I am surprised I did not find anything in docs or Architecture Centre.
2.2K Views 0 likes 2 Comments
New Blog Post | Text4Shell RCE vulnerability: Protecting against and detecting CVE-2022-42889
Text4Shell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-42889 - Microsoft Community Hub
Similar to the Spring4Shell and Log4Shell vulnerabilities, a new critical vulnerability CVE-2022-42889 aka Text4Shell was discovered on October 13, 2022. Text4Shell is a vulnerability in the Java library Apache Commons Text. This vulnerability, in specific conditions, allows an attacker to execute arbitrary code on the victim's machine (Remote Code Execution or "RCE"). Customers can detect and protect their resources against Text4Shell vulnerability using Azure native network security services, Azure Firewall Premium and Azure Web Application Firewall (WAF). You can utilize one of these services or both for multi-layered defense. Customers using Azure Firewall Premium, and Azure WAF have enhanced protection for this RCE vulnerability from the get-go. Customers can protect their assets by upgrading their Apache Commons Text version to the patched version 1.10. However, there are situations when upgrading software is not an option or may take a long period of time. In such case, they can use products like Azure Firewall Premium and Azure WAF for protection. Original Post: New Blog Post | Text4Shell RCE vulnerability: Protecting against and detecting CVE-2022-42889 - Microsoft Community Hub
2.1K Views 0 likes 0 Comments
Suggestions for Network Security Blog Content
Please use this thread as a place to suggest topics we can write about on our blog. These could be deep dives on particular features, how-to guides for implementing certain architectures, or any other network security concept. Thanks in advance!
2.1K Views 4 likes 5 Comments
New Blog | Taking Azure Firewall IDPS on a Test Drive
Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)
Intrusion detection and prevention (IDPS) is an advanced threat prevention mechanism supported by the Azure Firewall Premium SKU. Unlike simple network filtering, IDPS matches traffic patterns to a set of known malicious signatures. Azure Firewall supports more than 60,000 malicious signatures which are updated in real time. These signatures apply when malicious patterns are detected under the right conditions. The conditions include traffic direction (inbound or outbound) and network scope (private network or public network). Below are examples to validate IDPS configuration in your environment. Read the full blog here: Taking Azure Firewall IDPS on a Test Drive - Microsoft Community Hub
1.8K Views 0 likes 0 Comments
Events
Recent Blogs
- With the adoption of the NIS2 Directive EU 2022 2555, cybersecurity obligations for both public and private sector organizations have become more strict and far reaching. NIS2 aims to establish a hig...
  Sep 26, 2025 | 163 Views 0 likes 0 Comments
- The internet’s transport layer is undergoing one of its most significant evolutions in decades. QUIC (Quick UDP Internet Connections) — the protocol underpinning HTTP/3 — is rapidly becoming the defa...
  Sep 24, 2025 | 258 Views 1 like 1 Comment