Forum Discussion

Maxlan71's avatar
Maxlan71
Brass Contributor
Apr 28, 2020

Application Gateway WAF custom rule is not triggered if the HTTP header field is not present

Hi Community,

 

I have this strange behavior on my Application Gateway WAF. I  created this custom rule (see image below) to deny traffic when the http request has Referer http header field empty or missing.

The problem is that this rule is only triggered when the Referer http header field is empty but not when it is missing 😞

 

Instead, the same custom rule is working fine on the front door WAF.

 

Why is it happening? Did I do something wrong?

 

  • lo_ed's avatar
    lo_ed
    Copper Contributor

    Maxlan71, I encountered similar problem and worked around it by a negation. 

    I have a P2 rule to deny all (as attached) and then you can have any P1 rules to allow whatever with non empty Header as you like. Hope that help. 

Resources