Forum Discussion
How to troubleshoot if a cookie is being sent to application gateway with each and every request
I have a rule on WAF policy associated with application gateway with a rule (set as topmost rule) to allow traffic if a particular cookie is sent with the request. But we are seeing some requests that are not hitting that rule and instead hitting different rule and thus getting blocked. My thinking is that the cookie is not being sent by the application in that request, although the developer says that it should be sent with each request. How can I log enough detail on application gateway to see if a cookie was really sent with the request that was blocked or not.
1 Reply
The easiest way to confirm whether the cookie is actually reaching Application Gateway is to enable Access Logs and WAF Logs.
In the access logs you can inspect requestHeaders — the App Gateway logs the full header set it receives, including cookies.If the cookie does not appear in the logs, then the application is not sending it, regardless of what the client or developer expects.
If the cookie does appear but the request still hits a different rule, check the rule evaluation order inside the WAF policy. A broader “match” rule earlier in the chain can override the cookie-based allow rule.
Enabling ApplicationGatewayFirewallLog diagnostics will also show exactly which rule triggered and why.
