Application Gateway WAF custom rule is not triggered if the HTTP header field is not present

%3CLINGO-SUB%20id%3D%22lingo-sub-1343291%22%20slang%3D%22en-US%22%3EApplication%20Gateway%20WAF%20custom%20rule%20is%20not%20triggered%20if%20the%20HTTP%20header%20field%20is%20not%20present%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343291%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Community%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20this%20strange%20behavior%20on%20my%26nbsp%3BApplication%20Gateway%20WAF.%20I%26nbsp%3B%20created%20this%20custom%20rule%20(see%20image%20below)%20to%20deny%20traffic%20when%20the%20http%20request%20has%20Referer%20http%20header%20field%20empty%20or%20missing.%3C%2FP%3E%3CP%3EThe%20problem%20is%20that%20this%20rule%20is%20only%20triggered%20when%20the%26nbsp%3BReferer%20http%20header%20field%20is%20empty%20but%20not%20when%20it%20is%20missing%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInstead%2C%20the%20same%20custom%20rule%20is%20working%20fine%20on%20the%20front%20door%20WAF.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20is%20it%20happening%3F%20Did%20I%20do%20something%20wrong%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22waf_cr.png%22%20style%3D%22width%3A%20595px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F187136iA9A2E53E98C966DF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22waf_cr.png%22%20alt%3D%22waf_cr.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1343291%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EApplication%20Gateway%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EApplication%20Gateway%20WAF%20Policy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWAF%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eweb%20application%20firewall%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1978020%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Gateway%20WAF%20custom%20rule%20is%20not%20triggered%20if%20the%20HTTP%20header%20field%20is%20not%20present%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1978020%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F361145%22%20target%3D%22_blank%22%3E%40Maxlan71%3C%2FA%3E%2C%20I%20encountered%20similar%20problem%20and%20worked%20around%20it%20by%20a%20negation.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20P2%20rule%20to%20deny%20all%20(as%20attached)%20and%20then%20you%20can%20have%20any%20P1%20rules%20to%20allow%20whatever%20with%20non%20empty%20Header%20as%20you%20like.%20Hope%20that%20help.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screen%20Shot%202020-12-10%20at%202.57.35%20PM.png%22%20style%3D%22width%3A%20508px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F239712i5F72B147DACDA5AB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Screen%20Shot%202020-12-10%20at%202.57.35%20PM.png%22%20alt%3D%22Screen%20Shot%202020-12-10%20at%202.57.35%20PM.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi Community,

 

I have this strange behavior on my Application Gateway WAF. I  created this custom rule (see image below) to deny traffic when the http request has Referer http header field empty or missing.

The problem is that this rule is only triggered when the Referer http header field is empty but not when it is missing :(

 

Instead, the same custom rule is working fine on the front door WAF.

 

Why is it happening? Did I do something wrong?

 

waf_cr.png

1 Reply

@Maxlan71, I encountered similar problem and worked around it by a negation. 

I have a P2 rule to deny all (as attached) and then you can have any P1 rules to allow whatever with non empty Header as you like. Hope that help. 

Screen Shot 2020-12-10 at 2.57.35 PM.png