Az Application Gateway WAF Policy - Custom Rule exclusions can't be created for specific WAF Rules?

chrisbutler
Occasional Contributor

Hi,

Have been playing with the AAG Web Application Firewall for some time now and found what I believe to be some rather major flaws in functionality.

Mainly, the lack of ability to exclude a specific URI from certain WAF rule checks; instead, it very much seems like when you add an exception via an Application Gateway WAF Policy, it excludes the URI from the WAF entirely.

Anyone have any info, clues, tips or ways I have not found to exclude a certain URI from specific rule checks?

1 Reply

Hi @chrisbutler, thank you for your feedback! Checking with the AAG WAF team, this is on their roadmap already. For your information, we're targeting to host a webinar "Azure Network Security: Introduction to WAF" on Nov 14, 2019. Stay tuned as I will be posting registration details in a couple of weeks here on this page.
