Azure Application GW WAF custom rule not working


I have an App GW WAF v2 where I need to set up a custom rule to check for the presence of a Request Header. I couldn't get it to work. So next I set up a very simple check.

```json
"customRules": [{
    "name": "blockTEST",
    "priority": 1,
    "ruleType": "MatchRule",
    "matchConditions": [{
        "matchVariables": [
            { "variableName": "RequestHeaders", "selector": "My-Header" }
        ],
        "operator": "Contains",
        "negationCondition": false,
        "matchValues": ["evil"],
        "transforms": ["Lowercase"]
    }],
    "action": "Block"
}]
```

I am submitting a request with "My-Header" as a header and with the value of "evil". But it doesn't block it. I have also tried various comparison operators including Starts With, Contains, Equals, ... but nothing works.

So far the only custom rule that works is when I set a Block based on IP. But that's not what I want.

Any suggestions? Jake.


There is 1 answer

Imran On

I tried to reproduce the same in my environment and got the results successfully like below:

I created application gateway WAF v2 and created a sample custom rule like below:


When I send a request with my header, it blocks successfully like below:

```powershell
# Match variable: the User-Agent request header
$variable = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

# Condition: header value matches "evilbot" after lower-casing
$condition = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable `
   -Operator Regex `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

# Custom rule that blocks when the condition matches
$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name blockEvilBot `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

# Policy settings: Prevention mode so matches are blocked, not just logged
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"

# Create the WAF policy with the settings and the custom rule attached
$wafPolicy = New-AzApplicationGatewayFirewallPolicy `
   -Name <PolicyName> `
   -ResourceGroup <RGNAME> `
   -Location eastus `
   -PolicySetting $policy `
   -CustomRule $rule
```


If the rule does not work properly, check that the WAF policy is linked to the appropriate listener of your Application Gateway, like below:


  • Make sure the Priority is set correctly: it determines the order in which rules are evaluated, the acceptable range is between 1 and 100, and a rule with a lower value is evaluated earlier.
  • Each custom rule must have a different Priority value. Priority 40 rules are reviewed before priority 80 rules.
  • Make sure the header value is exactly "evil" (case insensitive) and free of any leading or trailing spaces or other characters.

References:

Application Gateway WAF v2 Custom Rules by Yannic Graber

Azure Application Firewall (WAF) v2 custom rules on Application Gateway | Microsoft Learn
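Once the rule is deployed and the policy is attached to the listener, the quickest way to confirm the points above is to send a few probe requests to your own gateway and compare status codes. The following is an added example, not code from the question or the answer; it assumes the gateway URL is supplied by you, uses the question's header name, and the value list is constructed to exercise the case and whitespace caveats.

```powershell
# Added example: probe your own Application Gateway after deploying the custom
# rule and report which header values the WAF blocks (403 in Prevention mode;
# Detection mode only logs and returns the backend's normal status).
function Test-WafHeaderRule {
    param(
        [Parameter(Mandatory)] [string] $GatewayUrl,   # e.g. https://<gateway-host>/
        [string] $HeaderName = 'My-Header',            # header from the question's rule
        # Constructed test values: exact, upper-case, padded, substring, and a control
        [string[]] $Values = @('evil', 'EVIL', ' evil ', 'not-evil', 'benign')
    )
    foreach ($v in $Values) {
        $status = $null
        try {
            # -UseBasicParsing keeps this working on Windows PowerShell 5.1
            $r = Invoke-WebRequest -Uri $GatewayUrl -Headers @{ $HeaderName = $v } `
                                   -UseBasicParsing -TimeoutSec 15
            $status = [int]$r.StatusCode
        } catch {
            # Windows PowerShell throws on 4xx/5xx; recover the code from the response
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            else { $status = 'ERR' }   # DNS/TLS/timeout failure, not a WAF decision
        }
        [pscustomobject]@{
            HeaderValue = "'$v'"
            StatusCode  = $status
            Blocked     = ($status -eq 403)
        }
    }
}

# Usage (replace with your gateway's hostname):
# Test-WafHeaderRule -GatewayUrl 'https://<gateway-host>/' | Format-Table -AutoSize
```

With the question's Contains operator plus the Lowercase transform, every value containing "evil" in any case (including "not-evil" and the padded " evil ") should return 403 and only "benign" should pass; switching the operator to Equal narrows blocking to "evil" and "EVIL", so the padded value passes through, which is the whitespace caveat the answer's last bullet is about.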