How to ignore a specific OWASP rule for a specific URI in Azure WAF v2

VS 0 Reputation points
2023-07-11T13:54:04.3133333+00:00

Need to ignore a specific OWASP rule for a specific URL endpoint.


1 answer

  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2023-07-11T14:13:51.46+00:00

    Hello @VS ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to ignore specific OWASP rules for a specific URL endpoint in your Azure WAF v2 associated with your Application gateway.

    You can use Web Application Firewall Policies which contain all the WAF settings and configurations. This includes exclusions, custom rules, managed rules, and so on. WAF policy associations are only supported for the Application Gateway WAF_v2 SKU.

    Azure Web Application Firewall (WAF) policy can be associated to an application gateway (global), a listener (per-site), or a path-based rule (per-URI) for them to take effect. It can be associated with any combination of application gateways, listeners, and path-based rules. So, there are 3 types of WAF policy associations:

    • Global WAF policy: When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
    • Per-site WAF policy: With per-site WAF policies, you can protect multiple sites with differing security needs behind a single WAF by using per-site policies.
    • Per-URI policy: For even more customization down to the URI level, you can associate a WAF policy with a path-based rule.

    By default, with WAF policies, more specific policies override less-specific ones. This means a per-URI policy on a URL path map overrides any per-site or global WAF policy above it. If there's a global policy, and a per-site policy (a WAF policy associated with a listener), then the per-site policy overrides the global WAF policy for that listener. Other listeners without their own policies will only be affected by the global WAF policy.

    Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/policy-overview

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/per-site-policies

    So, you can associate different WAF policies to your listeners or path-based rule and disable the specific OWASP rule or create exclusions/custom rules for that specific listener or path-based rule.

    For example: If you have 2 sites - abc.com and xyz.com behind your Application gateway WAF v2 and you have a policy XYZ associated to the whole application gateway and there is another WAF policy ABC associated with the abc.com listener, then your site abc.com will use policy ABC and xyz.com will use policy XYZ, without being affected by policy ABC. In this way, you can ignore a specific OWASP rule for a specific URL endpoint by configuring the required settings within the associated WAF policy.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
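
The precedence described in the answer above, as an added example that is not part of the original thread: a small Python model that resolves which WAF policy applies to a request and audits where a rule is disabled. The `ABC-upload` policy, the `/upload/*` path, the rule ID placeholder and the simplified path matching are assumptions; `ABC`, `XYZ`, `abc.com` and `xyz.com` reuse the answer's example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class WafPolicy:
    name: str
    disabled_rules: set = field(default_factory=set)

@dataclass
class Listener:
    host: str
    policy: Optional[WafPolicy] = None  # per-site association
    path_rules: dict = field(default_factory=dict)  # path pattern -> per-URI policy

def path_matches(pattern, path):
    # Assumption: simplified matching, a trailing "*" means prefix match.
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern

def effective_policy(global_policy, listeners, host, path):
    """Most specific association wins: per-URI, then per-site, then global."""
    listener = next((l for l in listeners if l.host == host), None)
    if listener:
        for pattern, policy in listener.path_rules.items():
            if path_matches(pattern, path):
                return policy
        if listener.policy:
            return listener.policy
    return global_policy

def rule_enforced(global_policy, listeners, host, path, rule_id):
    policy = effective_policy(global_policy, listeners, host, path)
    return rule_id not in policy.disabled_rules

def scopes_without_rule(global_policy, listeners, rule_id):
    """Audit: every (host, path) association whose policy disables rule_id."""
    hits = [("*", "*")] if rule_id in global_policy.disabled_rules else []
    for l in listeners:
        if l.policy and rule_id in l.policy.disabled_rules:
            hits.append((l.host, "*"))
        hits += [(l.host, p) for p, pol in l.path_rules.items()
                 if rule_id in pol.disabled_rules]
    return hits

# Constructed sample: the rule is disabled only in the per-URI policy.
RULE = "RULE_ID_PLACEHOLDER"
GLOBAL = WafPolicy("XYZ")
ABC = WafPolicy("ABC")
ABC_UPLOAD = WafPolicy("ABC-upload", {RULE})  # hypothetical per-URI policy
LISTENERS = [Listener("abc.com", ABC, {"/upload/*": ABC_UPLOAD}), Listener("xyz.com")]
```

In this model the more specific policy replaces the broader one rather than merging with it, so the per-URI policy has to carry every other setting that should still apply on that path.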

