Introduction

Azure Application Gateway Web Application Firewall (WAF) protects applications from common web exploits using the OWASP Core Rule Set (CRS). When WAF rules are too strict or misconfigured, legitimate traffic is blocked and valid users receive 403 Forbidden responses.

Symptoms

WAF blocking legitimate requests:

```bash
$ curl -i -X POST https://app.example.com/api/users \
    -H "Content-Type: application/json" \
    -d '{"user":"admin","role":"manager"}'

HTTP/2 403 Forbidden
{"Message":"Request blocked by Web Application Firewall"}
```

Firewall log showing blocked request:

```json
{
  "resourceId": "/SUBSCRIPTIONS/.../APPLICATIONGATEWAYS/my-agw",
  "properties": {
    "ruleId": "942100",
    "message": "SQL Injection Attack Detected",
    "action": "Blocked",
    "details": "Matched Data: admin"
  }
}
```

Access logs showing 403 responses:

```bash
# Requires a diagnostic setting that sends ApplicationGatewayAccessLog to a
# Log Analytics workspace (WORKSPACE_ID is a placeholder); the field names are
# those of the legacy AzureDiagnostics table
az monitor log-analytics query \
  --workspace WORKSPACE_ID \
  --analytics-query "AzureDiagnostics
    | where Category == 'ApplicationGatewayAccessLog' and httpStatus_d == 403
    | summarize Count = count() by requestUri_s, clientIP_s
    | order by Count desc"

# Multiple 403 responses from the Application Gateway itself (not the backend)
# point at the WAF
```

Common Causes

  1. Overly sensitive rules - OWASP rules detect false positives
  2. Missing rule exclusions - No exclusion for specific request paths
  3. Prevention mode enabled - WAF blocks matching traffic instead of only logging it
  4. Request body contains keywords - SQL keywords trigger injection rules
  5. Missing allowlist - IP restrictions or bot protection too strict
  6. Custom rules too broad - Custom WAF rules matching legitimate traffic
  7. OWASP version mismatch - Different behavior between CRS versions

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Check WAF Configuration

```bash
# Get Application Gateway WAF policy
az network application-gateway waf-policy show \
  --name my-waf-policy \
  --resource-group my-rg \
  --query '{PolicySettings:policySettings,CustomRules:customRules}'

# Check WAF mode (policySettings.mode)
# Prevention: Blocks malicious requests
# Detection:  Logs only, doesn't block
```

Step 2: Review WAF Logs for Blocked Requests

```bash
# Requires a diagnostic setting that sends ApplicationGatewayFirewallLog to a
# Log Analytics workspace (WORKSPACE_ID is a placeholder)
az monitor log-analytics query \
  --workspace WORKSPACE_ID \
  --analytics-query "AzureDiagnostics
    | where Category == 'ApplicationGatewayFirewallLog' and action_s == 'Blocked'
    | summarize Blocked = count() by ruleId_s, requestUri_s
    | order by Blocked desc"

# Identify which rule is blocking traffic
# Common false positive rules:
# - 942100: SQL Injection
# - 941100: XSS Attack
# - 920300: Request Missing Accept Header
```

Step 3: Switch to Detection Mode for Testing

```bash
# Temporarily switch to detection mode
az network application-gateway waf-policy policy-setting update \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --mode Detection

# Monitor logs without blocking users
# Confirm which rules trigger false positives
```

Step 4: Create Rule Exclusion for Specific Path

```bash
# Application Gateway WAF exclusions are scoped by request header, cookie or
# argument name (RequestHeaderNames, RequestCookieNames, RequestArgNames), not
# by URI. To exempt only /api/users, associate a separate, more permissive WAF
# policy with the path-based routing rule for that path.

# Exclude the "user" request argument from rule evaluation; the rule stays
# active for every other parameter
az network application-gateway waf-policy managed-rule exclusion add \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --match-variable RequestArgNames \
  --selector-match-operator Equals \
  --selector user
```

Step 5: Disable Specific OWASP Rule

```bash
# Disable the specific rule that causes false positives (rule 942100 only)
# With CRS 3.2 a per-rule action of Log is available instead of disabling;
# see --rules in `az network application-gateway waf-policy managed-rule rule-set add --help`
az network application-gateway waf-policy managed-rule rule-set add \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --type OWASP \
  --version 3.2 \
  --group-name REQUEST-942-APPLICATION-ATTACK-SQLI \
  --rule-id 942100

# Disable the entire rule group (use sparingly: this removes all SQLi detection)
az network application-gateway waf-policy managed-rule rule-set add \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --type OWASP \
  --version 3.2 \
  --group-name REQUEST-942-APPLICATION-ATTACK-SQLI
```
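Steps 2, 4 and 5 come down to one decision per rule and path: is the block a repeatable false positive that deserves a narrow exclusion, or something to leave in place? The script below is an added example (not from this page or from Azure's tooling) that makes that triage over firewall log records exported as one JSON object per line. It assumes the simplified record shape from the Symptoms section plus `clientIp` and `requestUri`, and that `details` uses the CRS phrasing `found within ARGS:<name>`; it always prefers a `RequestArgNames` exclusion over disabling a rule.

```python
import json
import re
from collections import defaultdict

# Constructed sample: three firewall log records, one JSON object per line,
# in the simplified shape shown in the Symptoms section. The CRS phrasing
# "found within ARGS:<name>" inside "details" is an assumption of this example.
SAMPLE_LOG = r'''
{"resourceId": "/SUBSCRIPTIONS/.../APPLICATIONGATEWAYS/my-agw", "properties": {"clientIp": "10.1.2.3", "requestUri": "/api/users", "ruleId": "942100", "action": "Blocked", "details": "Matched Data: admin found within ARGS:user: admin"}}
{"resourceId": "/SUBSCRIPTIONS/.../APPLICATIONGATEWAYS/my-agw", "properties": {"clientIp": "10.1.2.4", "requestUri": "/api/users", "ruleId": "942100", "action": "Blocked", "details": "Matched Data: admin found within ARGS:user: admin"}}
{"resourceId": "/SUBSCRIPTIONS/.../APPLICATIONGATEWAYS/my-agw", "properties": {"clientIp": "203.0.113.9", "requestUri": "/search", "ruleId": "942100", "action": "Blocked", "details": "Matched Data: ' OR '1'='1 found within ARGS:q: 1' OR '1'='1"}}
'''

# Pulls the argument name CRS reports, e.g. "user" from "... ARGS:user: admin"
ARG_RE = re.compile(r"found within ARGS:([^:\s]+):")


def parse_blocked(text):
    """Return the properties object of every record whose action is Blocked."""
    blocked = []
    for line in text.splitlines():
        if line.strip():
            props = json.loads(line).get("properties", {})
            if props.get("action") == "Blocked":
                blocked.append(props)
    return blocked


def propose_tuning(records, min_hits=2):
    """Group blocks by (ruleId, requestUri) and suggest the narrowest fix.
    A group becomes an exclusion candidate only when it reaches min_hits and
    every hit names the same argument; anything else is left for manual
    review, so a single injection probe is never turned into an exclusion."""
    groups = defaultdict(list)
    for p in records:
        groups[(p["ruleId"], p["requestUri"])].append(p)
    proposals = []
    for (rule_id, uri), hits in sorted(groups.items()):
        args = {m.group(1) for m in map(ARG_RE.search, (h["details"] for h in hits)) if m}
        row = {"ruleId": rule_id, "requestUri": uri, "hits": len(hits)}
        if len(hits) >= min_hits and len(args) == 1:
            # Excluding one argument name keeps the rule active for every other
            # parameter, so it is preferred over disabling 942100 outright.
            row.update(action="exclude", matchVariable="RequestArgNames",
                       selector=args.pop())
        else:
            row["action"] = "review"
        proposals.append(row)
    return proposals
```

Each `exclude` row maps directly onto the `managed-rule exclusion add` arguments in Step 4, while `review` rows are the ones to inspect by hand before touching the rule in Step 5.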

Step 6: Adjust OWASP Sensitivity

```bash
# Check current OWASP configuration
az network application-gateway waf-policy show \
  --name my-waf-policy \
  --resource-group my-rg \
  --query 'managedRules.managedRuleSets'

# Choose the rule set version; newer versions are better tuned
# CRS 3.0: More false positives
# CRS 3.2: Better tuned, fewer false positives
# CRS 3.3: Most current, best balance
az network application-gateway waf-policy managed-rule rule-set update \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --type OWASP \
  --version 3.2
```

Step 7: Configure Custom Rules for Allowlist

```bash
# Create custom rule to allow specific IPs
az network application-gateway waf-policy custom-rule create \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --name "Allow-Trusted-IPs" \
  --priority 100 \
  --rule-type MatchRule \
  --action Allow

# Add condition to custom rule
az network application-gateway waf-policy custom-rule match-condition add \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --name "Allow-Trusted-IPs" \
  --match-variables RemoteAddr \
  --operator IPMatch \
  --values "10.0.0.0/8" "192.168.0.0/16"
```

Step 8: Review Application Gateway Metrics

```bash
# Check WAF metrics (SUB_ID is a placeholder for the subscription id)
az monitor metrics list \
  --resource /subscriptions/SUB_ID/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw \
  --metric "TotalRequests" "BlockedRequests" "FailedRequests" \
  --interval PT1H

# A high ratio of blocked to total requests indicates over-blocking
```

Step 9: Test WAF Rules

```bash
# Test a specific rule with curl; print only the HTTP status code
# SQL injection test (should be blocked with 403)
curl -s -o /dev/null -w "%{http_code}\n" -G "https://app.example.com/search" \
  --data-urlencode "q=1' OR '1'='1"

# Normal request (should pass with 200)
curl -s -o /dev/null -w "%{http_code}\n" -G "https://app.example.com/search" \
  --data-urlencode "q=normal-search-term"
```

Step 10: Switch Back to Prevention Mode

```bash
# After tuning, re-enable prevention mode
az network application-gateway waf-policy policy-setting update \
  --policy-name my-waf-policy \
  --resource-group my-rg \
  --mode Prevention
```

WAF Rule Categories Reference

| Rule Set      | Category      | IDs    |
|---------------|---------------|--------|
| OWASP CRS 3.x | SQL Injection | 942xxx |
| OWASP CRS 3.x | XSS           | 941xxx |
| OWASP CRS 3.x | RCE           | 932xxx |
| OWASP CRS 3.x | LFI           | 930xxx |
| OWASP CRS 3.x | RFI           | 931xxx |

Verification

```bash
# Test that the legitimate request passes
curl -i -X POST https://app.example.com/api/users \
  -H "Content-Type: application/json" \
  -d '{"user":"admin","role":"manager"}'

# Should return 200 or the expected application response, not the WAF 403
```


Source: FixWikiHub, "Fix Azure Application Gateway WAF Blocking Legitimate Traffic" (https://www.fixwikihub.com/fix-azure-application-gateway-waf-blocking), FixWikiHub Editorial Team, published 2026-04-02.