
How to effectively tune Azure WAF without exhausting too many resources

Jyotirmoy Pan 0 Reputation points
2024-11-07T15:32:30.6733333+00:00

We have Azure WAF rules in prevention mode in both Azure Front Door and the APIM gateway. We have been facing this issue for a long time because so many false positives block requests from our end users, frustrating us and the users, as there is no predictable pattern.

In the past the same question has been asked, and the answer was to tune the WAF and keep adding to the exclusion list. However, on an enterprise scale this is not easy to achieve. For example, we have approximately 0K WAF blocks. Of these, 99% seem to be rightly prevented, but 1%, or about 100 requests, are false positives. We would then need a dedicated team just to go through these 100 requests and add them to exclusion lists. This is exhausting, time consuming and not sustainable.

We would like to understand if there are any solutions that can actually provide us a list of false positives and add them to exclusion lists with single point approvals instead of the entire process being manual. If not, how is Microsoft envisaging enterprises to manage this? We would need some guidance on the best practices as this has been one of our biggest pain areas around improving end user experience.

Tags: Azure API Management, Azure Front Door, Azure Firewall


2 answers

  1. Adnane 0 Reputation points
    2026-05-18T12:53:46.6+00:00

    I’m currently researching how Cloud/SecOps/AppSec teams handle WAF false positives in production, especially around Azure Front Door WAF and Application Gateway WAF.

    I’m not selling anything — I’m trying to understand the current workflow: how teams investigate logs, identify the triggered rule, decide whether it is a false positive, and safely apply exclusions without weakening security.

    If you’ve dealt with this kind of issue, I’d really appreciate your input through this short 3-minute survey:

    https://docs.google.com/forms/d/e/1FAIpQLSe6at7K4gvdwv1hZPp-VLO_Q0G1zTXSnf8WpjgNiAoix7gMOA/viewform?usp=header

    Happy to share aggregated learnings once I collect enough responses.


  2. ChaitanyaNaykodi-MSFT 27,671 Reputation points Microsoft Employee Moderator
    2024-11-07T19:48:33.59+00:00

    @Jyotirmoy Pan

    Thank you for reaching out. I understand you are facing an issue regarding false positives for your WAF, and you wish to know if there is any solution available to tackle this problem at scale.

    Based on your statements above

    We would like to understand if there are any solutions that can actually provide us a list of false positives and add them to exclusion lists with single point approvals instead of the entire process being manual. If not, how is Microsoft envisaging enterprises to manage this?

    Currently we do not have an out-of-the-box solution for this, where a list of false positives can be provided and added to the exclusion list.

    This is great feedback, and it will help if you could file this on our feedback portal here. Meanwhile I will also share this feedback with the team internally.

    If it helps, you can leverage the Azure WAF REST API to automate and streamline the process of creating exclusion rules. As an example, you can also use an Azure Logic App to invoke the REST API, as showcased here, which can help tackle this problem at scale.

    We would need some guidance on the best practices as this has been one of our biggest pain areas around improving end user experience.

    As you mentioned, you are already fine-tuning the WAF and adding to the exclusion list.

    There are additional ways to avoid false positives in WAF; a few are discussed in this blog post here, where you can disable a rule in some scenarios to avoid false positives, or add specific exclusions or custom rules.

    You can also go through this WAF tutorial (16.30) to understand WAF tuning basics, and the examples of how WAF rules are triggered for a particular request using pattern match (39.10), and see if that helps in avoiding false positives in your scenario.

    Hope this helps! Please let me know if you have any questions. Thank you!

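The moderator's answer points at the WAF REST API and a Logic App for applying exclusions at scale, but the expensive part the question describes is deciding which of the blocked requests are false positives in the first place. The script below is an added example, not code from the thread or from Microsoft: it triages Front Door WAF block records into candidate false positives and drafts a per-rule exclusion for each, marked `pending_approval` so that a single reviewer can approve and push it through the API or Logic App flow. The sample log records are constructed; their field names follow the FrontDoorWebApplicationFirewallLog schema and the output follows the Front Door WAF policy `ruleGroupOverrides` exclusion shape, but the `VARIABLE_MAP` prefix mapping, the `ruleName` parsing and the thresholds are this example's own assumptions and should be checked against your tenant's logs.

```python
"""Triage Azure Front Door WAF block logs into false-positive candidates and draft
per-rule exclusions that still need one human approval before being applied."""
from collections import defaultdict

# Constructed sample records shaped like FrontDoorWebApplicationFirewallLog entries
# (all IPs, hosts, paths and values are invented for this example).
SAMPLE_LOGS = [
    # Six ordinary clients each trip the same SQLi rule on the same free-text form field.
    {"clientIP": f"203.0.113.{i}", "host": "app.example.com", "requestUri": "/api/orders",
     "ruleName": "DefaultRuleSet-1.0-SQLI-942430", "action": "Block",
     "details": {"matches": [{"matchVariableName": "PostParamValue:notes",
                              "matchVariableValue": "Order #12 (2 items); call me"}]}}
    for i in range(1, 7)
] + [
    # One client tripping many different rules across paths looks like a scanner, not a user.
    {"clientIP": "198.51.100.7", "host": "app.example.com", "requestUri": f"/probe{i}",
     "ruleName": rule, "action": "Block",
     "details": {"matches": [{"matchVariableName": "QueryParamValue:id",
                              "matchVariableValue": "' OR 1=1"}]}}
    for i, rule in enumerate(["DefaultRuleSet-1.0-SQLI-942100", "DefaultRuleSet-1.0-SQLI-942190",
                              "DefaultRuleSet-1.0-XSS-941100", "DefaultRuleSet-1.0-RCE-932100"])
]

# Assumed mapping from the log's matchVariableName prefix to the policy's matchVariable enum.
VARIABLE_MAP = {
    "HeaderValue": "RequestHeaderNames",
    "CookieValue": "RequestCookieNames",
    "QueryParamValue": "QueryStringArgNames",
    "PostParamValue": "RequestBodyPostArgNames",
    "JsonValue": "RequestBodyJsonArgNames",
}


def triage(logs, min_clients=5, max_rules_per_client=2):
    """Group Block events by (ruleName, matchVariableName).

    A group is a false-positive candidate when at least `min_clients` distinct clients
    hit it and those clients otherwise look benign (each tripped at most
    `max_rules_per_client` distinct rules). A client tripping many rules is treated as
    scanning traffic and never counts towards a candidate.
    """
    rules_per_client = defaultdict(set)
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "samples": set()})
    for rec in logs:
        if rec.get("action") != "Block":
            continue
        rules_per_client[rec["clientIP"]].add(rec["ruleName"])
        for m in rec["details"]["matches"]:
            g = groups[(rec["ruleName"], m["matchVariableName"])]
            g["count"] += 1
            g["clients"].add(rec["clientIP"])
            g["samples"].add(m["matchVariableValue"])
    candidates = []
    for (rule, var), g in groups.items():
        benign = [c for c in g["clients"] if len(rules_per_client[c]) <= max_rules_per_client]
        if len(benign) >= min_clients:
            candidates.append({"ruleName": rule, "matchVariableName": var,
                               "blocks": g["count"], "distinctClients": len(g["clients"]),
                               "sampleValues": sorted(g["samples"])[:3]})
    return sorted(candidates, key=lambda c: -c["blocks"])


def draft_exclusion(candidate):
    """Turn a candidate into a per-rule exclusion in the Front Door WAF policy shape.

    The exclusion is scoped to the one parameter that misfired instead of disabling the
    rule, and carries the evidence plus a pending_approval status for the reviewer.
    Returns None when the match is not on a named parameter (e.g. a URI match), since
    that needs a manual look rather than an automatic exclusion.
    """
    prefix, _, selector = candidate["matchVariableName"].partition(":")
    if prefix not in VARIABLE_MAP or not selector:
        return None
    # Assumed log format: "<ruleset>-<version>-<group>-<ruleId>", e.g. DefaultRuleSet-1.0-SQLI-942430
    *_, group, rule_id = candidate["ruleName"].split("-")
    return {
        "status": "pending_approval",
        "evidence": {k: candidate[k] for k in ("blocks", "distinctClients", "sampleValues")},
        "ruleGroupName": group,
        "ruleId": rule_id,
        "exclusions": [{"matchVariable": VARIABLE_MAP[prefix],
                        "selectorMatchOperator": "Equals",
                        "selector": selector}],
    }


if __name__ == "__main__":
    for cand in triage(SAMPLE_LOGS):
        print(draft_exclusion(cand))
```

In practice the records would come from a Log Analytics query over `AzureDiagnostics` or the resource-specific WAF table rather than the constructed list, and the approved drafts would be merged into the policy's `ruleGroupOverrides` via the REST API or the Logic App the answer mentions; the thresholds are deliberately conservative so that a single scanning client can never manufacture an exclusion on its own.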
