Azure WAF - Replication of Request flagged by Microsoft Default Ruleset

Question

Azure WAF - Replication of Request flagged by Microsoft Default Ruleset

Gerald Tan 0

Hi All,

Seeking for guidance on how i can replicate the request sent into the AGW that is triggering the Microsoft_DefaultRuleSet.

I have replicated using the same RequestURI and the Body but my request triggered from Postman does not trigger any of the rules from Microsoft_DefaultRuleSet

Alternatively am i able to exclude these rules based on RequestURI and or ClientIP ?

User's image

Adam Zachary 2,025 Reputation points

2025-11-26T03:32:37.3366667+00:00
I’ve run into this many times, and it’s normal that you can’t reproduce the WAF block from Postman even when using the same URI and body.

Azure WAF evaluates the raw HTTP traffic exactly as it arrived on the gateway. When the request came from the original client, it likely included things Postman won’t recreate, such as:

The original encoding or escaping of characters

Hidden headers

The exact payload formatting

Anomaly score accumulation from multiple requests in the same session

That’s why WAF matched the Microsoft_DefaultRuleSet rules but your replay does not.

If your goal is to prevent false positives, yes, you can exclude rules, but only at the WAF policy level. You can exclude by:

Request URI path

Client IP

Request header, cookie, or body element

Go to: WAF Policy → Managed rules → Rule exclusions.

If these requests are legitimate traffic from a known source, excluding the specific rule IDs (941100, 942260, etc.) by path or by client IP is the safest and most controlled workaround

1 answer

Your answer

Adam Zachary 2,025 Reputation points

2025-11-26T03:32:37.3366667+00:00

I’ve run into this many times, and it’s normal that you can’t reproduce the WAF block from Postman even when using the same URI and body.

Azure WAF evaluates the raw HTTP traffic exactly as it arrived on the gateway. When the request came from the original client, it likely included things Postman won’t recreate, such as:

The original encoding or escaping of characters

Hidden headers

The exact payload formatting

Anomaly score accumulation from multiple requests in the same session

That’s why WAF matched the Microsoft_DefaultRuleSet rules but your replay does not.

If your goal is to prevent false positives, yes, you can exclude rules, but only at the WAF policy level. You can exclude by:

Request URI path

Client IP

Request header, cookie, or body element

Go to: WAF Policy → Managed rules → Rule exclusions.

If these requests are legitimate traffic from a known source, excluding the specific rule IDs (941100, 942260, etc.) by path or by client IP is the safest and most controlled workaround

Answer 1

Hi @Gerald Tan,

Thanks for reaching out on Microsoft Q&A forum.

I understand that you want to replicate the requests flagged by Microsoft Default Ruleset.

Even if you reuse the same RequestURI and body, the original WAF match might depend on additional factors such as:

HTTP method, headers (for example User-Agent, cookies, custom headers), or query-string parameters.
Encodings or special characters (URL encoding, JSON structure, multipart form data).
The exact Microsoft Default Rule Set version and specific rule ID that was triggered.

To accurately replicate the request:

1.Check the WAF logs (ApplicationGatewayFirewallLog) for the original event and note:

Rule set and version (for example, Microsoft_DefaultRuleSet_2.1 or similar).
Rule ID and rule group.
Matched variable (RequestUri, RequestBody, RequestHeader, etc.).
Full request details (method, URI, query string, headers, body).
Web Application Firewall DRS and CRS rule groups and rules

2.Rebuild the request in Postman to match all of those details.

There are two main approaches, depending on what exactly you want to exclude.

1.Exclude specific request attributes for certain rules (recommended when possible):

In your WAF policy, go to “Managed rules” → “Add exclusions”.
Choose the rule set and rule(s) to apply the exclusion to (for example, the specific MDRS rule ID that is firing).
Configure exclusions based on supported match variables such as:Request header name/value, Request cookie name/value,Request attribute name (form field, JSON property, query-string parameter)
These exclusions are attribute-based, not URI/IP-based.
Web Application Firewall exclusion lists

2.Use a custom rule to bypass MDRS for certain URIs or IPs:

Create a custom WAF rule in the same WAF policy with:
Match variable: RequestUri (for example, “Contains” or “BeginsWith” “/your/path”).
Or match variable: RemoteAddr for a specific client IP or range.
- Action: Allow.
Custom rules are evaluated before the managed rules; if the custom rule matches and allows, MDRS rules are not evaluated for that request.
Exclude/exempt specific IP from WAF managed rules

In this way you can exempt specific RequestURI patterns or client IPs from managed rule processing, even though MDRS itself does not allow you to attach exclusions directly to ClientIP or RequestURI.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Gerald Tan 0 Reputation points

2025-11-26T05:33:06.0233333+00:00

@Adam Zachary
Thanks for your response. I am looking at the exclusions at the moment and do not see requestURI as an option. The sender is whitelisted through custom rules so technically they are a trusted sender at this point

@Thanmayi Godithi

Thanks for the response. The current sender is allowed via Custom Rules via https://myurlhere.com and MDRS applies to their request.

Can you confirm if MDRS can be skipped if i apply "Match variable: RequestUri (for example, “Contains” or “BeginsWith” “/your/path”)." ?
Thanmayi Godithi 2,215 Reputation points Microsoft External Staff Moderator

2025-11-26T10:23:42.6866667+00:00

Hi @Gerald Tan,

As per this document:https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

So, I can confirm that MDRS will not be enforced once a custom policy is executed.

Also, in WAF exclusions,you will not see a requestURI as an option instead you can achieve your goal with specific rule ID's.You can view those ID's in WAF logs.

Refer the below document for better understanding.

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Upvote" if the information helped you. This will help us and others in the community as well.
Gerald Tan 0 Reputation points

2025-11-27T01:38:55.8+00:00

@Thanmayi Godithi

There could be an update since the article was written. Given that custom rules were applied to allow traffic, the default rule set did kick in to make it a 403 Forbidden request. I was unable to limit the disabling of certain rules to that one particular listener, so we tried to setup a secondary WAF rules to apply these rules so that these disabled default rule set will only apply to the one listener that we need it for.

Am still testing it out. Do you by any chance know how much it would cost me to run a secondary WAF instance?
Thanmayi Godithi 2,215 Reputation points Microsoft External Staff Moderator

2025-11-27T10:09:44.27+00:00

Hi @Gerald Tan,

Could you please share the additional details requested over "Private message".

Also you can try using WAF exclusions with specific rule ID's to allow traffic.

Application Gateway WAF_v2 is billed per gateway-hour and per capacity unit-hour. Each gateway instance incurs the same fixed fee.

Thanks,

Thanmayi

Share via

Azure WAF - Replication of Request flagged by Microsoft Default Ruleset

1 answer

Your answer