Share via

Azure FD Premium w/ WAF Custom Exclusion Rule Not Working

Michael Paterson 0 Reputation points
2025-11-20T19:44:36.44+00:00

I have an Azure Front Door Premium instance with a WAF in Prevention Mode and Enabled. I created a simple exclusion rule to block traffic coming from my ip address but it is not blocking the traffic. I tried creating a support request but it just kept pushing me here. Not sure why given I pay for support.

Anyhow, I've tried all different kinds of things but it seems like traffic isn't actually being routed through the WAF.

Any thoughts?

Azure Web Application Firewall
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator
    2025-11-27T11:24:25.1766667+00:00

    Hello @Michael Paterson,

    Welcome to Microsoft Q&A Platform.

    The Azure-managed Default Rule Set in the Application Gateway Web Application Firewall actively protects web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, are updated as needed to guard against new attack signatures.

    User's image

    To block traffic from a specific IP, you can create a custom rule in WAF. Custom rules have higher priority than the rules in the managed rule sets.

    You can create a custom rule in WAF by navigating to: Front Door WAF Policy → Custom Rules → Add Custom Rule

    User's image

    Once the custom rule is created, make sure the WAF policy is associated with your Front Door, and ensure that the WAF policy mode is set to Prevention.

    Ref Configure Azure Front Door logs to configure Diagnostic.

    User's image

    Note: After completing all the configurations, wait 5 minutes for the changes to propagate.

    If it is still not working, check the AzureDiagnostics logs for Azure Front Door using a KQL query.

    AzureDiagnostics  
| where Category contains "FrontDoorWebApplicationFirewallLog"

    Result:
    User's image

    Final result of AFD endpoint URL:

    User's image

    Kindly let us know if the above helps or you need further assistance on this issue.

     

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments
  2. Anonymous
    2025-11-20T20:45:11.28+00:00

    Hello @Michael Paterson,

    Welcome to Microsoft Q&A Platform.

    I understand your question about you are experiencing issues with your Azure Front Door policies not blocking any traffic, even though they are configured in Prevention mode

    The Azure-managed Default Rule Set in the Application Gateway Web Application Firewall actively protects web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, are updated as needed to guard against new attack signatures

    User's image

    Here are steps block your IP:

    1. Go to your WAF policy in the Azure portal and navigate to Custom rules → Add custom rule.
    2. Create a rule with these settings:
      1. Match variable: RemoteAddr (this represents the client’s original IP address)
        • Operator: Equals
        • Match value: Your public IP address
        • Action: Block
          • Priority: Set a low number such as 1 to ensure it is evaluated early 
                        - __Status:__ Enabled
          ```1. Save and deploy the policy.
    3. Verify that the WAF policy is correctly associated with your Front Door frontend endpoint or route.
    4. Confirm the policy is Enabled and set to Prevention mode.
    5. Access your site only via the Front Door hostname or custom domain to ensure traffic passes through the WAF.

    If configured correctly, requests from your blocked IP will receive a 403 Forbidden response.

    For more details:

    What is Azure Web Application Firewall on Azure Front Door? | Microsoft Learn

    Web Application Firewall (WAF) on Azure Front Door | Microsoft Learn

    Kindly let us know if the above helps or you need further assistance on this issue.

    0 comments
  3. Q&A Assist
    2025-11-20T19:44:58.09+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It sounds like you're experiencing issues with your WAF exclusion rule not functioning as expected. Here are a few things to consider:

    1. Ensure Traffic is Routed Through WAF: Verify that your Azure Front Door is correctly configured to route traffic through the WAF. If traffic is not passing through the WAF, the exclusion rules will not apply. You can check the routing configuration in your Azure Front Door settings.
    2. Review Exclusion Rule Configuration: Double-check the configuration of your exclusion rule. Make sure that the rule is set up correctly to match the traffic you intend to exclude. If the match conditions are not accurately defined, the rule may not trigger as expected.
    3. Logging and Monitoring: Utilize the logging features of the WAF to monitor incoming requests and see if your IP address is being logged. This can help determine if the requests are being processed by the WAF and if the exclusion rule is being evaluated.
    4. Testing in Prevention Mode: Since you are in Prevention Mode, ensure that the WAF is actively blocking requests as intended. If you have made changes to the WAF configuration, it might be beneficial to test the setup thoroughly to confirm that it behaves as expected.
    5. Custom Rules: If the exclusion rule is not working, consider creating a custom rule that explicitly allows requests from your IP address. Custom rules are processed before managed rules and can provide more granular control over how the WAF responds to specific requests.

    If you continue to face issues, it might be helpful to reach out to Azure support again with detailed information about your configuration and the steps you've taken so far.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.