
How to block blacklisted resources in WAF (Azure Front Door / Application Gateway)?

K Sec Greg 0 Reputation points
2025-12-15T08:08:56.6133333+00:00

Hi Team,

I have a legacy Java application (exposed site: https://japfd.centoso.com) on WebLogic / Tomcat.

We have identified two high-risk endpoints; unfortunately, we cannot patch them on the application side immediately:

  1. https://japfd.centoso.com/conf/users.xml
  2. https://japfd.centoso.com/debug/script

We want Front Door WAF to block the above resources and their equivalent requests.

How can I achieve this on Azure Front Door WAF or Azure Application Gateway WAF?

Regards

Azure Web Application Firewall

3 answers

  1. Yuval Pery 0 Reputation points Microsoft Employee
    2025-12-29T09:24:16.2433333+00:00

    Hi @K Sec Greg ,

    Thank you for submitting your question on the Microsoft Q&A forum, and for taking the time to speak with me today.

    I understand that the custom rules you tried were insufficient for this specific scenario, and I’ve shared additional details that should help refine your WAF configuration. I hope we can continue the discussion until you’re fully confident in the protection in place.

    Please feel free to reach out anytime, either here or directly, if you or any other WAF customers have further questions or concerns. I’d be happy to help.

    Thanks, Yuval


  2. K Sec Greg 0 Reputation points
    2025-12-19T07:33:07.96+00:00

    Update on Dec 19, 2025: The Microsoft Support Team and the backend engineering team are working on this issue (an associated SR was created in Nov 2025 and escalated recently). Per the meeting, the current custom rules are insufficient; that is, AZ WAF failed to block the blacklisted resources.


  3. Venkatesan S 4,660 Reputation points Microsoft External Staff Moderator
    2025-12-15T08:53:37.5933333+00:00

    Hi K Sec Greg,

    Thanks for posting your question in the Microsoft Q&A forum.

    It sounds like you want to block specific endpoints in your Azure Front Door Web Application Firewall (WAF) due to security concerns. You can achieve this by creating custom rules in your WAF policy. Here's a step-by-step guide to help you set it up:

    1. Access Azure Portal: Navigate to the Azure portal and find your Azure Front Door service.
    2. Create or Modify WAF Policy:
    3. Custom Rules:
      • Go to the "Custom rules" section within your WAF policy.
      • Add a new custom rule and define the match conditions. For your case, select the option to match against the request URI.
      • Set the condition to block requests if the URI matches /conf/users.xml or /debug/script.
    4. Set the Action: Choose "Block" as the action for the rule you’re creating.
    5. Priority Setting: Assign a priority to your new rule. Remember, lower numbers have higher priority, so ensure it's set appropriately so that it gets triggered before any other rules that might conflict.
    6. Save and Deploy: After configuring your rules, save the WAF policy and deploy the changes.
    7. Testing: Test the endpoints to ensure that they are blocked as intended.

    This will ensure that any requests to those specific endpoints are blocked by your Azure Front Door WAF, providing you the immediate protection you need until you can apply application-level patches.

    If you have further questions or need more details about any specific step, feel free to ask!

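The testing step in the answer above can be backed by a check on the origin side. The following Python sketch is an added example, not code from this thread or from Azure: it normalizes the request targets in a constructed origin access log and lists the entries that resolve to the two blocklisted resources. The normalization rules (repeated percent-decoding, dropping `;` path parameters, resolving dot segments, case folding) and the log format are assumptions chosen to over-match, not a description of how Azure WAF or the backend parses URLs.

```python
import posixpath
import re
from urllib.parse import unquote

# The two resources named in the question.
BLOCKED = ("/conf/users.xml", "/debug/script")

def canonical_path(target: str) -> str:
    """Reduce a request target to one comparable path (assumed, over-matching rules)."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # decode repeatedly so double-encoded input settles
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Drop ";param" suffixes from each path segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # normpath collapses repeated slashes and resolves "." and ".." segments.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def is_blocked(target: str) -> bool:
    """True when the target resolves to a blocklisted resource or a path below it."""
    p = canonical_path(target)
    return any(p == b or p.startswith(b + "/") for b in BLOCKED)

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample of an origin access log (common log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2025:08:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [15/Dec/2025:08:01:05 +0000] "GET /conf/users.xml HTTP/1.1" 200 812
203.0.113.9 - - [15/Dec/2025:08:02:11 +0000] "GET /CONF/./users.xml?x=1 HTTP/1.1" 200 812
203.0.113.9 - - [15/Dec/2025:08:02:40 +0000] "POST /debug%2Fscript HTTP/1.1" 200 64
203.0.113.4 - - [15/Dec/2025:08:03:00 +0000] "GET /docs/debug/scripts.html HTTP/1.1" 200 900
"""

def reached_origin(log_text: str):
    """Return (method, target, status) for log entries that hit a blocklisted resource."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_blocked(m["target"]):
            hits.append((m["method"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in reached_origin(SAMPLE_LOG):
        print("reached origin:", hit)
```

Any entry this reports from a real origin log after the rule is deployed is a request the WAF let through, which is the evidence to attach when tuning the rule or working a support case.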
