Add a header value criterion in WAF Exclusion Rules

Sometimes it is useful to exclude WAF processing for some header values (e.g. based on the Content-Type value) to avoid false positives. Today the exclusion rule filter doesn't include headers or header values. This is now achievable using routes, but it is an actual WAF exclusion rule, so that's where it should be.

  • Paolo Di Liberto
  • Feb 22 2023
  • Will not implement
  • Admin
    7 Apr, 2023 03:19pm

    If you want to disable WAF entirely based on a header match, the "Trusted Client Rules" feature can be used. It's available under HTTP Load Balancer --> Common Security Controls section.

  • Paolo Di Liberto commented
    7 Apr, 2023 08:57am

    Thanks Sudhir. My idea was something different. E.g. if you want to skip WAF processing for a specific content type for binary file uploads. It is not about disabling a specific signature or violation. But, as said, today you can do that with routes or service policies. Thank you.

  • Admin
    6 Apr, 2023 04:23pm

    There is a section called Context.

  • Paolo Di Liberto commented
    6 Apr, 2023 03:54pm

    I don't see any headers in the WAF exclusion rule. You can exclude by domain, path, methods... but not header name/value (at least, in my tenant).

    I wouldn't make header/value fields pre-populated by request logs.

  • Admin
    6 Apr, 2023 02:33pm

    WAF exclusion rules provide the ability to exclude by context (cookies, headers, query params, req body, etc.).

  • Alexis DA COSTA commented
    2 Mar, 2023 02:25pm

    Undesired impact: Because an exclusion rule is pre-populated based on the request log, I don't want to force SecOps to remove all HTTP headers one by one if they don't expect to match a specific header.

    Workaround 2: It's also achievable using a Service Policy.