What is the best practice to add exclusion in WAF

Johnson 5 Reputation points
2025-07-07T20:22:27.0833333+00:00

Hi Team,

We are currently working on tuning the Azure WAF rules based on Microsoft’s documentation. While we have followed the recommended guidelines, we would like to confirm whether our current configuration approach is aligned with best practices.

The challenge we're facing is that our website contains numerous tabs and buttons that pass back different arguments, many of which include special characters. As a result, legitimate traffic is being blocked by the WAF. Most of the blocks are by rule group REQUEST-942-APPLICATION-ATTACK-SQLI.

We've reviewed the WAF logs and attempted to create exclusions for specific arguments we’ve confirmed to be benign. However, due to the wide variety of parameters, particularly from our use of ASP.NET and Telerik components, we're concerned that managing exclusions on a case-by-case basis may not be scalable or secure.

Would you be able to advise if there’s a more effective or recommended strategy for handling this type of situation? We want to ensure we’re maintaining the right balance between security and functionality.

Thank you,

Johnson

Example:

details_data_s: {; found within [ARGS:RadStyleSheetManager1_TSSM:;|638857441156720693:101f5099:da9873f3:ac6d9490;Telerik.Web.UI, Version=2024.3.805.462, Culture=neutral, PublicKeyToken=;Telerik.Web.UI.Skins, Version=2024.3.805.462, Culture=neutral, PublicKeyToken=],;; found within [ARGS:RadScriptManager1_TSM:;;System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=;Telerik.Web.UI:en-US:169c7ca7-1df1-4370-a5b9-ee71a36cb3f0:16e4e7cd:f7645509:22a6274a;||:50cbed49;Telerik.Web.UI, Version=2024.3.805.462, Culture=neutral, PublicKeyToken=]}

details_data_s: {,"value": found within [ARGS:SignInBtn_ClientState:{"text":"Sign In","value":"","checked":false,"target":"","navigateUrl":"","commandName":"","commandArgument":"","autoPostBack":true,"selectedToggleStateIndex":0,"validationGroup":null,"readOnly":false,"primary":false,"enabled":true}],,"emptyMessage": found within [ARGS:UserNameTbx_ClientState:{"enabled":true,"emptyMessage":"","validationText":"xxxxxx","valueAsString":"xxxxxx","lastSetTextBoxValue":"xxxxxx"}],[ARGS:PasswordTbx_ClientState:{"enabled":true,"emptyMessage":"","validationText":"xxxxxx","valueAsString":"xxxxxx","lastSetTextBoxValue":"xxxxxx"}]}

Azure Web Application Firewall

1 answer

  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-07-07T23:20:12.95+00:00

    Hello Johnson

    To address Azure WAF blocking legitimate traffic from Telerik/ASP.NET components due to special characters triggering REQUEST-942-APPLICATION-ATTACK-SQLI rules, follow these best practices based on Microsoft’s recommendations:

    1. Run WAF in Detection Mode

    Set WAF to Detection mode to log requests without blocking. Use Azure Monitor or Log Analytics to identify false positives such as:

    • RadStyleSheetManager1_TSSM
    • SignInBtn_ClientState
    • UserNameTbx_ClientState

    Reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag#configure-waf-rules-optional

    2. Create Targeted Exclusions: Exclude specific parameters like RadStyleSheetManager1_TSSM, RadScriptManager1_TSM, and *ClientState from REQUEST-942-APPLICATION-ATTACK-SQLI rules.

    Exclude specific benign parameters from inspection to prevent false positives.

    # Without -ExclusionManagedRuleSet this exclusion is global: it applies to every managed rule, not only REQUEST-942.
    $exclusion = New-AzApplicationGatewayFirewallPolicyExclusion `
        -MatchVariable "RequestArgNames" `
        -SelectorMatchOperator "Equals" `
        -Selector "RadStyleSheetManager1_TSSM"
    $wafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name "<policy-name>" -ResourceGroupName "<rg-name>"
    # ManagedRules is a single object (not an array), so access its Exclusions list directly.
    $wafPolicy.ManagedRules.Exclusions.Add($exclusion)
    $wafPolicy | Set-AzApplicationGatewayFirewallPolicy
    

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

    3. Create custom rules to allow requests with common patterns like Rad* or *ClientState. Refer: Custom WAF rule

    4. Define exclusions and custom rules in PowerShell or Terraform and store in version control to handle ruleset upgrades.

    5. Test changes in a staging environment. Monitor logs in Log Analytics post-deployment to catch new false positives.

    Consider Disabling SQL Rules (If Safe): If your app doesn’t use a SQL database, disable REQUEST-942-APPLICATION-ATTACK-SQLI after testing.

    Recommendation: Start with Detection mode, add exclusions for Rad* and *ClientState, and use custom rules for broader patterns. Test thoroughly before switching to Prevention mode.

    Additionally, we have provided information on WAF.

    Yes! Manually excluding each parameter individually is not scalable. Fortunately, there are more efficient approaches you can take.

    Wildcard-Like Matching: Most WAF platforms support wildcard-style matching through operators such as:

    • StartsWith
    • EndsWith
    • Contains
    • Regex (if supported)

    For example:

    • To exclude all parameters starting with Rad, use: StartsWith: Rad
    • To exclude ASP.NET hidden fields like __VIEWSTATE, use: StartsWith: __

    This allows you to exclude entire categories of parameters without listing them individually.

    For information please refer to this document https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists

    Sharing some of the Microsoft best practices on WAF tuning: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/best-practices

    Do let me know if you have further questions, we will be happy to help:)


    I hope this helps! If this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!


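The approach the answer sketches (read the blocked parameter names out of the WAF log, then cover them with a few StartsWith/EndsWith selectors scoped to the rule group that fires) worked through as an added PowerShell example; this is not code from the thread above or from Microsoft's documentation. Part 1 runs offline on abbreviated copies of the two details_data_s values in the question. Part 2 assumes the Az.Network module with a signed-in session, a policy on OWASP CRS 3.2, and placeholder names <policy-name> and <rg-name>; it uses the Az.Network per-rule exclusion cmdlets (New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup / ...ManagedRuleSet) and was not run against a live subscription.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes Az.Network is installed and
# signed in, that the policy runs OWASP CRS 3.2 (adjust -RuleSetVersion otherwise), and that
# "<policy-name>" / "<rg-name>" are replaced with real names. Part 1 needs no Azure access.

# --- Part 1: mine the blocked parameter names out of WAF log "details_data_s" values ---

# Constructed sample input: abbreviated copies of the two details_data_s values from the question.
$SampleDetails = @(
    'details_data_s: {; found within [ARGS:RadStyleSheetManager1_TSSM:;|638857441156720693:101f5099;Telerik.Web.UI, Version=2024.3.805.462],;; found within [ARGS:RadScriptManager1_TSM:;;System.Web.Extensions, Version=4.0.0.0;Telerik.Web.UI:en-US:169c7ca7]}'
    'details_data_s: {,"value": found within [ARGS:SignInBtn_ClientState:{"text":"Sign In","value":""}],,"emptyMessage": found within [ARGS:UserNameTbx_ClientState:{"enabled":true,"emptyMessage":""}],[ARGS:PasswordTbx_ClientState:{"enabled":true,"emptyMessage":""}]}'
)

function Get-BlockedArgName {
    # Returns the distinct parameter names the WAF reported as "[ARGS:<name>:<value>]".
    param([string[]]$DetailsLines)
    $names = foreach ($line in $DetailsLines) {
        foreach ($m in [regex]::Matches($line, '\[ARGS:([^:\]]+):')) { $m.Groups[1].Value }
    }
    @($names | Sort-Object -Unique)
}

function Get-ExclusionPlan {
    # Collapses the names into a few StartsWith/EndsWith selectors instead of one Equals per name,
    # and reports any name no pattern covers so it gets reviewed rather than silently skipped.
    param([string[]]$ArgNames)
    $patterns = @(
        @{ Operator = 'StartsWith'; Selector = 'Rad';          Like = 'Rad*' }           # Telerik Rad* managers
        @{ Operator = 'EndsWith';   Selector = '_ClientState'; Like = '*_ClientState' }  # Telerik control-state JSON
    )
    $covered = @{}
    $plan = foreach ($p in $patterns) {
        $hits = @($ArgNames | Where-Object { $_ -like $p.Like })
        if ($hits.Count -gt 0) {
            foreach ($h in $hits) { $covered[$h] = $true }
            [pscustomobject]@{ Operator = $p.Operator; Selector = $p.Selector; Covers = $hits }
        }
    }
    [pscustomobject]@{
        Exclusions = @($plan)
        Unmatched  = @($ArgNames | Where-Object { -not $covered.ContainsKey($_) })
    }
}

# --- Part 2: apply the plan as exclusions scoped to the one rule group that fires ---

function Add-ScopedWafExclusion {
    # Scoping to REQUEST-942-APPLICATION-ATTACK-SQLI keeps every other CRS rule group inspecting
    # these parameters; an exclusion created without -ExclusionManagedRuleSet is global.
    param(
        [Parameter(Mandatory)] [string]$PolicyName,
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [object[]]$Plan,
        [string]$RuleGroupName  = 'REQUEST-942-APPLICATION-ATTACK-SQLI',
        [string]$RuleSetType    = 'OWASP',
        [string]$RuleSetVersion = '3.2'
    )
    $group   = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -RuleGroupName $RuleGroupName
    $ruleSet = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet -RuleSetType $RuleSetType `
                   -RuleSetVersion $RuleSetVersion -RuleGroup $group

    $new = foreach ($item in $Plan) {
        New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable 'RequestArgNames' `
            -SelectorMatchOperator $item.Operator -Selector $item.Selector -ExclusionManagedRuleSet $ruleSet
    }

    $policy   = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    $existing = @($policy.ManagedRules.Exclusions | Where-Object { $_ })   # may be $null/empty on a fresh policy
    # Rebuild the managed-rules block with the union, keeping rule sets and existing exclusions intact.
    $policy.ManagedRules = New-AzApplicationGatewayFirewallPolicyManagedRule `
        -ManagedRuleSet $policy.ManagedRules.ManagedRuleSets -Exclusion ($existing + @($new))
    Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
}

# Offline part: which parameters were blocked and how few selectors cover them.
$blocked = Get-BlockedArgName -DetailsLines $SampleDetails
$plan    = Get-ExclusionPlan -ArgNames $blocked
$plan.Exclusions | Format-Table Operator, Selector, @{ n = 'Covers'; e = { $_.Covers -join ', ' } }
if ($plan.Unmatched.Count) { Write-Warning "Review and add explicitly: $($plan.Unmatched -join ', ')" }

# Live part (needs Az.Network and a signed-in session); uncomment to apply:
# Add-ScopedWafExclusion -PolicyName '<policy-name>' -ResourceGroupName '<rg-name>' -Plan $plan.Exclusions
```

Two caveats when widening selectors this way. Azure WAF exclusions accept Equals, Contains, StartsWith, EndsWith and EqualsAny as match operators, not regular expressions, so the patterns have to be expressed as prefixes or suffixes. And a RequestArgNames exclusion stops the matched rules from inspecting the value of every argument whose name matches: a StartsWith "__" selector for __VIEWSTATE also covers __EVENTTARGET and __EVENTARGUMENT, whose values are attacker-controlled and are routinely read by ASP.NET server code, which is why the example scopes each exclusion to the single rule group that produced the false positives rather than to the whole rule set.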
