Exclude/exempt specific IP from WAF managed rules

Question

Exclude/exempt specific IP from WAF managed rules

WinTechie 286

Hi,

I have an application hosted on Azure WAFV2, I need to define an exclusion using client IP address.
Basically any request coming from that IP should not be examined against OWASP 3.2 managed rules. I tried defining exclusions but IP specific option isn't available.

Could anyone assist!

eenchev 0 Reputation points

2025-06-03T13:45:51.3233333+00:00

Hi,

Custom rules are great if you want to bypass an IP address or IP suffix entirely from all waf checks using the allow action.

Is there a possibility to make exclusions only for certain rule ids/groups. For example if we have some scripts being detected as malicious since they do not comply fully with protocol validation rules. Can I disable rule for traffic coming from particular IP range or make an exclusion?
KapilAnanth-MSFT 49,646 Reputation points Microsoft Employee Moderator

2025-06-05T08:54:00.5133333+00:00
Hi eenchev,

Greetings,

1.You can consider disabling the rules.

See : Disable rule groups and rules

or 2.You can create exclusions based on request attributes

See : Identify request attributes to exclude

In either case, you will not be able to use the Client IP as a filter. If your requirement is to whitelist/block a particular IP or IP Range, then you should consider Custom Rules only.

Cheers,

Kapil

1 answer

Your answer

eenchev 0 Reputation points

2025-06-03T13:45:51.3233333+00:00

Hi,

Custom rules are great if you want to bypass an IP address or IP suffix entirely from all waf checks using the allow action.

Is there a possibility to make exclusions only for certain rule ids/groups. For example if we have some scripts being detected as malicious since they do not comply fully with protocol validation rules. Can I disable rule for traffic coming from particular IP range or make an exclusion?
KapilAnanth-MSFT 49,646 Reputation points Microsoft Employee Moderator

2025-06-05T08:54:00.5133333+00:00

Hi eenchev,

Greetings,

1.You can consider disabling the rules.

See : Disable rule groups and rules

or 2.You can create exclusions based on request attributes

See : Identify request attributes to exclude

In either case, you will not be able to use the Client IP as a filter. If your requirement is to whitelist/block a particular IP or IP Range, then you should consider Custom Rules only.

Cheers,

Kapil

Answer 1

KapilAnanth-MSFT 49,646 Microsoft Employee Moderator

Hi @WinTechie ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to configure your WAF to not examine managed rules for a custom IP.

You can leverage Custom Rules to achieve this.
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

Please let me know if this helps.

Cheers,
Kapil.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

WinTechie 286 Reputation points

2022-08-19T13:14:26.11+00:00

Hi,

I am little doubtful if given solution will actually exempt all managed rulesets, as far as I know, suggested option is JUST to either deny OR allow access to configured IPs for hosted apps/urls.

My concern was about excluding traffic inspection by OWASP3.2 rules for request/traffic coming from a particular client IP.

I tried looking at exclusions but it only provides exclusions for following:
request header name/value/key, request cookie name/value/key etc.
KapilAnanth-MSFT 49,646 Reputation points Microsoft Employee Moderator

2022-08-19T14:06:04.45+00:00

Hi @WinTechie ,

Custom Rules have a high priority than managed rulesets.
This means, that once a rule is matched(from CustomRules), no more rule processing will happen (rules from managed ruleset won't be processed)

So, if we configure "Allow" for a RemoteAddr, then traffic will be sent to the backend.

You can try configuring this in a Lab/Test/Dev Environment, should you face any challenges, I can address them.

Cheers,
Kapil.

----------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
WinTechie 286 Reputation points

2022-08-22T10:30:41.85+00:00

Hi,

This seems logical! Let me try to validate it through some ways.
Thanks!
eenchev 0 Reputation points

2025-06-03T14:35:26.8766667+00:00

Hi,

Custom rules are great if you want to bypass an IP address or IP suffix entirely from all waf checks using the allow action.

Is there a possibility to make exclusions only for certain rule ids/groups. For example if we have some scripts being detected as malicious since they do not comply fully with protocol validation rules. Can I disable rule for traffic coming from particular IP range or make an exclusion?

Share via

Exclude/exempt specific IP from WAF managed rules

1 answer

Your answer