I'm considering adding some custom rules to my Application Gateway WAF policy to exclude certain URIs from specific OWASP SQL injection checks. We're facing a lot of false positives and want to reduce these by adjusting the rules. My main concern is that implementing custom rules might require checking every request against them, which could become computationally expensive. I haven't found much information about this in the documentation, so I'm curious if anyone has had experience with this and whether it poses significant performance issues. Thanks for any insights!
4 Answers
It's generally an all-or-nothing situation with custom rules; if a custom rule applies, it excludes the request from any managed rules. However, as far as costs go, I believe requests are counted as a single charge no matter how many rules they go through. Just keep in mind that the pricing calculator usually just considers the total number of requests you make.
Check out the Azure pricing calculator for detailed estimates on costs: https://azure.microsoft.com/en-in/pricing/calculator/
I'm a bit confused about what you mean by computationally expensive. To my knowledge, implementing custom rules doesn't noticeably increase the costs, and any impact on performance is usually minor. We’ve set up a bunch of custom exceptions and tailored them to specific traffic elements. For instance, if JSON data is present, we ignore SQL rules. This method takes more effort to sift through logs, but we haven't encountered any significant performance issues.
Creating custom rules will actually bypass any managed rules you have in place. If you're facing a lot of false positives, it might be better to create exclusions for the managed rules instead. This approach uses expressions based on request arguments or cookies, which could save you from unnecessary work.
I started experimenting with managed rule exclusions and found that I could effectively reduce false flags by excluding certain argument names. It worked out great, thanks!