Summary
By default, Azure Application Gateway Web Application Firewall (WAF) uses anomaly scoring if you enable the OWASP Core Rule Set (CRS). If you use anomaly scoring, the WAF doesn't block requests immediately when a single rule matches, even if you configure the WAF policy in Prevention mode.
This article explains anomaly scoring behavior and clarifies the scenarios in which rule ID 949110 blocks traffic.
For general WAF troubleshooting guidance, see Troubleshoot WAF for Azure Application Gateway.
Prerequisites
- An Azure Application Gateway that has WAF enabled
- OWASP CRS configured
- WAF diagnostic logs that are enabled and sent to Log Analytics
How anomaly scoring works
Each OWASP rule ID has an associated severity that contributes to an overall anomaly score.
When the cumulative anomaly score reaches 5 or greater, one of the following actions occurs:
- Prevention mode: The request is blocked
- Detection mode: The request is logged but not blocked
For example:
- A single Critical rule ID match increases the anomaly score to 5. This score is sufficient to block the request in Prevention mode.
- A Warning rule ID match increases the anomaly score by 3. This score isn't enough on its own to block the request.
If a rule that contributes to anomaly scoring is triggered, the rule is identified in the logs as Action = Matched.
If the total anomaly score reaches the blocking threshold, another rule is triggered and marked as Action = Blocked or Detected, depending on the WAF mode.
Mandatory rule triggered (rule ID: 949110)
When you review WAF logs, you might see that traffic appears as blocked by mandatory rule ID 949110. You can't disable a mandatory rule.
Rule ID 949110 doesn't represent a specific attack signature. Instead, it enforces the final block when the cumulative anomaly score reaches the configured threshold.
This behavior often causes users to try to disable rule ID 949110 as a workaround. However, because rule ID 949110 is a mandatory evaluation rule, it doesn't appear as a configurable rule in the WAF policy.
Identify the rule that caused the block
To determine which rules contributed to the issue that triggered rule ID 949110, follow these steps:
- Filter the WAF logs by hostname and Action = Blocked.
- From the blocked entry, note the transaction ID value.
- Remove the Blocked filter, and search for logs that contain the same transaction ID value.
- Identify the rule IDs that are listed in the Matched action.
These matched rules are the rules that contributed to the anomaly score that caused the block.
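The following script is an added example, not code from the article or from Azure, that carries out the four steps above against a handful of constructed log records and reconstructs the anomaly score that made rule 949110 fire. The record field names (hostname, transactionId, ruleId, action, severity) and the sample rule severities are assumptions standing in for the WAF diagnostic log columns; the Error=4 and Notice=2 scores are the standard OWASP CRS values, which the article does not list.

```python
"""Correlate WAF log entries (constructed samples) to find the Matched rules
whose anomaly scores added up to a rule 949110 block."""

# Score each severity adds. Critical=5 and Warning=3 are stated on the page;
# Error=4 and Notice=2 are the standard OWASP CRS values.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5  # cumulative score at which 949110 fires

# Constructed sample records, not real gateway output. Field names are
# simplified stand-ins for the hostname / transaction ID / rule ID / action
# columns the page refers to; the severities are part of the sample.
SAMPLE_LOGS = [
    {"hostname": "app.example.test", "transactionId": "tx-1", "ruleId": "942100", "action": "Matched", "severity": "Critical"},
    {"hostname": "app.example.test", "transactionId": "tx-1", "ruleId": "949110", "action": "Blocked", "severity": ""},
    # One Warning match (score 3): logged as Matched only, never reaches 5.
    {"hostname": "app.example.test", "transactionId": "tx-2", "ruleId": "920350", "action": "Matched", "severity": "Warning"},
    # Two Warning matches (3 + 3 = 6) cross the threshold together.
    {"hostname": "app.example.test", "transactionId": "tx-3", "ruleId": "920350", "action": "Matched", "severity": "Warning"},
    {"hostname": "app.example.test", "transactionId": "tx-3", "ruleId": "920230", "action": "Matched", "severity": "Warning"},
    {"hostname": "app.example.test", "transactionId": "tx-3", "ruleId": "949110", "action": "Blocked", "severity": ""},
    # Other hostname: excluded by the hostname filter in step 1.
    {"hostname": "other.example.test", "transactionId": "tx-4", "ruleId": "949110", "action": "Blocked", "severity": ""},
]

def blocked_transactions(logs, hostname):
    """Steps 1-2: filter by hostname and Action = Blocked, collect transaction IDs."""
    return sorted({r["transactionId"] for r in logs
                   if r["hostname"] == hostname and r["action"] == "Blocked"})

def contributing_rules(logs, transaction_id):
    """Steps 3-4: every Matched rule sharing the transaction ID, with the score
    it added. The Blocked 949110 entry itself is not a contributor."""
    return [(r["ruleId"], SEVERITY_SCORE.get(r["severity"], 0))
            for r in logs
            if r["transactionId"] == transaction_id and r["action"] == "Matched"]

def explain_blocks(logs, hostname):
    """Map each blocked transaction to its contributing rules and total score.
    anomaly_block=False means the Matched entries found do not account for the
    block, so widen the search (time window, other log sources) before tuning."""
    report = {}
    for tx in blocked_transactions(logs, hostname):
        rules = contributing_rules(logs, tx)
        total = sum(score for _, score in rules)
        report[tx] = {"rules": rules, "score": total,
                      "anomaly_block": total >= BLOCK_THRESHOLD}
    return report
```

In Log Analytics the same correlation is a query over the WAF diagnostic table keyed on the transaction ID; the rules the report lists per transaction are the ones to tune in the Resolution section rather than 949110 itself.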
Resolution
After you identify the contributing rules, take one of the following actions:
- Disable the specific rule (if supported).
- Create a custom WAF rule.
- Configure a WAF exclusion to allow expected traffic.
Don't try to disable rule ID 949110 directly because it's a mandatory enforcement rule and it can't be modified.