End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Request Body Inspection for the Associated WAF Policy


Risk Level: High (not acceptable risk)
Rule ID: ApplicationGateway-003

Ensure that Request Body Inspection is enabled for the Web Application Firewall (WAF) policy associated with your Azure Application Gateway in order to protect against web attacks such as SQL injection and cross-site scripting hidden within the HTTP request body.

Security

Enabling the Request Body Inspection feature for the WAF policy associated with your Azure Application Gateway blocks attacks embedded within the HTTP request body (such as SQL Injection or Cross-Site Scripting payloads carried in POST data) that would otherwise pass a WAF inspecting only headers, cookies, and the URI. This type of inspection also aids in achieving compliance with standards such as PCI-DSS and HIPAA, which require application-layer protection against web vulnerabilities.


Audit

To determine if Request Body Inspection is enabled for the WAF policy configured for your Azure Application Gateway, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

  5. Click on the name (link) of the Azure Application Gateway that you want to examine.

  6. In the resource navigation panel, under Settings, select Web application firewall to examine the WAF security policy configured for the selected Application Gateway.

  7. In the Associated web application firewall policy section, click on the name (link) of the WAF security policy associated with your Application Gateway to access the policy configuration.

  8. In the WAF policy navigation panel, under Settings, choose Policy settings, and check the Enforce request body inspection setting to determine the operational state of the Request Body Inspection feature. If the Enforce request body inspection setting checkbox is unchecked, Request Body Inspection is not enabled for the Web Application Firewall (WAF) policy associated with your Azure Application Gateway.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
    	--query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set \
    	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run network application-gateway list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Application Gateway available in the selected subscription:

    az network application-gateway list \
    	--query '[*].id'
    
  5. The command output should return the requested Application Gateway IDs:

    [
    	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway",
    	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-prod-stack-application-gateway"
    ]
    
  6. Run network application-gateway show command (Windows/macOS/Linux) with the ID of the Azure Application Gateway that you want to examine as the identifier parameter (--ids) and custom output filters to describe the ID of the WAF security policy associated with the selected Application Gateway:

    az network application-gateway show \
    	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway" \
    	--query '{firewallPolicy:firewallPolicy.id}'
    
  7. The command output should return the requested WAF policy ID. If the network application-gateway show command output returns null for "firewallPolicy", there are no WAF policies associated with your resource, therefore, Azure Web Application Firewall is not enabled for the selected Application Gateway. If the ID of the WAF policy is returned, as shown in the example below, continue the Audit process with the next step:

    {
    	"firewallPolicy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy"
    }
    
  8. Run network application-gateway waf-policy show command (Windows/macOS/Linux) to determine the operational state of the Request Body Inspection feature within the associated WAF policy settings. For --name, use the WAF policy name, i.e. the last segment of the resource ID returned in the previous step ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<waf-policy-name>"), and for --resource-group use the <resource-group> segment of the same ID:

    az network application-gateway waf-policy show \
    	--name cc-app-gateway-waf-policy \
    	--resource-group cloud-shell-storage-westeurope \
    	--query "policySettings.requestBodyCheck"
    
  9. The command output should return the feature status (true for enabled, false for disabled):

    false
    
If the network application-gateway waf-policy show command output returns false, as shown in the example above, Request Body Inspection is not enabled for the Web Application Firewall (WAF) policy associated with your Azure Application Gateway.

Remediation / Resolution

To enable Request Body Inspection for the Web Application Firewall (WAF) policy associated with your Microsoft Azure Application Gateway, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

  5. Click on the name (link) of the Azure Application Gateway that you want to configure.

  6. In the resource navigation panel, under Settings, select Web application firewall to access the WAF security policy configured for the selected Application Gateway.

  7. In the Associated web application firewall policy section, click on the name (link) of the WAF security policy associated with your Application Gateway.

  8. In the WAF policy navigation panel, under Settings, choose Policy settings to access the policy configuration settings.

  9. Check the Enforce request body inspection setting checkbox to enable the Request Body Inspection feature and provide a value for the Maximum request body inspection limit (KB). Maximum request body inspection limit controls how many bytes of an HTTP request body a Web Application Firewall (WAF) will inspect and apply its security rules to. The default value is 128 KB. Choose Save to apply the configuration changes.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
    	--query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set \
    	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run network application-gateway waf-policy update command (Windows/macOS/Linux) to enable the Request Body Inspection feature for the Web Application Firewall (WAF) policy associated with the selected Azure Application Gateway. (Optional) Add the requestBodyInspectLimitInKB parameter value to the command request if you want to set the maximum request body inspection limit (in KB). If requestBodyInspectLimitInKB is not specified, the default value is 128 KB:

    az network application-gateway waf-policy update \
    	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy" \
    	--policy-settings "{requestBodyCheck:true,requestBodyInspectLimitInKB:128}"
    
  5. The command output should return the configuration information available for the associated WAF policy:

    {
    	"customRules": [],
    	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy",
    	"location": "westeurope",
    	"managedRules": {
    		"exclusions": [],
    		"managedRuleSets": [
    			{
    				"ruleGroupOverrides": [],
    				"ruleSetType": "OWASP",
    				"ruleSetVersion": "3.2"
    			}
    		]
    	},
    	"name": "cc-app-gateway-waf-policy",
    	"policySettings": {
    		"fileUploadEnforcement": true,
    		"fileUploadLimitInMb": 100,
    		"maxRequestBodySizeInKb": 128,
    		"mode": "Detection",
    		"requestBodyCheck": true,
    		"requestBodyEnforcement": true,
    		"requestBodyInspectLimitInKB": 128,
    		"state": "Enabled"
    	},
    	"provisioningState": "Updating",
    	"resourceGroup": "cloud-shell-storage-westeurope",
    	"tags": {},
    	"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
    }
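
The Azure CLI audit steps above (list gateways, resolve the associated WAF policy, read policySettings.requestBodyCheck) and the remediation update can be scripted so that every Application Gateway in a subscription is checked in one pass. The script below is an added example written for this page; it is not Trend Micro Conformity's or Microsoft's code. It assumes the Azure CLI (az) is installed and signed in, and uses only the az commands and query paths shown on this page. The rule logic is kept in plain functions so it can be run offline against the constructed sample data at the bottom, which mirrors the shape of the CLI output on this page and does not describe real resources.

```python
"""Audit (and optionally remediate) Request Body Inspection on the WAF policy of
every Azure Application Gateway in a subscription. Added example; assumes `az`
is on PATH and already signed in."""
import json
import subprocess
import sys
from dataclasses import dataclass

DEFAULT_LIMIT_KB = 128  # default inspection limit quoted on the page
WAF_POLICY_TYPE = "ApplicationGatewayWebApplicationFirewallPolicies"


def az(*args):
    """Run one Azure CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def parse_waf_policy_id(policy_id):
    """Split a WAF policy resource ID into (resource_group, policy_name), the two
    values `waf-policy show` needs (Audit step 8 on the page)."""
    parts = policy_id.strip("/").split("/")
    if len(parts) < 2 or parts[-2] != WAF_POLICY_TYPE or "resourceGroups" not in parts:
        raise ValueError(f"not a WAF policy resource ID: {policy_id}")
    return parts[parts.index("resourceGroups") + 1], parts[-1]


@dataclass
class Finding:
    gateway: str
    status: str  # "PASS", "FAIL" or "NO_WAF_POLICY"
    detail: str


def evaluate_gateway(gateway_id, firewall_policy_id, policy_settings):
    """Pure rule logic mirroring Audit steps 7-9: no associated policy means WAF
    is off; requestBodyCheck not true means the request body is never inspected."""
    name = gateway_id.rstrip("/").split("/")[-1]
    if not firewall_policy_id:
        return Finding(name, "NO_WAF_POLICY", "no WAF policy associated with the gateway")
    if policy_settings.get("requestBodyCheck") is not True:
        return Finding(name, "FAIL", "policySettings.requestBodyCheck is not true")
    limit = policy_settings.get("requestBodyInspectLimitInKB", DEFAULT_LIMIT_KB)
    return Finding(name, "PASS", f"request body inspected up to {limit} KB")


def audit_subscription(subscription_id):
    """Live audit: walks Audit steps 3-9 for every gateway in one subscription."""
    az("account", "set", "--subscription", subscription_id)
    query = "[*].{id:id, firewallPolicy:firewallPolicy.id}"
    findings = []
    for gw in az("network", "application-gateway", "list", "--query", query) or []:
        policy_id = gw.get("firewallPolicy")
        settings = {}
        if policy_id:
            rg, name = parse_waf_policy_id(policy_id)
            settings = az("network", "application-gateway", "waf-policy", "show",
                          "--name", name, "--resource-group", rg,
                          "--query", "policySettings") or {}
        findings.append(evaluate_gateway(gw["id"], policy_id, settings))
    return findings


def remediation_command(policy_id, limit_kb=DEFAULT_LIMIT_KB):
    """argv for Remediation step 4 (waf-policy update with the --policy-settings
    shorthand), returned rather than executed so it can be reviewed first."""
    shorthand = f"{{requestBodyCheck:true,requestBodyInspectLimitInKB:{int(limit_kb)}}}"
    return ["az", "network", "application-gateway", "waf-policy", "update",
            "--ids", policy_id, "--policy-settings", shorthand]


def remediate(policy_id, limit_kb=DEFAULT_LIMIT_KB):
    """Apply the update and confirm the returned policySettings reflect it."""
    result = az(*remediation_command(policy_id, limit_kb)[1:])
    return result["policySettings"].get("requestBodyCheck") is True


# Constructed sample data shaped like the CLI output on the page (not real resources).
_NS = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
       "cloud-shell-storage-westeurope/providers/Microsoft.Network")
SAMPLE_GATEWAYS = [
    {"id": f"{_NS}/applicationGateways/cc-project5-application-gateway",
     "firewallPolicy": f"{_NS}/{WAF_POLICY_TYPE}/cc-app-gateway-waf-policy"},
    {"id": f"{_NS}/applicationGateways/cc-prod-stack-application-gateway",
     "firewallPolicy": None},
]
SAMPLE_POLICY_SETTINGS = {
    "cc-app-gateway-waf-policy": {"requestBodyCheck": False, "requestBodyInspectLimitInKB": 128},
}


def audit_samples():
    """Offline run of the rule logic over the constructed sample data."""
    findings = []
    for gw in SAMPLE_GATEWAYS:
        settings = {}
        if gw["firewallPolicy"]:
            settings = SAMPLE_POLICY_SETTINGS[parse_waf_policy_id(gw["firewallPolicy"])[1]]
        findings.append(evaluate_gateway(gw["id"], gw["firewallPolicy"], settings))
    return findings


if __name__ == "__main__":
    # With a subscription ID argument the live audit runs; without one, the sample data.
    results = audit_subscription(sys.argv[1]) if len(sys.argv) > 1 else audit_samples()
    for f in results:
        print(f"{f.status:14} {f.gateway}: {f.detail}")
```

Run it with no arguments to see the sample findings (one FAIL, one NO_WAF_POLICY), or pass a subscription ID to audit real gateways. A NO_WAF_POLICY result is reported separately from FAIL because it points at a missing WAF rather than a policy setting, and remediation_command is only meaningful once a policy exists to update.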
    


Publication date Nov 7, 2025