You can configure certain requests to bypass WAF.

The following are a few ways to bypass WAF:

Through Content Length

WAF can be bypassed if the content length is greater than the defined value.

Custom Rule Syntax:

SecRule 'Variable:"value"' "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"

Example:

In this example, if the value of the Content-Length header is greater than 1048576, the request skips WAF.

SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"

Through Chunked Transfer Encoding

WAF can be bypassed based on the transfer encoding type.

Custom Rule Syntax:

SecRule 'Variable "@match criteria"'""

Partial buffering for chunked-encoded payload is supported. The remaining payload is streamed while maintaining the original chunk boundaries sent from the client.

Example:

In this example, if the transfer encoding of the request is chunked, the request skips WAF.

SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "phase:1,id:4000101,nolog,pass,ctl:ruleEngine=off"

Based on Specific Patterns of the Requested Path

WAF can be bypassed according to certain patterns of the requested path.

Custom Rule Syntax:

SecRule 'Variable:"value"' "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"

Example:

In this example, any request whose URI begins with the string /IDMProv/login.do will bypass WAF.

SecRule REQUEST_URI "@beginsWith /IDMProv/login.do" "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"
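
To review which requests a set of bypass rules excludes from inspection, the following added example (not part of the original page or of the product) parses the three example rules above and reports which rule, if any, would turn the rule engine off for a given request. The function names and the request dictionary shape are assumptions, and the operator handling is a simplified model of @gt, @contains and @beginsWith.

```python
import shlex

# The three example rules from this page, written with straight quotes.
RULES = '''
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"
SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "phase:1,id:4000101,nolog,pass,ctl:ruleEngine=off"
SecRule REQUEST_URI "@beginsWith /IDMProv/login.do" "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"
'''
SAMPLE = {"uri": "/IDMProv/login.do?lang=en", "headers": {"Content-Length": "120"}}  # constructed

def parse_bypass_rules(text):
    """Return every SecRule whose action list contains ctl:ruleEngine=off."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)          # honours the double-quoted fields
        if len(parts) != 4 or parts[0] != "SecRule":
            continue
        actions = parts[3].split(",")
        if "ctl:ruleEngine=off" in actions:
            op, _, arg = parts[2].partition(" ")
            rule_id = next(a[3:] for a in actions if a.startswith("id:"))
            rules.append({"id": rule_id, "var": parts[1], "op": op, "arg": arg})
    return rules

def lookup(variable, request):
    """Resolve REQUEST_URI or REQUEST_HEADERS:<name> in a request dict."""
    if variable == "REQUEST_URI":
        return request["uri"]
    _, _, name = variable.partition(":")
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(name.lower())

def matches(rule, value):
    """Simplified model of the three operators used on this page."""
    if value is None:
        return False
    if rule["op"] == "@gt":
        return value.isdigit() and int(value) > int(rule["arg"])
    if rule["op"] == "@contains":
        return rule["arg"] in value
    return rule["op"] == "@beginsWith" and value.startswith(rule["arg"])

def bypassing_rule(request, rules):
    """Id of the first rule that would turn the engine off, or None."""
    for rule in rules:
        if matches(rule, lookup(rule["var"], request)):
            return rule["id"]
    return None
```

Because REQUEST_URI includes the query string and @beginsWith is a prefix match, the constructed SAMPLE request is excluded by rule 4000102 even though its body is small and not chunked.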