WAF policy custom rule, for each condition, the limitation of match values

Hi @Elisa,

Thank you for reaching out on Microsoft Q&A forum.

As you stated the the limitation for match values in each condition of a WAF (Web Application Firewall) custom rule is 10 according to Microsoft documentation.

Even though you may be able to update and supply more than 10 values by using Azure PowerShell (AzPowershell), only the first 10 match values per condition are supported and will actually take effect. Any additional match values beyond the documented limit may not be honored by the WAF engine, potentially resulting in unpredictable operation or ignored values.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits

You can use the below Azure CLI command to list match conditions and see what match values are currently considered in a WAF policy custom rule.

1.To list the match conditions associated with a custom rule in an Application Gateway WAF policy, the command is:

az network application-gateway waf-policy custom-rule match-condition list --resource-group <ResourceGroupName> --policy-name <WafPolicyName> --name <CustomRuleName>

2.For Azure Front Door WAF policies, this related command lists match conditions of a custom rule:

az network front-door waf-policy rule match-condition list --resource-group <ResourceGroupName> --policy-name <WafPolicyName> --name <CustomRuleName>

Refer:https://learn.microsoft.com/en-us/cli/azure/network/front-door/waf-policy/rule/match-condition?view=azure-cli-latest#az-network-front-door-waf-policy-rule-match-condition-list

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.