I've seen legitimate ecommerce transactions blocked because a WAF rejected the customer's address containing the word "Union" (which is also an SQL keyword).
I know of at least one Azure Application Gateway (which is a WAF) where the company-wide policy is to enable all the rules, even the ones Microsoft says not to enable.
This results in fun debugging sessions for issues, where random requests are blocked, also often redirects from Azure AD logins where it apparently triggers on the JWT token.