shanhix1 · Oct 24, 2018
diff --git a/‎articles/application-gateway/application-gateway-waf-configuration.md
Lines changed: 6 additions & 1 deletion b/‎articles/application-gateway/application-gateway-waf-configuration.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎articles/application-gateway/media/application-gateway-waf-configuration/waf-exclusion.png
110 KB b/‎articles/application-gateway/media/application-gateway-waf-configuration/waf-exclusion.png
110 KB
diff --git a/‎articles/application-gateway/media/application-gateway-waf-configuration/waf-requestsizelimit.png
109 KB b/‎articles/application-gateway/media/application-gateway-waf-configuration/waf-requestsizelimit.png
109 KB
@@ -5,7 +5,7 @@ services: application-gateway
 author: vhorne
 ms.service: application-gateway
 ms.workload: infrastructure-services
-ms.date: 10/11/2018
+ms.date: 10/25/2018
 ms.author: victorh
 
 ---
@@ -18,6 +18,9 @@ The Azure Application Gateway web application firewall (WAF) provides protection
 > Configuration of WAF request size limits and exclusion lists is currently in public preview. This preview is provided without a service level agreement and isn't recommended for production workloads. Certain features may not be supported or may have constrained capabilities. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
 
 ## WAF request size limits
+
+![Request size limits](media/application-gateway-waf-configuration/waf-requestsizelimit.png)
+
 Web Application Firewall allows users to configure request size limits within lower and upper bounds. The following two size limits configurations are available:
 
 - The maximum request body size field is specified in KBs and controls overall request size limit excluding any file uploads. This field can range from 1-KB minimum to 128-KB maximum value. The default value for request body size is 128 KB.
@@ -27,6 +30,8 @@ WAF also offers a configurable knob to turn the request body inspection on or of
 
 ## WAF exclusion lists
 
+![waf-exclusion.png](media/application-gateway-waf-configuration/waf-exclusion.png)
+
 WAF exclusion lists allow users to omit certain request attributes from a WAF evaluation. A common example is Active Directory inserted tokens that are used for authentication or password fields. Such attributes are prone to contain special characters that may trigger a false positive from the WAF rules. Once an attribute is added to the WAF exclusion list, it isn't taken into consideration by any configured and active WAF rule. Exclusion lists are global in scope.
 You can add request headers, request body, request cookies, or request query string arguments to WAF exclusion lists. If the body has form data or XML/JSON (key value pairs) then request attribute exclusion type can be used.