Updated March 10, 2023
Introduction to Azure WAF
Azure WAF (Web Application Firewall) provided on Azure Application Gateway delivers integrated security of the web applications from shared exploits and susceptibilities. Since web applications are targeted progressively by spiteful attacks which exploit usually known vulnerabilities. Amid the most mutual, major attacks are cross-site scripting and SQL injection. From the OWASP (Open Web Application Security Project), WAF on Application Gateway is generally based on the CRS (Core Rule Set) 3.1, 3.0 or, 2.2.9. Therefore, a WAF policy is required to allow a Web Application Firewall on Application Gateway, including complete organized rules, exclusions, custom rules, and customizations like file upload limit.
Create Azure WAF
We can create Azure WAF using three various techniques:
- Azure Application Gateway: Helps to balance the load of Web traffic, which allows handling traffic to web apps.
- Azure Front Door: Centralized security, global, scalable entry-point which implements the Microsoft global edge network for designing quick, secure, and broadly scalable web applications.
- Azure CDN (Content Delivery Network): Provides a global CDN solution to offer high-bandwidth content and can be hosted either in Azure or any different location.
Example Commands of Azure WAF
For configuring Azure WAF, the below commands can be applied but only to application gateways having an SKU kind of WAF:
- az network application-gateway waf-config list-rule-sets: Provides info on existing WAF rules sets, rule IDs, and rule groups.
- az network application-gateway waf-config set: For updating the firewall arrangement of a web application.
- az network application-gateway waf-config show: To receive the configuration of a firewall of a web application.
- azure-waf-policies-get: Helps to recover protection policies inside a resource cluster. E.g. !azure-waf-policies-get limit=1.
- azure-waf-policies-list-all-in-subscription: Regains entire WAF policies in a provided subscription. The command example can be: !azure-waf-policies-list-all-in-subscription limit=3.
- azure-waf-policy-update-or-create: It creates or updates a specific policy having a particular rule set name inside a resource cluster.
- Azure-waf-policy-delete: Removes an existing policy.
- Azure-waf-auth-start: Begins the authorization process and follows the instructions in the command outcomes.
- Azure-waf-auth-complete: Helps to achieve the authorization process.
- Azure-waf-auth-reset: To repeat the authorization process.
- Azure-waf-auth-test: Checks connectivity.
Benefits of Azure WAF
Given below are the basic benefits which WAF on the Application Gateway offers are mentioned as follows:
- Without alteration to back-end code, secure the web applications from web susceptibilities and attacks.
- Safeguard various web applications at an identical time. An illustration of Application Gateway is able to host up to 40 websites that are secured by a web application firewall.
- Design custom WAF strategies for various sites behind the matching WAF.
- Secure your web applications from malicious bots, including the IP Reputation rule set.
- Observe attacks against any web applications by means of a real-time WAF log. The log is included with the Azure Monitor for tracing WAF alerts and monitor tendencies simply.
- The Application Gateway WAF is integrated with having Azure Security Center that delivers a significant opinion of the security state of entire Azure assets.
- To suit the application necessities and remove false positives, customize WAF rules and rule groups.
- Relate a WAF Policy for every site behind the WAF to agree for site-specific arrangement.
- Design custom rules to suit the requirements of the application.
Some of the features of Azure WAF are as follows:
- Protection against cross-site scripting.
- Defense against SQL injection.
- Protection against HTTP protocol violations.
- Defense against crawlers and scanners.
- Protection against HTTP protocol differences like absent host user-agent and agree on headers.
- Protection against a few mutual web attacks like command injection, HTTP response splitting, remote file inclusion, and HTTP request smuggling.
- Detection of shared application misconfigurations such as IIS and Apache.
- Configuration request size limits, including lower and upper bounds.
- Design custom rules that suit the particular necessities of the applications.
- Exclusion lists allow you to ignore definite request elements from WAF estimation. A mutual instance can be Active Directory injected tokens which are implemented for verification or password fields.
- Geo-filter traffic to permit or block assured regions/countries from the attainment of access to the applications.
- Secure your applications having the bot mitigation rule set from bots.
- Insert XML and JSON in the request body.
Rules of Azure WAF
For enabling a WAF on Application Gateway, the user should design a WAF policy for protection that consists of two kinds of security rules, such as the entire managed rules and custom rules and exclusions with other customizations like file upload. This WAF policy linked to a web application can be at a per-URI level, global level, and per-site level.
In case if both are available, then the custom rules will only be handled before handling the rules in a managed rule set. We can define a rule as a composition of a match condition, a priority, and an action. The types of action supported are LOG, BLOCK, and ALLOW. Here, priority states a distinct integer that outlines the order of rules to be processed. A smaller integer value denotes higher priority, and those rules are calculated first before the rules having a higher integer value. After matching, the action is performed, whereas the lower priority rules will not be managed further.
- Core rule sets: Application Gateway provisions three rule sets named: CRS 2.2.9, CRS 3.0, and CRS 3.1. These rules secure the web applications from spiteful action.
- Custom rule: Application Gateway even supports custom rules using which one can develop own rules that are calculated for every request, which permits by means of WAF. Here, these rules possess a greater priority than the rest of the rules in the organized rule sets. An action is occupied to permit or block if an agreed set of conditions is encountered. The GeoMatch operator is currently accessible for custom rules.
Azure WAF Modes
The WAF on Application Gateway can be set up to execute in the succeeding two modes:
- Detection mode: In the Diagnostics section, the operator goes on logging diagnostics for Application Gateway. Monitors and logs wholly threat alerts. WAF log is nominated with turned on mode should be made confirmed. While executing in Detection mode, WAF will not block the incoming requests.
- Prevention mode: It blocks intrusions and also attacks which the rules detect. The connection will be terminated when the attacker gets an exception of “403 unauthorized access”. Such an attack is recorded in the WAF logs in the Prevention mode.
- Annotation: You must execute a newly installed Azure WAF in a production environment for a short period of time in Detection mode. This offers the opening to acquire firewall logs and modify any exceptions or custom rules preceding to transition to the Prevention mode, which aids to decrease the happening of unpredicted blocked traffic.
Azure WAF is a cloud-native service that safeguards web apps from shared web-hacking methods like SQL Injection and security exposure like cross-site scripting. You can just install this Azure service in minutes to receive the entire reflectiveness into the environment and block the mischievous attack before it arrives on our servers.
This is a guide to Azure WAF. Here we discuss the introduction, create azure WAF, example commands, benefits, features, rules, and modes. You may also have a look at the following articles to learn more –