Azure WAF (Web Application Firewall) on Azure Application Gateway provides integrated protection of web applications against common attacks and vulnerabilities. Since web applications are increasingly being targeted by malicious attempts that exploit commonly known vulnerabilities. Cross-site scripting and SQL injection are two of the most common and serious threats. WAF on Application Gateway is often based on the CRS (Core Rule Set) 3.1, 3.0, or 2.2.9, according to the OWASP (Open Web Application Security Project). As a result, a WAF policy, containing comprehensive ordered rules, exclusions, custom rules, and customizations such as file upload limit, is necessary to enable a Web Application Firewall on Application Gateway.
Make an Azure WAF
We can create Azure WAF using three different methods:
- Azure Application Gateway: Assists in balancing the strain of Web traffic, allowing traffic to web apps to be handled.
- Azure Front Door: A centralized security, global, scalable entry-point that uses the Microsoft global edge network to build fast, secure, and extensively scalable online applications.
- Azure CDN (Material Delivery Network): Provides a global CDN solution for high-bandwidth content that can be hosted in Azure or elsewhere.
Azure WAF Command Examples
The following commands can be used to configure Azure WAF, but only on application gateways with an SKU type of WAF:
- az network application-gateway waf-config list-rule-sets: This command displays information about existing WAF rule sets, rule IDs, and rule groups.
- az network application-gateway waf-config set: To update a web application's firewall configuration.
- az network application-gateway waf-config show: To receive the configuration of a web application's firewall.
- azure-waf-policies-get: Assists in the recovery of protection policies within a resource cluster. E.g. ! limit=1. azure-waf-policies-list-all-in-subscription: Lists all WAF policies in the specified subscription. As an example, consider the command:! limit=3 for azure-waf-policies-list-all-in-subscription. azure-waf-policy-update-or-create: It creates or updates a specified policy with a specific rule set name within a resource cluster.
- Removes an existing policy with the Azure-waf-policy-delete command.
- Azure-waf-auth-start: Begin the authorization procedure by following the directions in the command results.
- Azure-waf-auth-complete: Assists in completing the authorization procedure.
- Azure-waf-auth-reset: This command is used to restart the authorization procedure.
Benefits of Azure WAF
Secure web applications from web vulnerabilities and assaults without modifying the back-end code.
At the same time, protect many web applications. An example of an Application Gateway can host up to 40 websites that are protected by a web application firewall.
Create custom WAF tactics for distinct sites in addition to the corresponding WAF.
Use the IP Reputation rule set to protect your web apps from harmful bots.
Using a real-time WAF log, you can monitor attacks on any online application. The log is integrated with Azure Monitor for easily tracing WAF alarms and monitoring tendencies.
The Application Gateway WAF is connected with Azure Security Center, which provides a comprehensive assessment of the security state of all Azure assets.
Customize WAF rules and rule groups to meet the needs of the application and eliminate false positives.
Create a WAF Policy for each site to agree on site-specific arrangements.
Create custom rules to meet the needs of the application.
Rules of Azure WAF
To enable a WAF on Application Gateway, the user must create a WAF policy for protection that includes two types of security rules: complete managed rules and custom rules and exclusions with other customizations such as file upload. This WAF policy related to a web application can be configured at the per-URI, global, and per-site levels.
If both are available, the custom rules will be handled first, followed by the rules in a managed rule set. A rule can be defined as a combination of a match condition, a priority, and an action. The following actions are supported: LOG, BLOCK, and ALLOW. Priority is a separate integer that specifies the order of rules to be processed in this case. A smaller integer number indicates higher priority, and those rules are calculated first, followed by those with a larger integer value. The action is done after matching, whereas the lower priority rules are not managed further.
- Core rule sets: CRS 2.2.9, CRS 3.0, and CRS 3.1 are the three rule sets provided by Application Gateway. These rules protect the web applications against malicious behavior.
- Custom rule: Application Gateway also supports custom rules, which let users to create their own rules that are calculated for each request, as permitted by WAF. These rules take precedence over the remainder of the rules in the arranged rule sets. If an agreed-upon set of requirements is met, an action is taken to authorize or block it. Custom rules can presently use the GeoMatch operator.