# Application Gateway rules are enabled

Security · Application Gateway · Rule · 2020_06 · Important

Application Gateway Web Application Firewall (WAF) should have all rules enabled.
## Description

Application Gateway instances with WAF allow OWASP detection/prevention rules to be toggled on or off. All OWASP rules are turned on by default.

When OWASP rules are turned off, the protection they provide is disabled.
## Recommendation

Consider enabling all OWASP rules within Application Gateway instances.

Before disabling OWASP rules, ensure that the backend workload has alternative protections in place. Alternatively, consider updating application code to use safe web standards.
## Examples

### Configure with Azure template

To deploy Application Gateways that pass this rule:

- Set the `properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName` property to `$ruleName`.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "appGw-001",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Prevention",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": [
        {
          "ruleGroupName": "exampleRule",
          "rules": []
        }
      ],
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    }
  }
}
```
### Configure with Bicep

To deploy Application Gateways that pass this rule:

- Set the `properties.webApplicationFirewallConfiguration.enabled` property to `true`.

For example:

Azure Bicep snippet

```bicep
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
      disabledRuleGroups: [
        {
          // Bicep object properties are separated by newlines, not commas
          ruleGroupName: 'exampleRule'
          rules: []
        }
      ]
    }
  }
}
```
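The two snippets above show the shape of `webApplicationFirewallConfiguration`; what a reviewer usually needs is a quick way to see exactly which OWASP protection a given definition switches off before approving it. The following is an added example, not PSRule for Azure's own implementation of this rule: it reads an Application Gateway resource in the ARM JSON shape used above, confirms the WAF block is present and enabled, and lists every disabled rule group or individual rule. It also flags `firewallMode` other than `Prevention`, which is stricter than the rule described on this page. Both resource definitions, the resource names and the rule group names and rule ids in them are constructed sample data; an absent or empty `rules` list is read as "whole group disabled", which is how Azure interprets `disabledRuleGroups` (also an assumption stated here, not from the page).

```python
"""Added example: report disabled OWASP protection in an Application Gateway WAF config.
Not from PSRule for Azure; inspects the ARM JSON resource shape shown on the page."""
import json

# Constructed sample: WAF enabled, Prevention mode, nothing disabled (should pass).
COMPLIANT_APPGW = json.loads("""
{
  "type": "Microsoft.Network/applicationGateways",
  "name": "appGw-sample-pass",
  "properties": {
    "sku": { "name": "WAF_v2", "tier": "WAF_v2" },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Prevention",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": []
    }
  }
}
""")

# Constructed sample: Detection mode, one whole group off, two rules off in another.
# Group names and rule ids are illustrative values in the CRS naming style.
PARTIAL_APPGW = json.loads("""
{
  "type": "Microsoft.Network/applicationGateways",
  "name": "appGw-sample-partial",
  "properties": {
    "sku": { "name": "WAF_v2", "tier": "WAF_v2" },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Detection",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": [
        { "ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI" },
        { "ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT", "rules": [920300, 920320] }
      ]
    }
  }
}
""")


def is_waf_gateway(resource):
    """The check only applies to Application Gateways on a WAF SKU tier."""
    props = resource.get("properties", {})
    tier = props.get("sku", {}).get("tier", "")
    is_appgw = resource.get("type", "").lower() == "microsoft.network/applicationgateways"
    return is_appgw and tier.upper().startswith("WAF")


def waf_findings(resource):
    """Return human-readable findings; an empty list means WAF is enabled in
    Prevention mode with no OWASP rule groups or rules disabled."""
    findings = []
    cfg = resource.get("properties", {}).get("webApplicationFirewallConfiguration")
    if not cfg:
        return ["webApplicationFirewallConfiguration block is missing"]
    if cfg.get("enabled") is not True:
        findings.append("WAF is not enabled")
    if cfg.get("firewallMode") != "Prevention":
        findings.append(f"firewallMode is {cfg.get('firewallMode')!r}, not 'Prevention'")
    for group in cfg.get("disabledRuleGroups") or []:
        name = group.get("ruleGroupName", "<unnamed>")
        rules = group.get("rules") or []
        # Assumption (Azure semantics): no 'rules' entries means the whole group is off.
        if not rules:
            findings.append(f"entire rule group disabled: {name}")
        else:
            findings.append(f"rules disabled in {name}: {', '.join(str(r) for r in rules)}")
    return findings


def is_compliant(resource):
    """True/False for WAF gateways; None when the rule does not apply (non-WAF SKU)."""
    if not is_waf_gateway(resource):
        return None
    return waf_findings(resource) == []


if __name__ == "__main__":
    for res in (COMPLIANT_APPGW, PARTIAL_APPGW):
        print(res["name"], "compliant:", is_compliant(res))
        for line in waf_findings(res):
            print("  -", line)
```

Feed it the `resources` entries of an exported template (for instance the output of `az group export` parsed with `json.load`) and the findings list doubles as the list of compensating controls the Recommendation section asks you to document before a rule group is left disabled.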
## Links

- Best practices for endpoint security on Azure
- Securing PaaS deployments
- What is Azure Web Application Firewall on Azure Application Gateway?
- Web Application Firewall CRS rule groups and rules
- Azure deployment reference