Application Gateway rules are enabled

Security · Application Gateway · Rule · 2020_06 · Important

Application Gateway Web Application Firewall (WAF) should have all rules enabled.


Application Gateway instances with WAF allow OWASP detection/prevention rules to be toggled on or off. All OWASP rules are turned on by default.

When OWASP rules are turned off, the protection they provide is disabled.


Consider enabling all OWASP rules within Application Gateway instances.

Before disabling OWASP rules, ensure that the backend workload has alternative protections in place. Alternatively, consider updating application code to use safe web standards.


Configure with Azure template

To deploy Application Gateways that pass this rule:

  • Set the properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName property to $ruleName.

For example:

Azure Template snippet
{
    "type": "Microsoft.Network/applicationGateways",
    "apiVersion": "2020-11-01",
    "name": "appGw-001",
    "location": "[resourceGroup().location]",
    "properties": {
        "sku": {
            "name": "WAF_v2",
            "tier": "WAF_v2"
        },
        "webApplicationFirewallConfiguration": {
            "enabled": true,
            "firewallMode": "Prevention",
            "ruleSetType": "OWASP",
            "ruleSetVersion": "3.2",
            "disabledRuleGroups": [
                {
                    "ruleGroupName": "exampleRule",
                    "rules": []
                }
            ],
            "requestBodyCheck": true,
            "maxRequestBodySizeInKb": 128,
            "fileUploadLimitInMb": 100
        }
    }
}
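As an added example (not part of this documentation page and not the rule's own implementation), the following Python script evaluates the same condition over an ARM template: it reads every Application Gateway resource, skips gateways whose SKU tier is not a WAF tier, reports gateways that carry no inline webApplicationFirewallConfiguration, and flags any entry in disabledRuleGroups. The embedded template and its gateway names are constructed for the example.

```python
import json

# Constructed sample ARM template (not the page's snippet): three gateways,
# one compliant, one with disabled OWASP rule groups, one non-WAF SKU.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-all-rules",
     "properties": {"sku": {"tier": "WAF_v2"},
                    "webApplicationFirewallConfiguration": {
                        "enabled": True, "disabledRuleGroups": []}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-disabled",
     "properties": {"sku": {"tier": "WAF_v2"},
                    "webApplicationFirewallConfiguration": {
                        "enabled": True, "disabledRuleGroups": [
                            {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI",
                             "rules": [942100, 942200]},
                            {"ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT"}]}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-standard",
     "properties": {"sku": {"tier": "Standard_v2"}}},
]})

def _describe(group: dict) -> str:
    """Render one disabledRuleGroups entry as 'name [rule ids]'."""
    ids = ",".join(str(r) for r in (group.get("rules") or []))
    return f"{group.get('ruleGroupName')} [{ids or 'no rule IDs listed'}]"

def check_waf_rules(template_json: str) -> dict:
    """Map each Application Gateway name to 'pass', 'fail: ...', 'skip: ...'
    (not a WAF SKU) or 'unknown: ...' (no inline WAF configuration)."""
    results = {}
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != "Microsoft.Network/applicationGateways":
            continue
        props = res.get("properties", {})
        if not props.get("sku", {}).get("tier", "").startswith("WAF"):
            results[res["name"]] = "skip: not a WAF tier SKU"
            continue
        waf = props.get("webApplicationFirewallConfiguration")
        if waf is None:
            # A gateway attached to a separate WAF policy has no inline config;
            # its rule groups live on the policy resource, which is not checked here.
            results[res["name"]] = "unknown: no inline WAF configuration"
        elif not waf.get("enabled", False):
            results[res["name"]] = "fail: WAF not enabled"
        elif waf.get("disabledRuleGroups"):
            groups = "; ".join(_describe(g) for g in waf["disabledRuleGroups"])
            results[res["name"]] = f"fail: disabled rule groups: {groups}"
        else:
            results[res["name"]] = "pass"
    return results
```

Run it against an exported template to get a per-gateway verdict before deployment; any entry under disabledRuleGroups is reported with the group name and the rule IDs it lists.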

Configure with Bicep

To deploy Application Gateways that pass this rule:

  • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

For example:

Azure Bicep snippet
// Location parameter referenced by the resource below.
param location string = resourceGroup().location

resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
      disabledRuleGroups: [
        {
          ruleGroupName: 'exampleRule'
          rules: []
        }
      ]
    }
  }
}