
Application Gateway WAF is enabled

Security · Application Gateway · Rule · 2022_09 · Critical

Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

Description

Security features of Application Gateways deployed with WAF may be toggled on or off.

When WAF is disabled, network traffic is still processed by the Application Gateway; however, detection and/or prevention of malicious attacks does not occur.

To protect backend resources from potentially malicious network traffic, WAF must be enabled.

Recommendation

Consider enabling WAF for Application Gateway instances connected to untrusted or low-trust networks such as the Internet.

Examples

Configure with Azure template

To deploy Application Gateways that pass this rule:

  • Set the properties.policySettings.state property to Enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2022-01-01",
  "name": "agwwaf",
  "location": "[parameters('location')]",
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.2"
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "0.1"
        }
      ]
    },
    "policySettings": {
      "state": "Enabled",
      "mode": "Prevention"
    }
  }
}
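The following is an added example, not part of this rule's documentation or of the PSRule project: a small Python checker that scans an ARM template and reports every Application Gateway WAF policy whose properties.policySettings.state is not Enabled. The sample template embedded in it is constructed for the demonstration (one policy matching the snippet above, one toggled to Disabled, one with policySettings omitted). Treating a missing policySettings.state as a finding is this example's own choice rather than something the page states: it requires the property to be set explicitly instead of relying on the service default.

```python
"""Added example (not PSRule's own code): flag WAF policies in an ARM template
whose properties.policySettings.state is not 'Enabled'."""
import json
from typing import Optional

WAF_POLICY_TYPE = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"

# Constructed sample template: one compliant policy, one explicitly disabled,
# and one that omits policySettings entirely.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": WAF_POLICY_TYPE,
            "apiVersion": "2022-01-01",
            "name": "agwwaf",
            "location": "[parameters('location')]",
            "properties": {
                "managedRules": {"managedRuleSets": [
                    {"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
                "policySettings": {"state": "Enabled", "mode": "Prevention"},
            },
        },
        {
            "type": WAF_POLICY_TYPE,
            "apiVersion": "2022-01-01",
            "name": "agwwaf-disabled",
            "location": "[parameters('location')]",
            "properties": {
                "policySettings": {"state": "Disabled", "mode": "Detection"},
            },
        },
        {
            "type": WAF_POLICY_TYPE,
            "apiVersion": "2022-01-01",
            "name": "agwwaf-default",
            "location": "[parameters('location')]",
            "properties": {
                "managedRules": {"managedRuleSets": [
                    {"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
            },
        },
    ],
})


def waf_policy_state(resource: dict) -> Optional[str]:
    """Return properties.policySettings.state for a WAF policy resource,
    or None when the property is absent."""
    props = resource.get("properties") or {}
    settings = props.get("policySettings") or {}
    state = settings.get("state")
    return state if isinstance(state, str) else None


def check_template(template_json: str) -> list:
    """Return one finding (dict) per WAF policy resource that does not
    have policySettings.state set to 'Enabled'. Assumption of this
    example: an absent state is reported rather than assumed enabled."""
    template = json.loads(template_json)
    findings = []
    for res in template.get("resources", []):
        # ARM resource type names are case-insensitive, so compare lowercased.
        if str(res.get("type", "")).lower() != WAF_POLICY_TYPE.lower():
            continue
        state = waf_policy_state(res)
        if state is None or state.lower() != "enabled":
            reason = ("policySettings.state is missing" if state is None
                      else f"policySettings.state is '{state}', expected 'Enabled'")
            findings.append({"name": res.get("name"), "state": state, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(f"FAIL {finding['name']}: {finding['reason']}")
```

Running the script against the constructed template reports agwwaf-disabled and agwwaf-default and stays silent for agwwaf. The checker only inspects the WAF policy resource type shown on this page; a gateway using the older in-gateway WAF configuration (the kind the Azure CLI and PowerShell snippets below set) is out of its scope.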

Configure with Bicep

To deploy Application Gateways that pass this rule:

  • Set the properties.policySettings.state property to Enabled.

For example:

Azure Bicep snippet
resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {
  name: 'agwwaf'
  location: location
  properties: {
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '0.1'
        }
      ]
    }
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
    }
  }
}

Configure with Azure CLI

Azure CLI snippet
az network application-gateway waf-config set --enabled true -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell

Azure PowerShell snippet
$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'
