Use Recommended Application Gateway WAF policy rule groups
Security · Application Gateway · Rule · 2025_12 · Critical
Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.
Description
Application Gateway Web Application Firewall (WAF) policies require two managed rule sets to provide comprehensive security coverage for web applications:
- Microsoft Default Rule Set 2.1 or later.
- Microsoft Bot Manager Rule Set 1.0 or later.
The Microsoft Default Rule Set provides protection against the most common web application vulnerabilities and attacks. This rule set is based on industry-standard security patterns and includes:
- Protection against OWASP Top 10 vulnerabilities.
- SQL injection attack prevention.
- Cross-site scripting (XSS) protection.
- Local file inclusion (LFI) and remote file inclusion (RFI) protection.
- Protocol violation detection.
The Bot Manager Rule Set provides automated protection against malicious bot traffic and includes:
- Known bad bot detection and blocking.
- Rate limiting for suspicious traffic patterns.
- Protection against automated attacks and scraping.
- Integration with Microsoft threat intelligence.
Recommendation
Consider using both Microsoft Default Rule Set and Microsoft Bot Manager Rule Set in your WAF policy to ensure comprehensive protection against web attacks and malicious bot traffic.
Examples
Configure with Bicep
To deploy WAF policies that pass this rule:
- Add the following managed rule sets by specifying the properties.managedRules.managedRuleSets property:
  - Add the Microsoft_DefaultRuleSet version 2.1 or later.
  - Add the Microsoft_BotManagerRuleSet version 1.0 or later.
For example:
resource waf 'Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies@2024-10-01' = {
  name: name
  location: location
  properties: {
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.1'
        }
      ]
    }
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
    }
  }
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template
To deploy WAF policies that pass this rule:
- Add the following managed rule sets by specifying the properties.managedRules.managedRuleSets property:
  - Add the Microsoft_DefaultRuleSet version 2.1 or later.
  - Add the Microsoft_BotManagerRuleSet version 1.0 or later.
For example:
{
  "type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2024-10-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.1"
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.1"
        }
      ]
    },
    "policySettings": {
      "state": "Enabled",
      "mode": "Prevention"
    }
  }
}
Notes
This rule requires both rule sets to be configured, at or above the minimum version, in the WAF policy's managed rules section. The rule sets work together to provide layered security protection for your web applications.
- For Microsoft_DefaultRuleSet, use version 2.1 or later.
- For Microsoft_BotManagerRuleSet, use version 1.0 or later.
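As an added example that is not part of the original rule documentation, the following Python script applies the two minimum-version checks described in these notes to a WAF policy resource in the JSON shape of the Azure template above. The sample policies embedded in it are constructed for this example, and the function names and the REQUIRED_RULE_SETS table are this example's own, not part of PSRule or of the Azure resource provider. Versions are compared numerically so that a future 2.10 release is not treated as older than 2.9.

```python
"""Check a WAF policy resource for the Default Rule Set and Bot Manager Rule Set minimums."""
import json
from typing import Dict, List, Tuple

# Minimum rule set versions this rule requires (hypothetical table built from the Notes above).
REQUIRED_RULE_SETS: Dict[str, Tuple[int, ...]] = {
    "Microsoft_DefaultRuleSet": (2, 1),
    "Microsoft_BotManagerRuleSet": (1, 0),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '2.1' to (2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def format_version(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def check_waf_policy(resource: dict) -> List[str]:
    """Evaluate one applicationGatewayWebApplicationFirewallPolicies resource.

    Returns a list of findings; an empty list means the resource passes this rule.
    """
    findings: List[str] = []
    rule_sets = (
        resource.get("properties", {})
        .get("managedRules", {})
        .get("managedRuleSets", [])
    )

    # Record the highest version configured for each rule set type.
    configured: Dict[str, Tuple[int, ...]] = {}
    for rule_set in rule_sets:
        rs_type = rule_set.get("ruleSetType", "")
        raw = rule_set.get("ruleSetVersion", "")
        try:
            version = parse_version(raw)
        except ValueError:
            findings.append(f"{rs_type}: ruleSetVersion {raw!r} is not a dotted number")
            continue
        if rs_type not in configured or version > configured[rs_type]:
            configured[rs_type] = version

    # Each required rule set must be present and at or above its minimum version.
    for rs_type, minimum in REQUIRED_RULE_SETS.items():
        if rs_type not in configured:
            findings.append(
                f"{rs_type} is not configured; version {format_version(minimum)} or later is required"
            )
        elif configured[rs_type] < minimum:
            findings.append(
                f"{rs_type} version {format_version(configured[rs_type])} "
                f"is below the minimum {format_version(minimum)}"
            )
    return findings


# Constructed sample mirroring the Azure template resource above: passes the rule.
COMPLIANT_POLICY = json.loads("""
{
  "type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2024-10-01",
  "name": "waf-policy-example",
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        { "ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1" },
        { "ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.1" }
      ]
    },
    "policySettings": { "state": "Enabled", "mode": "Prevention" }
  }
}
""")

# Constructed sample: only the Default Rule Set, so bot protection is missing.
MISSING_BOT_MANAGER_POLICY = {
    "properties": {"managedRules": {"managedRuleSets": [
        {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"},
    ]}}
}

# Constructed sample: Default Rule Set pinned below the required 2.1.
OLD_DRS_POLICY = {
    "properties": {"managedRules": {"managedRuleSets": [
        {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.0"},
        {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"},
    ]}}
}

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT_POLICY),
               ("missing bot manager", MISSING_BOT_MANAGER_POLICY),
               ("old DRS", OLD_DRS_POLICY)]
    for label, policy in samples:
        result = check_waf_policy(policy)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run the script directly to see a PASS/FAIL line per sample; to check a real deployment, feed check_waf_policy the resource object from an exported ARM template or from the JSON that bicep build produces for the policy.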
Links
- SE:06 Network controls
- Security: Level 2
- Securing PaaS deployments
- Web Application Firewall DRS rule groups and rules
- Bot protection overview
- Web Application Firewall best practices
- Configure WAF policies for Application Gateway
- Monitor Application Gateway WAF
- Azure deployment reference