Use Recommended Application Gateway WAF policy rule groups

Security · Application Gateway · Rule · 2024_03 · Critical

Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

Description

Application Gateway WAF policies support two main Rule Groups.

• OWASP - Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.
• Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.

Recommendation

Consider configuring Application Gateway WAF policy to use the recommended rule sets.

Links

• Best practices for endpoint security on Azure
• Securing PaaS deployments
• Web Application Firewall CRS rule groups and rules
• Bot protection overview
• Web Application Firewall best practices

Comments