Enable Front Door WAF policy#

Security · Front Door · Rule · 2022_09 · Critical

Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

Description#

The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.

When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.

Recommendation#

Consider enabling WAF policy.

Examples#

Configure with Azure template#

To deploy WAF policies that pass this rule:

Set the properties.policySettings.enabledState property to Enabled.

For example:

Azure Template snippet

{
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2022-05-01",
  "name": "[parameters('name')]",
  "location": "Global",
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        }
      ]
    },
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    }
  }
}

Configure with Bicep#