Use Front Door WAF policy in prevention mode

Security · Front Door · Rule · 2022_09 · Critical

Use prevention mode in Front Door Web Application Firewall (WAF) policies to protect back-end resources.

Description

Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

  • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.
  • Prevention - logs and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.

Recommendation

Consider setting Front Door WAF policy to use prevention mode.

Examples

Configure with Azure template

To deploy WAF policies that pass this rule:

  • Set the properties.policySettings.mode property to Prevention.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2022-05-01",
  "name": "[parameters('name')]",
  "location": "Global",
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        }
      ]
    },
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    }
  }
}
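
One way to check this setting before deployment, as an added example that is not part of the original page or of the rule's own implementation: the script reads an ARM template and reports each Front Door WAF policy by its `properties.policySettings.mode` value. The names `check_waf_modes` and `SAMPLE_TEMPLATE` and the sample resources are constructed for illustration.

```python
import json

WAF_TYPE = "microsoft.network/frontdoorwebapplicationfirewallpolicies"

# Constructed sample template (not from the page): one compliant policy,
# one in Detection mode, one whose mode is a template expression.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
         "name": "waf-ok",
         "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Prevention"}}},
        {"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
         "name": "waf-detect",
         "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection"}}},
        {"type": "Microsoft.Network/frontDoorWebApplicationFirewallPolicies",
         "name": "waf-param",
         "properties": {"policySettings": {"mode": "[parameters('wafMode')]"}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"},
    ]
})


def check_waf_modes(template_text):
    """Return (name, status, detail) for every Front Door WAF policy found."""
    results = []
    for res in json.loads(template_text).get("resources", []):
        # Resource types are matched case-insensitively (assumption of this example).
        if res.get("type", "").lower() != WAF_TYPE:
            continue
        mode = res.get("properties", {}).get("policySettings", {}).get("mode")
        if mode is None:
            # The page states prevention is the default, so an unset mode passes.
            results.append((res.get("name"), "pass", "mode not set (default)"))
        elif mode.startswith("[") and not mode.startswith("[["):
            # Template expression: the value is only known at deployment time.
            results.append((res.get("name"), "review", mode))
        elif mode.lower() == "prevention":
            results.append((res.get("name"), "pass", mode))
        else:
            results.append((res.get("name"), "fail", mode))
    return results


if __name__ == "__main__":
    for name, status, detail in check_waf_modes(SAMPLE_TEMPLATE):
        print(f"{status:6} {name}: {detail}")
```

A `review` result means the mode comes from a parameter or variable, so the value passed at deployment time has to be checked as well.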

Configure with Bicep

To deploy WAF policies that pass this rule:

  • Set the properties.policySettings.mode property to Prevention.

For example:

Azure Bicep snippet
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: name
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
      ]
    }
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
  }
}
