Use Front Door WAF policy in prevention mode#
Security · Front Door · Rule · 2022_09 · Critical
Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.
Description#
Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.
- Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.
- Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
Recommendation#
Consider setting Front Door WAF policy to use protection mode.
Examples#
Configure with Azure template#
To deploy WAF policies that pass this rule:
- Set the
properties.policySettings.mode
property toPrevention
.
For example:
Azure Template snippet
{
"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
"apiVersion": "2022-05-01",
"name": "[parameters('name')]",
"location": "Global",
"sku": {
"name": "Premium_AzureFrontDoor"
},
"properties": {
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "Microsoft_DefaultRuleSet",
"ruleSetVersion": "2.0",
"ruleSetAction": "Block",
"exclusions": [],
"ruleGroupOverrides": []
},
{
"ruleSetType": "Microsoft_BotManagerRuleSet",
"ruleSetVersion": "1.0",
"ruleSetAction": "Block",
"exclusions": [],
"ruleGroupOverrides": []
}
]
},
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention"
}
}
}
Configure with Bicep#
To deploy WAF policies that pass this rule:
- Set the
properties.policySettings.mode
property toPrevention
.
For example:
Azure Bicep snippet
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
name: name
location: 'Global'
sku: {
name: 'Premium_AzureFrontDoor'
}
properties: {
managedRules: {
managedRuleSets: [
{
ruleSetType: 'Microsoft_DefaultRuleSet'
ruleSetVersion: '2.0'
ruleSetAction: 'Block'
exclusions: []
ruleGroupOverrides: []
}
{
ruleSetType: 'Microsoft_BotManagerRuleSet'
ruleSetVersion: '1.0'
ruleSetAction: 'Block'
exclusions: []
ruleGroupOverrides: []
}
]
}
policySettings: {
enabledState: 'Enabled'
mode: 'Prevention'
}
}
}
Links#
- SE:06 Network controls
- Securing PaaS deployments
- Policy settings for Web Application Firewall on Azure Front Door
- Web Application Firewall best practices
- Azure deployment reference