
Use Recommended Front Door WAF policy rule groups

Security · Front Door · Rule · 2022_09 · Critical

Use the recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect backend resources.

Description

Front Door WAF policies support two main managed rule groups:

  • OWASP - The Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits using rules based on the OWASP Core Rule Set (versions 3.2, 3.1 and 3.0). Use the latest available rule set version.
  • Bot protection - Enable the managed bot protection rule set to block or log requests from known malicious IP addresses.

Recommendation

Consider configuring the Front Door WAF policy to use the recommended rule sets.

Examples

Configure with Azure template

To deploy WAF policies that pass this rule:

  • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
    • Use the rule set version 2.0 or greater.
  • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
    • Use the rule set version 1.0 or greater.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2022-05-01",
  "name": "[parameters('name')]",
  "location": "Global",
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        }
      ]
    },
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    }
  }
}
```

Configure with Bicep

To deploy WAF policies that pass this rule:

  • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
    • Use the rule set version 2.0 or greater.
  • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
    • Use the rule set version 1.0 or greater.

For example:

Azure Bicep snippet

```bicep
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: name
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
      ]
    }
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
  }
}
```
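The two checklists above (template and Bicep) describe the same condition: a Front Door WAF policy passes when `Microsoft_DefaultRuleSet` is present at version 2.0 or greater and `Microsoft_BotManagerRuleSet` at version 1.0 or greater. The Python script below is an added example, not part of PSRule for Azure or its rule implementation; it applies that condition to every WAF policy resource in an ARM template so the check can be run locally before deployment. The template embedded in it is constructed for the example (one compliant policy copied from the snippet above and one hypothetical legacy policy named `waf-legacy`), and it assumes `ruleSetVersion` strings compare numerically as `major.minor`. Policy mode is reported as an informational finding only, since a policy in `Detection` mode logs matches without blocking them, which this rule does not itself evaluate.

```python
"""Check Front Door WAF policy resources in an ARM template for the
recommended managed rule sets (example code, not the PSRule implementation)."""
import json

WAF_TYPE = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies"

# Minimum rule set versions this rule expects, as (major, minor).
REQUIRED_RULE_SETS = {
    "Microsoft_DefaultRuleSet": (2, 0),
    "Microsoft_BotManagerRuleSet": (1, 0),
}

# Constructed sample template: "waf-good" matches the page's snippet,
# "waf-legacy" is a hypothetical policy that should fail the check.
SAMPLE_TEMPLATE_JSON = """
{
  "resources": [
    {
      "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
      "apiVersion": "2022-05-01",
      "name": "waf-good",
      "location": "Global",
      "sku": {"name": "Premium_AzureFrontDoor"},
      "properties": {
        "managedRules": {"managedRuleSets": [
          {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.0",
           "ruleSetAction": "Block", "exclusions": [], "ruleGroupOverrides": []},
          {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0",
           "ruleSetAction": "Block", "exclusions": [], "ruleGroupOverrides": []}
        ]},
        "policySettings": {"enabledState": "Enabled", "mode": "Prevention"}
      }
    },
    {
      "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
      "apiVersion": "2022-05-01",
      "name": "waf-legacy",
      "location": "Global",
      "sku": {"name": "Premium_AzureFrontDoor"},
      "properties": {
        "managedRules": {"managedRuleSets": [
          {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "1.1",
           "ruleSetAction": "Block", "exclusions": [], "ruleGroupOverrides": []}
        ]},
        "policySettings": {"enabledState": "Enabled", "mode": "Detection"}
      }
    }
  ]
}
"""
SAMPLE_TEMPLATE = json.loads(SAMPLE_TEMPLATE_JSON)


def parse_version(text):
    """Turn a version string such as '2.1' into (2, 1); a bare '2' becomes (2, 0)."""
    parts = [int(p) for p in str(text).strip().split(".")]
    return tuple(parts) + (0,) * (2 - len(parts))


def check_policy(resource):
    """Return (passed, findings) for one WAF policy resource.

    findings is a list of (severity, message); only "fail" entries affect passed.
    """
    findings = []
    props = resource.get("properties", {})
    rule_sets = props.get("managedRules", {}).get("managedRuleSets", [])
    present = {rs.get("ruleSetType"): rs.get("ruleSetVersion", "0") for rs in rule_sets}

    for name, minimum in REQUIRED_RULE_SETS.items():
        if name not in present:
            findings.append(("fail", f"{name} is not enabled"))
        elif parse_version(present[name])[:2] < minimum:
            findings.append(("fail", f"{name} version {present[name]} is below "
                                     f"{minimum[0]}.{minimum[1]}"))

    # Informational: the rule sets only block traffic when the policy is in Prevention mode.
    mode = props.get("policySettings", {}).get("mode")
    if mode != "Prevention":
        findings.append(("info", f"policy mode is {mode!r}; matches are logged, not blocked"))

    passed = not any(sev == "fail" for sev, _ in findings)
    return passed, findings


def evaluate_template(template):
    """Map each Front Door WAF policy name in the template to its (passed, findings)."""
    return {res.get("name"): check_policy(res)
            for res in template.get("resources", [])
            if res.get("type") == WAF_TYPE}


if __name__ == "__main__":
    for name, (passed, findings) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

To run it against a real template, replace `SAMPLE_TEMPLATE` with `json.load(open("template.json"))`; nested or parameterised resources (for example a `name` given as `[parameters('name')]`) are reported under that unresolved expression, which is sufficient for a pre-deployment check.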
