Ensure Azure Application Gateway Web application firewall (WAF) is enabled

Description

Ensure Azure Application Gateway Web application firewall (WAF) is enabled. Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.

Remediation Steps

Azure Portal

Enable Application Gateway WAF configuration:

  • Navigate to your Application Gateway

  • Under Settings, select Web application firewall

  • Under the Configure tab:

    • Ensure Tier is set to WAF

    • Ensure Firewall status is set to Enabled

    • Select the appropriate Firewall mode to your requirements

  • Under the Rules tab:

    • Select the appropriate Rule set according to your requirements

  • Click Save

Azure CLI

  • Update an existing Application Gateway to enable WAF configuration:

    • az network application-gateway update --resource-group <resource-group-name> --name <application-gateway-name> --sku <WAF_Large|WAF_Medium|WAF_v2>

    • az network application-gateway waf-config set --resource-group <resource-group-name> --gateway-name <application-gateway-name> --enabled true --firewall-mode <Detection|Prevention> --rule-set-version 3.0

Azure Resource Manager

{
  "properties": {
    "sku": {
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true
    }
  }
}

Example Configuration

{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2021-03-01",
  "properties": {
    "sku": {
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true
    }
  }
  // other required fields here (ARM templates accept // comments; JSON does not accept #)
}

Terraform

  • Ensure that an azurerm_application_gateway contains the following:

    • sku.tier = "WAF" or "WAF_v2"

    • waf_configuration.enabled = true

Example Configuration

resource "azurerm_application_gateway" "example" {
  # name, location, resource_group_name and the gateway_ip_configuration,
  # frontend/backend, http_listener and request_routing_rule blocks are omitted here

  sku {
    name     = "WAF_Medium"   # a WAF tier requires a matching WAF SKU name
    tier     = "WAF"
    capacity = 2
  }

  waf_configuration {
    enabled          = true
    firewall_mode    = "Prevention"   # or "Detection", per your requirements
    rule_set_type    = "OWASP"
    rule_set_version = "3.0"
  }
}