Ensure Azure Application Gateway Web application firewall (WAF) is enabled
Description
Ensure Azure Application Gateway Web application firewall (WAF) is enabled. Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Remediation Steps
Azure Portal
Enable Application Gateway WAF configuration:
1. Navigate to your Application Gateway
2. Under Settings, select Web application firewall
3. Under the Configure tab:
   - Ensure Tier is set to WAF
   - Ensure Firewall status is set to Enabled
   - Select the Firewall mode appropriate to your requirements
4. Under the Rules tab:
   - Select the appropriate Rule set according to your requirements
5. Click Save
Azure CLI
Update an existing Application Gateway to enable WAF configuration:
az network application-gateway update --resource-group <resource-group-name> --name <application-gateway-name> --sku <WAF_Large|WAF_Medium|WAF_v2>
az network application-gateway waf-config set --resource-group <resource-group-name> --gateway-name <application-gateway-name> --enabled true --firewall-mode <Detection|Prevention> --rule-set-version 3.0
Azure Resource Manager
Ensure that a Microsoft.Network/applicationGateways resource contains the following, where tier is set to WAF or WAF_v2:
{
  "properties": {
    "sku": {
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true
    }
  }
}
Example Configuration
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2021-03-01",
  "properties": {
    "sku": {
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true
    }
  }
  // other required fields here
}
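The rule above can be checked across a whole template before deployment. The following is an added example, not part of the original page or of any Azure tooling: the function names and the sample template are constructed for illustration, and it goes slightly beyond the page by flagging values supplied as template expressions, which cannot be judged until they are resolved.

```python
import json

WAF_TIERS = {"WAF", "WAF_v2"}  # tiers the page accepts
GATEWAY_TYPE = "microsoft.network/applicationgateways"  # ARM types compare case-insensitively

def is_expression(value):
    """True for ARM template expressions like "[parameters('x')]" ("[[" is an escaped literal)."""
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[")

def check_gateway(resource):
    """Return findings for one gateway resource; an empty list means it passes the page's rule."""
    props = resource.get("properties") or {}
    tier = (props.get("sku") or {}).get("tier")
    enabled = (props.get("webApplicationFirewallConfiguration") or {}).get("enabled")
    findings = []
    for label, value, ok in (
        ("sku.tier", tier, tier in WAF_TIERS),
        ("webApplicationFirewallConfiguration.enabled", enabled, enabled is True),
    ):
        if is_expression(value):
            findings.append(f"{label} is the expression {value}; resolve it before judging")
        elif not ok:  # missing (None), wrong tier, false, or a string such as "true"
            findings.append(f"{label} is {value!r}")
    return findings

def audit_template(template_text):
    """Map each application gateway name in a strict-JSON ARM template to its findings."""
    resources = json.loads(template_text).get("resources", [])
    return {r.get("name", "<unnamed>"): check_gateway(r)
            for r in resources if r.get("type", "").lower() == GATEWAY_TYPE}

def _gw(name, tier, waf=None):
    """Build one constructed sample gateway resource."""
    props = {"sku": {"tier": tier}}
    if waf is not None:
        props["webApplicationFirewallConfiguration"] = waf
    return {"type": "Microsoft.Network/applicationGateways", "name": name, "properties": props}

# Constructed sample template; resource names are made up for this example.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    _gw("gw-ok", "WAF_v2", {"enabled": True}),
    _gw("gw-standard", "Standard_v2"),
    _gw("gw-disabled", "WAF", {"enabled": False}),
    _gw("gw-param", "WAF_v2", {"enabled": "[parameters('wafEnabled')]"}),
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet", "properties": {}},
]})

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else f"FAIL {findings}")
```

Templates that contain comments must have them stripped first, since `json.loads` accepts strict JSON only.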
Terraform
Ensure that an azurerm_application_gateway contains the following:
- sku.tier = "WAF" or "WAF_v2"
- waf_configuration.enabled = true
Example Configuration
resource "azurerm_application_gateway" "example" {
  sku {
    tier = "WAF"
  }
  waf_configuration {
    enabled = true
  }
}