Azure WAF is very restricting

David Vanden Bussche 25 Reputation points
2023-12-08T09:43:45.74+00:00

Hi

In our Azure config, we have an ApplicationGW+WAF in front of APIM.

So all external requests pass through the WAF before routing towards APIM.

The WAF (owasp rules) seem to be very very restrictive.

We get a lot of blocked requests due to rule violations.

We have implemented exclusions on the managed rules to tackle those blocked requests. However in a long term this doesn't feels like a best practice since requests get blocked for very simple data requests.

for example when in a payload we have an element for 'city' and a value of 'Sint-Job-in-'t-Goor' ( =a city in Belgium) it get's blocked (ruleid : 942370) , just because there is a ' in the value.

If we need to exclude all those elements that can have a non-standard-character we need to exclude everything

So is there another best-practice to configure WAF to make it less restrictive or smarter in it's rule validations ?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,171 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
678 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,079 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Luis Arias 7,121 Reputation points
    2023-12-08T14:34:17.7733333+00:00

    Hi David Vanden Bussche,

    There are some best prractice recomended by Microsoft to avoid this problems by enable Detection Mode and Prevention Mode upon firewall at first intance. It's required

    In Detection mode, WAF doesn't block any requests. Instead, the matching WAF rules are logged in the WAF logs. To see WAF in action, you can change the mode settings to Prevention. https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag#configure-waf-rules-optional

    So, Resuming here the best practice to tune your waf on azure (https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/best-practices):

    1. Use WAF policies for managing your Application Gateway WAF.
    2. WAF Tunning: If you don’t tune your WAF, it might accidentally block requests that should be allowed. Tuning involve creating rule exclusions to reduce false positive detections. a. Use detection mode which logs requests and the actions the WAF would normally take. Consider that detection mode is useful for testing purposes but it provides no protection. It logs the traffic, but it doesn't take any actions such as allow or deny. b. Use prevention mode to ensure the WAF actually blocks requests that it detects as malicious.
    3. Define your WAF configuration as code defining your rule exclusions and other configurations as code to avoid manual reconfiguration.

    Across this process is important to understand WAF Logs to improve yor operation(

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#understanding-waf-logs)

    Additional helpful documentation

    Let me know anything else.

    Luis,


    If the information helped address your question, please Accept the answer.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.