Azure WAF matched traffic, is it allowed or blocked?

Samar Masood Khan 20 Reputation points
2023-06-16T14:50:06.07+00:00

Hi team,

Azure WAF uses CRS for anomaly scoring.

Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode.

Does this mean that if a particular request doesn't reach a score of 5 or above, the traffic is allowed through the WAF?

And is any traffic that shows as matched always allowed?


1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-06-19T11:27:07.4166667+00:00

    Hello @Samar Masood Khan,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to understand if Azure WAF matched traffic is allowed or blocked.

    As mentioned in the Azure WAF doc,

    The message that's logged when a WAF rule matches traffic includes the action value "Matched." If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value "Blocked" and the request will be stopped.

    As a WAF parses a request through the multiple WAF rules that make up the CRS, it keeps track of the rules that fire and adds the score of each rule to compute the total anomaly score for a request. The WAF will then compare the request anomaly score with an inbound risk score rule threshold. If the score is exceeded, the request is more likely to be malicious; otherwise the request is judged to be safe.

    Specific packets may hit one or more rules on the WAF. Each rule being hit has a different "Severity". If a packet hits more than one rule, the anomaly score of each of these rules is taken into account and the sum is calculated; if the sum exceeds 5 points, the packet/request is blocked.

    So, you cannot look at a single Matched log to find if it was allowed/blocked.

    You can understand the WAF logs better by referring to the below doc:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#understanding-waf-logs

    You should filter your Azure WAF logs using the transactionId parameter. transactionId is a unique ID for a given transaction which helps group multiple rule violations that occurred within the same request.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | where transactionId == "16861477007022634343" // replace this ID with the one in your log
    

    If the same transactionId shows hits by more than one WAF rule and shows matched in the initial logs, the WAF will calculate the sum of all the rules hit, and if the sum exceeds 5 points, the packet/request will be blocked. You can also see the request being blocked in the filtered logs.

    But if the transactionId shows only a hit by a single WAF rule whose anomaly score is less than 5, then it is allowed.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    5 people found this answer helpful.
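The scoring logic described in the answer, as an added example that is not part of the original post or of Microsoft's own code: it groups log records by transactionId, sums the anomaly score of every "Matched" rule, and reports the verdict the mandatory anomaly rule would give. It assumes the OWASP CRS default severity weights (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2); the records, their rule IDs and the `severity` field are constructed for illustration, not a real Azure log schema.

```python
from collections import defaultdict

# OWASP CRS default anomaly score per rule severity (assumption: CRS defaults).
CRS_SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_ANOMALY_THRESHOLD = 5  # total at which the mandatory anomaly rule fires

# Constructed sample records (not real Azure WAF log lines): three requests,
# each of which "Matched" one or more CRS rules.
SAMPLE_LOGS = [
    {"transactionId": "tx-A", "ruleId": "920350", "severity": "WARNING",  "action": "Matched"},
    {"transactionId": "tx-B", "ruleId": "942100", "severity": "CRITICAL", "action": "Matched"},
    {"transactionId": "tx-C", "ruleId": "920350", "severity": "WARNING",  "action": "Matched"},
    {"transactionId": "tx-C", "ruleId": "920440", "severity": "WARNING",  "action": "Matched"},
]


def score_transactions(records):
    """Sum the anomaly score of every matched rule, grouped by transactionId."""
    totals = defaultdict(int)
    rules = defaultdict(list)
    for rec in records:
        if rec["action"] != "Matched":      # only per-rule matches contribute
            continue
        tx = rec["transactionId"]
        totals[tx] += CRS_SEVERITY_SCORE[rec["severity"]]
        rules[tx].append(rec["ruleId"])
    return {tx: {"score": totals[tx], "rules": rules[tx]} for tx in totals}


def verdict(score, mode="Prevention"):
    """Outcome once all matched rules for one request have been summed."""
    if score < INBOUND_ANOMALY_THRESHOLD:
        return "Allowed"                     # matched, but below the threshold
    return "Blocked" if mode == "Prevention" else "Detected"


def evaluate(records, mode="Prevention"):
    """Map every transactionId in the records to its final verdict."""
    return {tx: verdict(info["score"], mode)
            for tx, info in score_transactions(records).items()}


if __name__ == "__main__":
    for tx, info in score_transactions(SAMPLE_LOGS).items():
        print(tx, info["rules"], "score", info["score"], "->", verdict(info["score"]))
```

A single WARNING match (tx-A) stays "Allowed" even though it was logged as "Matched", while two WARNING matches on the same transactionId (tx-C) add up to 6 and are blocked in Prevention mode.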
