Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,014 questions
Are there any best practices to enable application encryption with Azure WAF
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 74%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Pathiyanathan, Magimaicharles (Cognizant)
5
Reputation points
We have a web application that is hosted on Azure Linux VMs and employs app gateway WAF v2 in the front end, as well as a key cloak service that is integrated with Azure AD for sign-in.
After enabling encryption (EncryptInputParameter= “true”) in the application code (Dotnet), we are unable to sign in to our application. WAF was blocking legitimate requests after enabling encryption.
We have created custom rules in WAF (Azure App Gateway WAFv2) to whitelist the impacted URLs from WAF checking. So these requests will not be monitored by WAF in the future.
I'm not sure which is the right method or how it will impact our application security standard. Also, please suggest if there is any alternative solution to enable application encryption with Azure WAF.
{count} votes
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee2023-01-17T06:46:20.2266667+00:00 Hi @Magimaicharles ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand about WAF.
Ideally, there are three ways to overcome a false positive,
There is no general configuration that works for every case use-case/scenario.
You have to check the WAF logs and figure out what are the exact rules that are triggered for your set-up when you enable encryption.
And the, create an exclusion based on why the rule is getting triggered.
In case you are allowing every request to the URL, then you should tune the WAF to allow only valid requests.
Kindly let us know if the above helps.
Thanks,
Kapil
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
2023-01-18T04:35:48.8733333+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
Pathiyanathan, Magimaicharles (Cognizant) 5 Reputation points
2023-01-18T14:13:01.5066667+00:00 I appreciate your input. Here are our findings about this case.
Disable Rule: We discovered that WAF is blocking our login requests because they violate rules 200002 and 200003. We can disable the rule for this fault positive alert, but doing so increases the possibility of allowing malicious future requests related to this rule set, so we skip this option and continue with exclusion.
Create Exclusion: In our scenario, when this option is enabled (EncryptInputParameter = "true"), all of our input values are encrypted (as random characters in the request payload), thus we don't have a specific parameter to exclude.
So I decided to create a custom rule in WAF to permit the traffic for the request URLs.
Share with us any alternative solutions for enabling application encryption with Azure WAF.
-
Pathiyanathan, Magimaicharles (Cognizant) 5 Reputation points
2023-01-20T09:44:25.72+00:00 Could you please provide me with an update on the above comment.
Thanks,
Magimaicharles
-
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
2023-01-20T14:07:37.86+00:00 Greetings.
Encrypting your traffic limits Azure WAF to inspect the parameters.
I am afraid I do not see a way where WAF can be configured to inspect an encrypted packet (i.e. encrypted by application and not by platform).
In case you are using just TLS termination or End-to-End TLS , it is possible for the WAF to decrypt and inspect the traffic.
Since this encryption comes from your backend and platform not having visibility, this won't be feasible.
Thanks,
Kapil.
Sign in to comment