How to identify WAF Mode which is getting used
I have enabled Prevention mode on the WAF, but the logs captured on the Application Gateway show Detection mode instead of Prevention for the same associated WAF. Kindly help me identify the WAF mode that is being used.
Azure Application Gateway
Azure Web Application Firewall
Azure FastTrack
-
Sina Salam 3,801 Reputation points
2023-06-15T15:07:09.4366667+00:00 Welcome to Microsoft Q&A and thank you for posting your questions here!
To understand your question: you were asking why Azure WAF is showing Detection mode instead of Prevention mode, and how to identify the mode of the Azure WAF that is being used.
Firstly, I have seen from your screenshot that you did a good job; let us break it down a little in case any steps were overlooked.
To identify prevention mode on Azure web application firewall, you should follow these steps:
- Sign-in to the Azure portal.
- In the left-hand menu, click on Application Gateway.
- Select your application gateway from the list.
- In the left-hand menu, click on Web application firewall.
- Click on Policy.
- Under Managed rules, click on Prevention mode.
I want to believe you have done it right, but note:
If prevention mode is enabled, the WAF will block intrusions and attacks that the rules detect and return a “403 unauthorized access” exception.
Read the Overview and read more about Policy Settings.
Now, the logs captured on the Application Gateway of Azure Web Application Firewall show Detection mode only because the firewall log is generated only if you have enabled it for each application gateway. The web application firewall must also be configured on an application gateway.
Read more on web application firewall logs.
Also, you can enable logs to inspect what is happening with each request. Firewall logs give insight into what the WAF is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights.
Read more here: https://learn.microsoft.com/en-us/azure/application-gateway/log-analytics
In summary, to identify Prevention and Detection mode on Azure Web Application Firewall:
Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. Web application firewall doesn’t block incoming requests when it’s operating in Detection mode.
Read more here: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
Prevention mode: After you’ve tuned your WAF, you should configure it to run in prevention mode. By running in prevention mode, you ensure the WAF actually blocks requests that it detects are malicious. Running in detection mode is useful while you tune and configure your WAF but provides no protection.
Read more here for best practice: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/best-practices
I hope this helps you resolve your issue with Azure Logic Apps! If this answer solves your issue, please vote for it so other community members know that it is a useful answer. PS: Do not hesitate to let me know if you have any other questions.
Best Regards,
Sina
-
GitaraniSharma-MSFT 47,421 Reputation points • Microsoft Employee
2023-06-19T12:08:18.33+00:00 Hello @Priyanka Mahadik,
Apologies for the delay in response.
Looking at your screenshots, the configuration seems fine. The WAF policy mode is set to Prevention and the listener is associated with the WAF policy, but the logs seem weird. Are the logs for the same Application Gateway named "AGW-Sandbox-CI"?
Also, are there any other WAF policies in the same resource group "RG-SANDBOX-CI"?
Regards,
Gita
-
Priyanka Mahadik 21 Reputation points
2023-06-20T10:59:15.2466667+00:00 Yes, the logs are of the same application gateway and there is one more WAF that is in detection mode in the same resource group.
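Since this gateway's resource group holds two WAF policies, one in Detection mode and one in Prevention mode, the firewall log itself can tell you which policy produced each record and which mode that policy was running in. The following is an added example, not code from the thread or from Microsoft: it parses a few constructed ApplicationGatewayFirewallLog lines (field names follow the documented WAF v2 firewall-log schema; the policy names, subscription ID and request values are placeholders I made up) and infers the mode per gateway and policy from the `action` field, on the assumption that `Blocked` only appears in Prevention mode and `Detected` only in Detection mode, while per-rule `Matched` rows occur in both.

```python
import json
from collections import Counter, defaultdict

# Constructed sample (not real telemetry). Azure Monitor exports WAF events as
# one JSON object per line under category "ApplicationGatewayFirewallLog".
# Gateway and resource-group names are the ones mentioned in the thread; the
# subscription ID, policy names, client IP and request URIs are placeholders.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_ID = (f"/SUBSCRIPTIONS/{SUBSCRIPTION_ID}/RESOURCEGROUPS/RG-SANDBOX-CI"
               "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/AGW-SANDBOX-CI")


def _event(policy_name, action, rule_id, uri):
    """Build one constructed firewall-log line in the exported JSON shape."""
    return json.dumps({
        "resourceId": RESOURCE_ID,
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_2",
            "clientIp": "203.0.113.10",          # documentation range, placeholder
            "requestUri": uri,
            "ruleSetType": "OWASP_CRS",
            "ruleSetVersion": "3.2",
            "ruleId": rule_id,
            "action": action,
            "policyId": (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/RG-SANDBOX-CI"
                         "/providers/Microsoft.Network/"
                         f"ApplicationGatewayWebApplicationFirewallPolicies/{policy_name}"),
            "policyScope": "Global",
            "policyScopeName": "Global",
            "hostname": "sandbox.example.com",
            "transactionId": f"tx-{rule_id}",
        },
    })


# Two policies in the same resource group: one blocks (Prevention), one only
# reports (Detection). Rule 949110 is the CRS 3.x anomaly-score decision rule.
SAMPLE_LOG_LINES = [
    _event("waf-policy-prevention-EXAMPLE", "Matched", "942100", "/api/items?id=1%20OR%201%3D1"),
    _event("waf-policy-prevention-EXAMPLE", "Blocked", "949110", "/api/items?id=1%20OR%201%3D1"),
    _event("waf-policy-detection-EXAMPLE", "Matched", "930100", "/download?file=..%2F..%2Fetc%2Fpasswd"),
    _event("waf-policy-detection-EXAMPLE", "Detected", "949110", "/download?file=..%2F..%2Fetc%2Fpasswd"),
]


def parse_firewall_logs(lines):
    """Return a flat record per WAF log line; malformed or non-WAF lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated export rather than abort the whole run
        if entry.get("category") != "ApplicationGatewayFirewallLog":
            continue
        props = entry.get("properties", {})
        records.append({
            # last path segment of the ARM resource IDs gives the gateway / policy name
            "gateway": entry.get("resourceId", "").rsplit("/", 1)[-1],
            "policy": props.get("policyId", "").rsplit("/", 1)[-1],
            "scope": props.get("policyScopeName", ""),
            "action": props.get("action", ""),
            "rule_id": props.get("ruleId", ""),
            "uri": props.get("requestUri", ""),
        })
    return records


def infer_policy_modes(records):
    """Map (gateway, policy) -> 'Prevention', 'Detection' or 'Unknown'.

    Assumption: a 'Blocked' decision row only occurs in Prevention mode and a
    'Detected' decision row only in Detection mode; 'Matched' rows alone give
    no verdict (they appear in both modes under anomaly scoring).
    """
    actions = defaultdict(Counter)
    for rec in records:
        actions[(rec["gateway"], rec["policy"])][rec["action"]] += 1
    modes = {}
    for key, counts in actions.items():
        if counts["Blocked"]:
            modes[key] = "Prevention"
        elif counts["Detected"]:
            modes[key] = "Detection"
        else:
            modes[key] = "Unknown"
    return modes


if __name__ == "__main__":
    for (gateway, policy), mode in sorted(infer_policy_modes(parse_firewall_logs(SAMPLE_LOG_LINES)).items()):
        print(f"{gateway}: policy {policy} is running in {mode} mode")
```

Run against a real export (`az monitor` / Log Analytics rows converted to JSON lines), the grouping by `policyId` shows immediately whether the records marked `Detected` came from the policy attached to your listener or from the second, Detection-mode policy in the same resource group.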
-
GitaraniSharma-MSFT 47,421 Reputation points • Microsoft Employee
2023-06-26T12:07:47.8666667+00:00 Hello @Priyanka Mahadik, we wish to engage with you offline for a much closer look. Please send an email with the subject line "ATTN gishar | How to identify WAF Mode which is getting used" to AzCommunity[at]Microsoft[dot]com with the following details, and I will follow up with you.
- Reference this Q&A thread
- Your Azure Subscription ID
Note: Do not share any PII data as a public comment.
We will post a summarized answer once the issue is resolved.
Regards,
Gita