3rd Party WAF Implementation

Question

3rd Party WAF Implementation

Cobe van Coller 0

Hi all,

We have implemented the Fortinet FortiWeb Cloud WAF as a Service from the Marketplace to protect an Azure App Service. The FortiWeb has its own SSL certificate that it auto renews via Let's Encrypt. Is the certificate that was generated on the Azure app still necessary, or can it be removed without breaking anything in the process?

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-06-29T15:34:52.4966667+00:00

@Cobe van Coller ,

Just checking in to see if you had got a chance to see the previous response. If the answer helped (pointed, you in the right direction) > please click Accept Answer Or please share the requested/more info to help you better.

1 answer

Your answer

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-06-29T15:34:52.4966667+00:00

@Cobe van Coller ,

Just checking in to see if you had got a chance to see the previous response. If the answer helped (pointed, you in the right direction) > please click Accept Answer Or please share the requested/more info to help you better.

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

@Cobe van Coller ,

Based on my understanding of the scenario from your issue description.

The <app-name>.azurewebsites.net name is always assigned to your app as long as you don't delete it. The default certificate is provided and managed by Azure.

If you’re referring to other private certificate that you added (including App Service Certificate) for securing custom domain, if you have any bindings in App Service that use this certificate, they will become invalid. So, before removing the certificate, make sure that you have updated all the bindings.

Please check the doc for the FAQ and info about custom domain bindings:

How do I make sure that the app's IP address doesn't change when I make changes to the certificate binding?

Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order (refer the doc):

configure-ssl-bindings#how-do-i-make-sure-that-the-apps-ip-address-doesnt-change-when-i-make-changes-to-the-certificate-binding

Just to highlight as a note - keep in mind that deleting an App Service certificate is an irreversible and final operation. So, make sure that you have a backup of the certificate before deleting it.

Kindly let us know how it goes with some more info about your exact requirement if the issue still persists.
Are you referring to this service/appp on Azure Marketplace or any other service?

Cobe van Coller 0 Reputation points

2023-07-03T09:13:15.72+00:00

Hi Ajkuma

Thank you for the response, I had a look at the setup that was done and I can see that it indeed has a private certificate that was bought through Azure and it is currently using the SNI SSL binding. The issue that sparked this situation is that every now and then we get an error message on the Azure portal that says: Failed to renew App Service Managed Certificate issues to hostname XXX.com due to error: custom domain XXX.com does not directly point to ip address xxx.xxx.xxx.xxx of website (azure app name) where it was added Current A record has (Fortiweb IP address). We want to know if this setup could potentially cause any issues or if it can cause the traffic between the Azure app and the Fortiweb firewall to not be encrypted.

Thank you
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-07-06T09:35:54.2666667+00:00

Apologies for the delay! Thanks for the follow-up and additional info.

Yes, it requires an A record or CNAME depending on the apex or subdomain - Create a free managed certificate |config

Just to confirm, is the Fortiweb sending the request using the custom domain or azurewebsites.net domain? If it's azurewebsites.net domain, it would be fine, but there could be issues with things like redirects etc.

Based on my understanding of your scenario/requirement, you are leveraging App Service Managed Certificate (ASMC) (there are some limitations) if required you may use App Service Certificate (ASC).

Sometimes the proxy masks the actual A record IP address and that could prevent the certificate to be renewed, as the IP address cannot be detected. You may want to turn off the proxy for a while, or upgrade to ASC.

The free App Service managed certificate (ASMC) is a turn-key solution for securing your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed continuously in six-month increments, 45 days before expiration, as long as the prerequisites that you set up stay the same.

Kindly let us know, will follow-up with you further.

Share via

3rd Party WAF Implementation

1 answer

Your answer