azure application gateway waf v2

Question

azure application gateway waf v2

Shum Kenneth 51

I have set a waf to protect the backend website. I want to allow only certain IPs to access the backend, but want the traffic to be 'scanned' by the managed rules too.

I used custom rules to allow the ip and block everything else. Then I found the traffic will be exempted from the managed rulesets too. Is there workaround?

KapilAnanth 49,851 Reputation points Moderator

2023-08-17T09:25:56.9366667+00:00
@Shum Kenneth

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to allow a bunch of IPs and also let the Managed Rules process them.

This can be achieved by modifying your Custom Rules Implementation.

Rather than Allowing certain IPs , block the IPs that do not match this certain IPs.

However, I am currently not sure if this will be a terminating Rule for IPs that did not match the WAF condition (in this case, this is the IPs you want to access the AppGW)

I shall check internally and see if this is achievable.

Meanwhile, you can create a rule as described above and try to simulate a attack from one of the allowed IPs(from IPs which you want to have access)

This should tell us if Managed Rules process it or not.

Cheers,

Kapil
Shum Kenneth 51 Reputation points

2023-08-17T10:02:09.8+00:00
Thank you for your replies, kapil.

My WAF is watching over two websites.

One website I want allow all IPs, this one I use header to control, once header contain a host field of website.example.com (eg.) will let through.

The other website I want to allow only listed IPs.

So, the result custom rules are like below:

if host header contains "website.example.com" -> allow

if ip contains 1.2.3.4 -> allow

if ip contains 1.3.4.5 -> allow

block everything else

I want the managed rules to also scan for scenario 1, 2, and 3.

Answer accepted by question author

0 additional answers

Your answer

KapilAnanth 49,851 Reputation points Moderator

2023-08-17T09:25:56.9366667+00:00

@Shum Kenneth

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to allow a bunch of IPs and also let the Managed Rules process them.

This can be achieved by modifying your Custom Rules Implementation.

Rather than Allowing certain IPs , block the IPs that do not match this certain IPs.

However, I am currently not sure if this will be a terminating Rule for IPs that did not match the WAF condition (in this case, this is the IPs you want to access the AppGW)

I shall check internally and see if this is achievable.

Meanwhile, you can create a rule as described above and try to simulate a attack from one of the allowed IPs(from IPs which you want to have access)

This should tell us if Managed Rules process it or not.

Cheers,

Kapil
Shum Kenneth 51 Reputation points

2023-08-17T10:02:09.8+00:00

Thank you for your replies, kapil.

My WAF is watching over two websites.

One website I want allow all IPs, this one I use header to control, once header contain a host field of website.example.com (eg.) will let through.

The other website I want to allow only listed IPs.

So, the result custom rules are like below:

if host header contains "website.example.com" -> allow

if ip contains 1.2.3.4 -> allow

if ip contains 1.3.4.5 -> allow

block everything else

I want the managed rules to also scan for scenario 1, 2, and 3.

Answer 1

@Shum Kenneth

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to allow a bunch of IPs and also let the Managed Rules process them.

This can be achieved by modifying your Custom Rules Implementation.

Rather than Allowing certain IPs , block the IPs that do not match this certain IPs.

Requirement:

if host header contains "website.example.com" -> allow
if ip contains 1.2.3.4 -> allow
if ip contains 1.3.4.5 -> allow
block everything else

Observation:

You should combine Rule 2 and 3 into a single one.
I don't think you can combine the requirement of having
- host header with any IP for site 1
  - and only certain IPs for site2
    - and still make the rule be processed by Managed Rules.
Instead you should consider having individual WAFs for individual sites, i.e, Listeners
Refer : Per-site WAF policies

By applying WAF policies to a listener, you can configure WAF settings for individual sites without the changes affecting every site. The most specific policy takes precedent. If there's a global policy, and a per-site policy (a WAF policy associated with a listener), then the per-site policy overrides the global WAF policy for that listener. Other listeners without their own policies will only be affected by the global WAF policy.

Implementation:

If does not Contain ------> DENY
- This means, If contains ------> let it be processed by next rules and then Managed Rules
This will DENY every IP that is not 1.2.3.4 or 1.3.4.5
And for IPs 1.2.3.4 or 1.3.4.5, this Custom Rule will not interact with the request at all and let the Managed Rules process the request.

For Host Header,

You should create a new WAF Policy and associate this to the site1 (which requires HOST Header Filtering)
For Host header, the logic is same as above

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Shum Kenneth 51 Reputation points

2023-08-18T06:29:25.32+00:00

thank you, Kapil.

That looks promising, I will give it a try.

Share via

azure application gateway waf v2

0 additional answers

Your answer