Disable TCP and ICMP Timestamps on Azure Application Gateway

Hasan Shehzeb 20 Reputation points
2024-06-11T10:21:57.3466667+00:00

Hello,

I have an Application Gateway with WAFv2 that sits in front of my App Services. An audit revealed that TCP and ICMP timestamps are being disclosed. Can someone please assist me with disabling this feature? Thank you.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
988 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,164 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 48,511 Reputation points Microsoft Employee
    2024-06-11T11:29:19.8033333+00:00

    Hello @Hasan Shehzeb ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an Application Gateway with WAFv2 in front of your App Services and an audit revealed that TCP and ICMP timestamps are being disclosed. You would like to know if this can be disabled.

    This feature is currently not feasible.

    There is a feedback item submitted for the same in the below forum:

    https://feedback.azure.com/d365community/idea/55acd97c-8826-ec11-b6e6-000d3a4f0789

    If you believe this feature could enhance our services, I encourage you to upvote it and provide your input on the feedback portal mentioned above.

    NOTE: All the feedback shared in these forums are monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    I also checked with the Azure App service team and below is their statement for this:

    This is a low severity warning from most security scans, and it can be safely ignored. This feature cannot and will not be disabled or changed.

    Regarding this setting in Azure which uses Windows Server, the report indicates, “TCP timestamps cannot be reliably disabled on this OS.”

    The real risk is if you don’t update your machines and the uptime indicates the server hasn’t been restarted in a long time. Azure PaaS services undergo frequent patching, and the risk is really mitigated because that host level security falls within the responsibility of Azure.

    Refer: https://learn.microsoft.com/en-us/azure/security/fundamentals/paas-deployments

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/description-tcp-features#timestamps

    https://learn.microsoft.com/en-us/answers/questions/204356/disable-tcp-timestamp

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

0 additional answers

Sort by: Most helpful