Azure Gateway WAF policy does not work with Application Gateway

Frank Schullerer 141 Reputation points
2022-02-11T12:09:18.137+00:00

Hey,

If I create an application gateway directly with a WAF V2 configuration, like here:

[Screenshot: 173582-bildschirmfoto-2022-02-11-um-124246.png]

malicious requests are blocked with HTTP code 403 as expected (also seen in the logs). Everything works.

But if I create an "Application Gateway WAF policy" and connect it to an Application Gateway, like here:

[Screenshot: 173554-bildschirmfoto-2022-02-11-um-124152.png]

[Screenshot: 173585-bildschirmfoto-2022-02-11-um-124212.png]

absolutely nothing is blocked (tested with the same requests),
and there is also no block message in the logs. Can someone please give me a hint about what I am doing wrong?

Thanks in advance

Frank


Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
    2022-02-15T06:20:57.88+00:00

    Hello @Frank Schullerer, if I have understood the question correctly, you have associated a WAF policy with your application gateway, but none of the requests are blocked and no block messages are logged. This issue might be because the WAF policy is not correctly associated with the App Gateway.

    As per the documentation here, the new WAF policy associated with the App Gateway must be exactly the same as the current WAF config, meaning every custom rule, exclusion, disabled rule, etc. must be copied into the new policy you are creating. Once you have a policy associated with your Application Gateway, you can continue to make changes to your WAF rules and settings.

    If you don't want to copy everything into a policy that is exactly the same as your current config, you can set the WAF into "force" mode. If this is the case, run the PowerShell commands below and see if the policy is then associated correctly.

       # Load the gateway once and keep working on that same object: the force flag
       # is only persisted if it is written back in the same Set-AzApplicationGateway
       # call as the policy reference (re-fetching the gateway into a second
       # variable would silently drop it).
       $appgw = Get-AzApplicationGateway -Name <your Application Gateway name> -ResourceGroupName <your Resource Group name>  
       # Let the policy replace the gateway's built-in WAF config even when the two differ
       $appgw.ForceFirewallPolicyAssociation = $true  
      
       # Fetch the policy and make sure it is saved, then point the gateway at it
       $policy = Get-AzApplicationGatewayFirewallPolicy -Name <WAF policy name> -ResourceGroupName <your Resource Group name>  
       Set-AzApplicationGatewayFirewallPolicy -InputObject $policy  
       $appgw.FirewallPolicy = $policy  
       # Write the force flag and the policy association back to Azure together
       Set-AzApplicationGateway -ApplicationGateway $appgw  
    

    Hope this helps! Please let me know if the issue still persists; I will be glad to continue our discussion. Thank you!

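The following is an added, end-to-end example of the procedure the accepted answer describes; it is not code from the question, the answer, or Microsoft's documentation. It creates a WAF policy in Prevention mode, associates it with an existing WAF_v2 gateway with the force flag set on the same object that is written back, and then verifies the association from the API and with one known-bad request, so that the "nothing is blocked" symptom can be distinguished from a policy that is merely in Detection mode. The resource group, region, gateway name, policy name, FQDN and the CRS version are placeholders chosen for this example.

```powershell
# Added example (not the page's own code). All names below are assumptions.
$rg         = "rg-waf-demo"
$location   = "westeurope"
$gwName     = "appgw-waf-demo"
$policyName = "wafpol-demo"
$gwFqdn     = "appgw-waf-demo.westeurope.cloudapp.azure.com"

# 1. Policy settings: Enabled + Prevention is what actually returns 403.
#    Detection mode only logs matches, which looks exactly like "nothing is blocked".
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled

# 2. Managed rule set. OWASP CRS 3.2 is assumed here; use the same version the
#    gateway's built-in WAF config had so the policy behaves the same way.
$ruleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet

# 3. Create the policy, or reuse it if it already exists.
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg `
        -Location $location -PolicySetting $settings -ManagedRule $managedRule
}

# 4. Associate. Keep ONE gateway object: the force flag and the policy reference
#    must go back to Azure in the same Set-AzApplicationGateway call.
$appgw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$appgw.ForceFirewallPolicyAssociation = $true
$appgw.FirewallPolicy = $policy
$appgw = Set-AzApplicationGateway -ApplicationGateway $appgw

# 5. Verify from the API rather than the portal: the gateway must reference the
#    policy's resource ID, and the policy must be Enabled and in Prevention mode.
$appgw  = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg
if ($appgw.FirewallPolicy.Id -ne $policy.Id) {
    throw "Gateway $gwName is not linked to policy $policyName"
}
if ($policy.PolicySettings.State -ne "Enabled" -or $policy.PolicySettings.Mode -ne "Prevention") {
    throw "Policy is $($policy.PolicySettings.State)/$($policy.PolicySettings.Mode); expected Enabled/Prevention"
}

# 6. Functional check: an obvious XSS payload in the query string should be
#    answered with HTTP 403 by the WAF instead of reaching the backend.
$badUri = "https://$gwFqdn/?q=<script>alert(1)</script>"
try {
    $resp   = Invoke-WebRequest -Uri $badUri -UseBasicParsing -ErrorAction Stop
    $status = [int]$resp.StatusCode
} catch {
    # Both Windows PowerShell and PowerShell 7 expose the status code on the response
    $status = [int]$_.Exception.Response.StatusCode
}
if ($status -eq 403) {
    "WAF policy is associated and blocking (HTTP $status)"
} else {
    Write-Warning "Got HTTP $status; the policy is probably in Detection mode or not associated"
}
```

Step 6 is the check worth keeping around: it reproduces the exact symptom from the question (same request, is it 403 or not) without relying on the portal view. Note also that WAF block entries only appear in diagnostics when the ApplicationGatewayFirewallLog category is enabled in the gateway's diagnostic settings; with that category off, a correctly blocking WAF still shows no block messages in the logs.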
