Is it worth using WAF policies?

JMN-2253 596 Reputation points
2022-09-08T21:05:34.697+00:00

I am working with a big customer.

We are deploying AG + WAF.

The number of reported blocked requests is not normal.

The customer is surprised, as his code is not really bad.

Do we know of any tool, MS or 3rd party, to inspect their websites to prove that the WAF is doing its job and the websites' code is bad?

Azure Application Gateway
Azure Web Application Firewall

Accepted answer
  1. David Broggy 5,716 Reputation points MVP
    2022-09-08T21:25:43.463+00:00

    Hi Jan!

    afaik Microsoft does not have a web application testing tool.

    I work for a company that offers that service, so if there was a Microsoft 'professional' tool we'd probably be using it.

    If you google/Bing "web application testing tool free" you'll get plenty of hits.

    Microsoft's WAF is based on Mod_Security - it can generate a lot of false positives, and it does have a learning curve if you want to really understand it.

    WAF is the way to go if you need surgical blocking at the DOM level.

    But don't expect WAF to work well unless you understand exactly what the enabled rules are doing. (respectfully speaking!)
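
To see which enabled rules actually sit behind the blocks discussed in this thread, the gateway's own firewall log can be grouped by rule and URI. The script below is an added example, not part of the original answer. It assumes records exported one JSON object per line, with the `properties` fields of the `ApplicationGatewayFirewallLog` diagnostic category (`transactionId`, `ruleId`, `action`, `requestUri`), and the sample records are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, shaped like
# ApplicationGatewayFirewallLog entries. All values are made up.
SAMPLE_LOG = """
{"properties": {"transactionId": "t1", "ruleId": "942130", "action": "Matched", "requestUri": "/api/search"}}
{"properties": {"transactionId": "t1", "ruleId": "942100", "action": "Matched", "requestUri": "/api/search"}}
{"properties": {"transactionId": "t1", "ruleId": "949110", "action": "Blocked", "requestUri": "/api/search"}}
{"properties": {"transactionId": "t2", "ruleId": "942130", "action": "Matched", "requestUri": "/api/search"}}
{"properties": {"transactionId": "t2", "ruleId": "949110", "action": "Blocked", "requestUri": "/api/search"}}
{"properties": {"transactionId": "t3", "ruleId": "920350", "action": "Matched", "requestUri": "/"}}
{"properties": {"transactionId": "t4", "ruleId": "941100", "action": "Matched", "requestUri": "/comments"}}
{"properties": {"transactionId": "t4", "ruleId": "949110", "action": "Blocked", "requestUri": "/comments"}}
"""

# In CRS anomaly-scoring mode the block is logged by this summary rule,
# not by the rules that raised the score.
ANOMALY_BLOCK_RULE = "949110"


def triage(log_text):
    """Return (Counter of (ruleId, requestUri) behind blocks, blocked count)."""
    by_txn = defaultdict(list)
    blocked = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        props = json.loads(line).get("properties", {})
        txn = props.get("transactionId")
        by_txn[txn].append(props)
        if props.get("action") == "Blocked":
            blocked.add(txn)

    counts = Counter()
    for txn in blocked:
        for props in by_txn[txn]:
            # Count the rules that contributed, not the summary block rule.
            if props.get("ruleId") != ANOMALY_BLOCK_RULE:
                counts[(props.get("ruleId"), props.get("requestUri"))] += 1
    return counts, len(blocked)


if __name__ == "__main__":
    counts, n_blocked = triage(SAMPLE_LOG)
    print(f"{n_blocked} blocked transactions")
    for (rule_id, uri), n in counts.most_common():
        print(f"{n:4d}  rule {rule_id}  {uri}")
```

A rule ID that dominates the count on a single legitimate endpoint is the first candidate to review as a false positive before deciding on an exclusion or a code change.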

