Muokkaa

Jaa


Customize Web Application Firewall rules using the Azure CLI

The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. These protections are provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). Some rules can cause false positives and block real traffic. For this reason, Application Gateway provides the capability to customize rule groups and rules. For more information on the specific rule groups and rules, see List of Web Application Firewall CRS rule groups and rules.

View rule groups and rules

The following code examples show how to view rules and rule groups that are configurable.

View rule groups

The following example shows how to view the rule groups:

az network application-gateway waf-config list-rule-sets --type OWASP

The following output is a truncated response from the preceding example:

[
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_3.0",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
    "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "REQUEST-910-IP-REPUTATION",
        "rules": null
      },
      ...
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  },
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_2.2.9",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
   "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "crs_20_protocol_violations",
        "rules": null
      },
      ...
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "2.2.9",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  }
]

View rules in a rule group

The following example shows how to view rules in a specified rule group:

az network application-gateway waf-config list-rule-sets --group "REQUEST-910-IP-REPUTATION"

The following output is a truncated response from the preceding example:

[
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_3.0",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
    "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "REQUEST-910-IP-REPUTATION",
        "rules": [
          {
            "description": "Rule 910011",
            "ruleId": 910011
          },
          ...
        ]
      }
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  }
]

Disable rules

The following example disables rules 910018 and 910017 on an application gateway:

az network application-gateway waf-config set --resource-group AdatumAppGatewayRG --gateway-name AdatumAppGateway --enabled true --rule-set-version 3.0 --disabled-rules 910018 910017

Mandatory rules

The following list contains conditions that cause the WAF to block the request while in Prevention Mode (in Detection Mode they're logged as exceptions). These conditions can't be configured or disabled:

  • Failure to parse the request body results in the request being blocked, unless body inspection is turned off (XML, JSON, form data)
  • Request body (with no files) data length is larger than the configured limit
  • Request body (including files) is larger than the limit
  • An internal error happened in the WAF engine

CRS 3.x specific:

  • Inbound anomaly score exceeded threshold

Next steps

After you configure your disabled rules, you can learn how to view your WAF logs. For more information, see Application Gateway diagnostics.