Frequently asked questions for Azure Web Application Firewall on Application Gateway

This article answers common questions about Azure Web Application Firewall (WAF) on Application Gateway features and functionality.

What is Azure WAF?

Azure WAF is a web application firewall that helps protect your web applications from common threats such as SQL injection, cross-site scripting, and other web exploits. You can define a WAF policy consisting of a combination of custom and managed rules to control access to your web applications.

An Azure WAF policy can be applied to web applications hosted on Application Gateway or Azure Front Door.

What features does the WAF SKU support?

The WAF SKU supports all the features available in the Standard SKU.

How do I monitor WAF?

Monitor WAF through diagnostic logging. For more information, see Diagnostic logging and metrics for Application Gateway.

Does detection mode block traffic?

No. Detection mode only logs traffic that triggers a WAF rule.

Can I customize WAF rules?

Yes. For more information, see Customize WAF rule groups and rules.

What rules are currently available for WAF?

WAF currently supports CRS 3.2, 3.1 and 3.0. These rules provide baseline security against most of the top 10 vulnerabilities that Open Web Application Security Project (OWASP) identifies:

  • SQL injection protection
  • Cross-site scripting protection
  • Protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attack
  • Protection against HTTP protocol violations
  • Protection against HTTP protocol anomalies such as missing host user-agent and accept headers
  • Prevention against bots, crawlers, and scanners
  • Detection of common application misconfigurations (that is, Apache, IIS, and so on)

For more information, see OWASP top 10 vulnerabilities.

CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS version. CRS 2.2.9 can't be used along with CRS 3.2/DRS 2.1 and greater versions.

What content types does WAF support?

Application Gateway WAF supports the following content types for managed rules:

  • application/json
  • application/xml
  • application/x-www-form-urlencoded
  • multipart/form-data

And for custom rules:

  • application/x-www-form-urlencoded
  • application/soap+xml, application/xml, text/xml
  • application/json
  • multipart/form-data

Does WAF support DDoS protection?

Yes. You can enable DDoS protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also protects the application gateway virtual IP (VIP).

Does WAF store customer data?

No, WAF doesn't store customer data.

How does the Azure WAF work with WebSockets?

Azure Application Gateway natively supports WebSocket. WebSocket on Azure WAF on Azure Application Gateway doesn't require any extra configuration to work. However, WAF doesn't inspect the WebSocket traffic. After the initial handshake between client and server, the data exchange between client and server can be of any format, for example binary or encrypted. So Azure WAF can't always parse the data, it just acts as a pass-through proxy for the data.

For more information, see Overview of WebSocket support in Application Gateway.

Next steps