แก้ไข

แชร์ผ่าน


Configure a WAF policy by using Azure PowerShell

A web application firewall (WAF) policy defines the inspections that are required when a request arrives at Azure Front Door.

This article shows how to configure a WAF policy that consists of some custom rules and has the Azure-managed Default Rule Set enabled.

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

Before you begin to set up a rate limit policy, set up your PowerShell environment and create an Azure Front Door profile.

Set up your PowerShell environment

Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.

You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page to sign in with your Azure credentials. Then install the Az PowerShell module.

Sign in to Azure

Connect-AzAccount

Before you install the Azure Front Door module, make sure you have the current version of PowerShellGet installed. Run the following command and reopen PowerShell.

Install-Module PowerShellGet -Force -AllowClobber

Install the Az.FrontDoor module

Install-Module -Name Az.FrontDoor

Create an Azure Front Door profile

Create an Azure Front Door profile by following the instructions described in Quickstart: Create an Azure Front Door profile.

Custom rule based on HTTP parameters

The following example shows how to configure a custom rule with two match conditions by using New-AzFrontDoorWafMatchConditionObject. Requests are from a specified site as defined by referrer, and the query string doesn't contain password.

$referer = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestHeader -OperatorProperty Equal -Selector "Referer" -MatchValue "www.mytrustedsites.com/referpage.html"
$password = New-AzFrontDoorWafMatchConditionObject -MatchVariable QueryString -OperatorProperty Contains -MatchValue "password"
$AllowFromTrustedSites = New-AzFrontDoorWafCustomRuleObject -Name "AllowFromTrustedSites" -RuleType MatchRule -MatchCondition $referer,$password -Action Allow -Priority 1

Custom rule based on an HTTP request method

Create a rule blocking a PUT method by using New-AzFrontDoorWafCustomRuleObject.

$put = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestMethod -OperatorProperty Equal -MatchValue PUT
$BlockPUT = New-AzFrontDoorWafCustomRuleObject -Name "BlockPUT" -RuleType MatchRule -MatchCondition $put -Action Block -Priority 2

Create a custom rule based on size constraint

The following example creates a rule blocking requests with a URL that's longer than 100 characters by using Azure PowerShell.

$url = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestUri -OperatorProperty GreaterThanOrEqual -MatchValue 100
$URLOver100 = New-AzFrontDoorWafCustomRuleObject -Name "URLOver100" -RuleType MatchRule -MatchCondition $url -Action Block -Priority 3

Add a managed Default Rule Set

The following example creates a managed Default Rule Set by using Azure PowerShell.

$managedRules =  New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version 1.0

Configure a security policy

Find the name of the resource group that contains the Azure Front Door profile by using Get-AzResourceGroup. Next, configure a security policy with created rules in the previous steps by using New-AzFrontDoorWafPolicy in the specified resource group that contains the Azure Front Door profile.

$myWAFPolicy=New-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $resourceGroupName -Customrule $AllowFromTrustedSites,$BlockPUT,$URLOver100 -ManagedRule $managedRules -EnabledState Enabled -Mode Prevention

Link the security policy object to an existing Azure Front Door front-end host and update Azure Front Door properties. First, retrieve the Azure Front Door object by using Get-AzFrontDoor. Next, set the front-end WebApplicationFirewallPolicyLink property to the resourceId of the $myWAFPolicy$ created in the previous step by using Set-AzFrontDoor.

Note

For Azure Front Door Standard and Premium, you should use Get-AzFrontDoorCdnProfile.

The following example uses the resource group name myResourceGroupFD1 with the assumption that you've created the Azure Front Door profile by using instructions provided in Quickstart: Create an Azure Front Door. Also, in the following example, replace $frontDoorName with the name of your Azure Front Door profile.

   $FrontDoorObjectExample = Get-AzFrontDoor `
     -ResourceGroupName myResourceGroupFD1 `
     -Name $frontDoorName
   $FrontDoorObjectExample[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $myWAFPolicy.Id
   Set-AzFrontDoor -InputObject $FrontDoorObjectExample[0]

Note

You only need to set the WebApplicationFirewallPolicyLink property once to link a security policy to an Azure Front Door front end. Subsequent policy updates are automatically applied to the front end.

Next steps