Azure 應用程式閘道 Web 應用程式防火牆 (WAF) 中的 Azure 受控 預設規則集 (DRS) 可保護 Web 應用程式免於常見弱點和惡意探索,包括 OWASP 前 10 名攻擊類型。 默認規則集也會納入 Microsoft 威脅情報收集規則。 建議您一律執行 最新的規則集版本,其中包括最新的安全性更新、規則增強功能和修正。
Azure 受控預設規則集 (DRS) 是 Azure WAF 中最新一代的規則集,取代所有先前的核心規則集 (CRS) 版本。 在 DRS 版本中,請一律使用可用的最高版本 (例如,發行時的 DRS 2.2),以確保您擁有最 up-to的保護。
本文提供將 Azure WAF 原則升級至 DRS 2.1 的 PowerShell 範例。 雖然這些範例專門參考了 DRS 2.1,但您應該始終升級到最新的可用 DRS 版本,以確保最大程度的保護。
備註
PowerShell 程式碼片段只是範例。 將所有預留位置取代為環境中的值。
先決條件
具有有效訂閱的 Azure 帳戶。 免費建立帳戶。
套用核心規則集 (CRS) 或預設規則集 (DRS) 的現有 Azure WAF 原則。 如果您還沒有 WAF 原則,請參閱 建立應用程式閘道的 Web 應用程式防火牆原則。
本 機安裝的最新版本 Azure PowerShell。 本文需要 Az.Network 模組。
升級時的關鍵考量
升級 Azure WAF 規則集版本時,請務必:
保留現有的自訂:繼承您的規則動作覆寫、規則狀態 (啟用/停用) 覆寫和排除。
安全地驗證新規則:確保新新增的規則最初設定為 日誌模式,以便您可以在啟用封鎖之前監控其影響並微調它們。
準備您的環境和變數
設定所選訂用帳戶、資源群組和 Azure WAF 原則的內容。
Import-Module Az.Network Set-AzContext -SubscriptionId "<subscription_id>" $resourceGroupName = "<resource_group>" $wafPolicyName = "<policy_name>"取得 WAF 原則物件並擷取其定義。
$wafPolicy = Get-AzApplicationGatewayFirewallPolicy ` -Name $wafPolicyName ` -ResourceGroupName $resourceGroupName $currentExclusions = $wafPolicy.ManagedRules.Exclusions $currentManagedRuleset = $wafPolicy.ManagedRules.ManagedRuleSets | Where-Object { $_.RuleSetType -eq "OWASP" } $currentVersion = $currentManagedRuleset.RuleSetVersion
保留現有的自訂
請勿複製適用於 DRS 2.1 中移除規則的覆寫或排除項目。 下列函式會檢查規則是否已移除:
function Test-RuleIsRemovedFromDRS21 { param ( [string]$RuleId, [string]$CurrentRulesetVersion ) $removedRulesByCrsVersion = @{ "3.0" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920130", "920140", "920250", "921100", "800100", "800110", "800111", "800112", "800113" ) "3.1" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920130", "920140", "920250", "800100", "800110", "800111", "800112", "800113", "800114" ) "3.2" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920250", "800100", "800110", "800111", "800112", "800113", "800114" ) } # If the version isn't known, assume rule has not been removed if (-not $removedRulesByCrsVersion.ContainsKey($CurrentRulesetVersion)) { return $false } return $removedRulesByCrsVersion[$CurrentRulesetVersion] -contains $RuleId }建立新的覆寫物件時,請使用 DRS 2.1 群組名稱。 下列函式會將舊版 CRS 群組名稱對映至 DRS 2.1 群組:
function Get-DrsRuleGroupName { param ( [Parameter(Mandatory = $true)] [string]$SourceGroupName ) $groupMap = @{ "REQUEST-930-APPLICATION-ATTACK-LFI" = "LFI" "REQUEST-931-APPLICATION-ATTACK-RFI" = "RFI" "REQUEST-932-APPLICATION-ATTACK-RCE" = "RCE" "REQUEST-933-APPLICATION-ATTACK-PHP" = "PHP" "REQUEST-941-APPLICATION-ATTACK-XSS" = "XSS" "REQUEST-942-APPLICATION-ATTACK-SQLI" = "SQLI" "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" = "FIX" "REQUEST-944-APPLICATION-ATTACK-JAVA" = "JAVA" "REQUEST-921-PROTOCOL-ATTACK" = "PROTOCOL-ATTACK" "REQUEST-911-METHOD-ENFORCEMENT" = "METHOD-ENFORCEMENT" "REQUEST-920-PROTOCOL-ENFORCEMENT" = "PROTOCOL-ENFORCEMENT" "REQUEST-913-SCANNER-DETECTION" = $null # No direct mapping "Known-CVEs" = "MS-ThreatIntel-CVEs" "General" = "General" } if ($groupMap.ContainsKey($SourceGroupName)) { return $groupMap[$SourceGroupName] } else { return $SourceGroupName # No known mapping } }使用下列 PowerShell 程式碼來定義規則的覆寫,從現有的規則集版本複製覆寫:
$groupOverrides = @() foreach ($group in $currentManagedRuleset.RuleGroupOverrides) { $mappedGroupName = Get-DrsRuleGroupName $group.RuleGroupName foreach ($existingRule in $group.Rules) { if (-not (Test-RuleIsRemovedFromDRS21 $existingRule.RuleId $currentVersion)) { `$existingGroup = $groupOverrides | Where-Object { $_.RuleGroupName -eq $mappedGroupName } if ($existingGroup) { if (-not ($existingGroup.Rules | Where-Object { $_.RuleId -eq $existingRule.RuleId })) { $existingGroup.Rules.Add($existingRule) } } else { $newGroup = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride ` -RuleGroupName $mappedGroupName ` -Rule @($existingRule) $groupOverrides += $newGroup } } } }使用下列 PowerShell 程式碼複製現有的排除項目,並將其套用至 DRS 2.1:
# Create new exclusion objects $newRuleSetExclusions = @() if ($currentExclusions -ne $null -and $currentExclusions.Count -gt 0) { foreach ($exclusion in $currentExclusions) { $newExclusion = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable $exclusion.MatchVariable ` -SelectorMatchOperator $exclusion.SelectorMatchOperator ` -Selector $exclusion.Selector # Migrate scopes: RuleSet, RuleGroup, or individual Rules if ($exclusion.ExclusionManagedRuleSets) { foreach ($scope in $exclusion.ExclusionManagedRuleSets) { # Create RuleGroup objects from existing RuleGroups $ruleGroups = @() foreach ($group in $scope.RuleGroups) { $drsGroupName = Get-DrsRuleGroupName $group.RuleGroupName if ($drsGroupName) { $exclusionRules = @() foreach ($rule in $group.Rules) { if (-not (Test-RuleIsRemovedFromDRS21 $rule.RuleId "3.2")) { $exclusionRules += New-AzApplicationGatewayFirewallPolicyExclusionManagedRule ` -RuleId $rule.RuleId } } if ($exclusionRules -ne $null -and $exclusionRules.Count -gt 0) { $ruleGroups += New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup ` -Name $drsGroupName ` -Rule $exclusionRules } else { $ruleGroups += New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup ` -Name $drsGroupName } } } # Create the ManagedRuleSet scope object with the updated RuleGroups if ($ruleGroups.Count -gt 0) { $newRuleSetScope = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet ` -Type "Microsoft_DefaultRuleSet" ` -Version "2.1" ` -RuleGroup $ruleGroups } # Add to the new exclusion object $newExclusion.ExclusionManagedRuleSets += $newRuleSetScope } } if (-not $newExclusion.ExclusionManagedRuleSets) { $newExclusion.ExclusionManagedRuleSets = @() } $newRuleSetExclusions += $newExclusion } }
安全地驗證新規則
升級時,新的 DRS 2.1 規則預設為作用中。 如果您的 WAF 處於 預防 模式,請先將新規則設定 為記錄 模式。 記錄模式可讓您在啟用封鎖之前檢閱記錄。
下列 PowerShell 定義適用於 DRS 2.1 中引進的規則,與每個 CRS 版本相比:
# Added in DRS 2.1 compared to CRS 3.0 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920121", "920171", "920181", "920341", "920470", "920480", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "RCE" = @("932180") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941101", "941360", "941370", "941380") "SQLI" = @("942361", "942470", "942480", "942500", "942510") "JAVA" = @("944100", "944110", "944120", "944130", "944200", "944210", "944240", "944250") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }# Added in DRS 2.1 compared to CRS 3.1 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920181", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941360", "941370", "941380") "SQLI" = @("942500", "942510") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }# Added in DRS 2.1 compared to CRS 3.2 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920181", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941360", "941370", "941380") "SQLI" = @("942100", "942500", "942510") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }使用下列 PowerShell 程式碼,將新的規則覆寫新增至先前定義的現有
$groupOverrides物件:foreach ($groupName in $rulesAddedInDRS21.Keys) { $ruleOverrides = @() foreach ($ruleId in $rulesAddedInDRS21[$groupName]) { $alreadyExists = $existingOverrides | Where-Object { $_.RuleId -eq $ruleId } if (-not $alreadyExists) { $ruleOverrides += New-AzApplicationGatewayFirewallPolicyManagedRuleOverride ` -RuleId $ruleId ` -Action "Log" ` -State "Enabled" } } # Only create group override if we added rules to it if ($ruleOverrides.Count -gt 0) { $groupOverrides += New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride ` -RuleGroupName $groupName ` -Rule $ruleOverrides } }
套用自訂和升級
定義更新的 Azure WAF 原則物件,合併重複和更新的規則覆寫和排除:
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
-RuleSetType "Microsoft_DefaultRuleSet" `
-RuleSetVersion "2.1" `
-RuleGroupOverride $groupOverrides
for ($i = 0; $i -lt $wafPolicy.ManagedRules.ManagedRuleSets.Count; $i++) {
if ($wafPolicy.ManagedRules.ManagedRuleSets[$i].RuleSetType -eq "OWASP") {
$wafPolicy.ManagedRules.ManagedRuleSets[$i] = $managedRuleSet
break
}
}
# Assign to policy
if ($newRuleSetExclusions) {
$wafPolicy.ManagedRules.Exclusions = $currentExclusions + $newRuleSetExclusions
}
# Apply the updated WAF policy
Set-AzApplicationGatewayFirewallPolicy -InputObject $wafPolicy