Web Application Firewall Overview
Configuring Web Application Firewall
The course is part of these learning paths
Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.
In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.
- Configuring detection or prevention mode
- Implementing a WAF policy
- Associating a WAF policy
- Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
- Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined
- System administrators with responsibilities for managing web applications
- Security professionals responsible for securing Azure web applications
- Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam
- A basic understanding of networking and security principles
- An Azure subscription (sign up for a free trial at https://azure.microsoft.com/free/ if you don’t have a subscription)
Here we are in the portal. Let's start by implementing a Web Application Firewall policy for Azure Front Door. From create a resource, search for WAF. Go to Web Application Firewall. And create. This policy is for global WAF Front Door. Set the Front Door SKU to match the version that was implemented. Front Door for this example. Verify the subscription and create a new resource group. This example will use DemoFrontDoorRG. Give the policy a name. This example uses DemoFrontDoor. Set the location, Central US for this example. Leave the policy state as enabled and change the policy mode to prevention. This will enforce the policy.
Setting a new policy to prevention is fine for a demo but you may wanna leave it set to detection and monitor it first when deploying a new policy in production. Let's go to association next. We'll associate this policy to the Front Door instance when we deploy it. Select your Front Door instance and host. And click Add. Go to review + create. Create the policy once it's validated. This will take a minute to finish. I'll pause here and come back once it's done. That finished, let's go to the resource. Next, let's create a custom response code. This will replace the default 403 message users get when traffic is blocked. Go to policy settings in the policy. In the block response body, add the following HTML code. This will display a message that the user is blocked. The code azure-ref surrounded by double curly brackets will return a unique reference string in the response that matches the tracking references in the logs. Once that's entered, click save. We'll verify functionality shortly.
Before that, let's go to managed rules. Here we are in managed rules. We can select any of the rules and once selected, we get the option to enable or disable. Notice, this rule is set to the action block. If we go to change action, we can change it to allow, log or redirect. If we click redirect, it gives us a field for the redirect URL. Let's cancel. Next, go to assign. This is where we assign or change the default rule set. DefaultRuleSet_1.0 is selected. We can change that by selecting the dropdown. We have the option for the Microsoft_DefaultRuleSet and a preview rule set. Let's select the Microsoft rule set. By default, the new policy doesn't have bot protection enabled. To add it, select a bot protection option under additional rule sets. We'll select Microsoft_BotManagerRuleSet for this example. When selected, click Save. Now we have Microsoft_BotManagerRuleSet and Microsoft_DefaultRuleSet enabled.
Let's go to custom rules next. Before we create a custom rule, let's verify Front Door works from this computer by going to the Front Door URL. It shows the default website for our web app. That shows the website is running. Let's go back to the portal and from custom rules, we'll add a custom rule. Notice, this is a similar layout to the custom rules for an Application Gateway Web Application Firewall. To test our custom response, we'll create a rule that blocks traffic from the US. Give it a name, BlockUS, for this example, set the priority. 10 will work for this example. Set the match type to geolocation and leave the operation set to is. Select US from the country or region. Click add to add the rule. And click save to apply the rule. That applied. Let's see if that took effect.
Open up the Front Door URL. It may take a couple minutes for the change to replicate. Once replicated, you'll see the block message along with a reference ID. Good, the error message works. In production, that ID could be used to identify what rule is blocking the connection. Let's go back to custom rules. Let's modify this rule. There's no site hosted on this instance of Front Door yet. Maybe instead of a block message, we could send them to a more useful site. Let's change the rule name to RedirectUS. Leave the rest as is and go down to action. Instead of deny traffic, select redirect traffic. We'll use a much more helpful link for this example. Let's add the URL for cloudacademy.com. Update the rule and save the changes. That updated.
Let's try the Front Door URL again. Remember, it could take a couple minutes for the change to replicate. Now instead of an error message, US-based users are redirected to a different website. That is how to implement and associate a policy, create a custom response code and configure managed and custom rules in a Web Application Firewall policy for Azure Front Door.
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.