Enabling Web Application Firewall Diagnostic Logs
Difficulty: Intermediate
Duration: 54m
Students: 693
Ratings: 5/5
Description

Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.

In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.

Learning Objectives

  • Configuring detection or prevention mode
  • Implementing a WAF policy
  • Associating a WAF policy
  • Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
  • Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined

Intended Audience

  • System administrators with responsibilities for managing web applications
  • Security professionals responsible for securing Azure web applications
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam

Prerequisites

  • A basic understanding of networking and security principles
  • An Azure subscription (sign up for a free trial at https://azure.microsoft.com/free/ if you don’t have a subscription)
Transcript

Logs are an indispensable tool for troubleshooting issues with a firewall. In this lecture, we review options for logging with the web application firewall. There are four types of logs available for collecting data from the application gateway. The activity log is a collection of management operations submitted to the application gateway. The access resource log is a collection of application gateway access information such as client IP, request URL, return code, and bytes in and out. The performance resource log holds performance information about the application gateway, such as requests served, throughput, failed request count, and backend pool status.

There's also a firewall resource log that tracks requests coming through the firewall policy while in detection or prevention mode. The Azure Front Door service has three options available for logging. Like the application gateway, there's an activity log that collects management actions on the Front Door service. The Front Door access log records all requests made through Front Door. The last option, the Front Door Web Application Firewall log, records requests that match a web application firewall policy rule.

There are four logging options available for Azure Front Door and the application gateway. Data can be logged to a storage account, which is useful for long-term data retention. Log files can be streamed to an Event Hub, which can then be used to forward logs to a third-party security information and event management tool. We can log directly to Log Analytics, Azure's logging platform that's part of Azure Monitor; the data can then be monitored and reviewed from Azure Monitor. There are also a number of partner solutions we can send data to. These are non-Microsoft managed logging solutions, including Apache Kafka for Confluent Cloud, Datadog, Elastic, and logz.io.

Coming up next, we'll demonstrate how to configure logging to a storage account with Application Gateway, then review the log for blocked connection attempts. To follow along, you will need access to an Azure subscription with rights to add resources, as well as a web application firewall policy configured and associated with an Application Gateway, similar to the configuration in the previous demonstration. Also required is a storage account to send the log files to. Please join me in the Azure Portal to get started.
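The log review step described above, as an added example that is not part of the course or of any Microsoft tooling: a small Python script that reads the newline-delimited JSON records Application Gateway writes to the storage account (one PT1H.json blob per hour), keeps only the ApplicationGatewayFirewallLog category, counts entries by action, and lists the blocked transactions together with the rules that fired on them. The resource IDs, client IPs, URIs and transaction IDs in the sample are constructed for this example; the field names (clientIp, requestUri, ruleId, action, transactionId) follow the firewall log schema. The example assumes the documented action values: in prevention mode a blocked request appears as one or more Matched entries followed by a Blocked entry for the anomaly-scoring rule, all sharing one transactionId, while detection mode produces Detected entries only.

```python
import json
from collections import Counter

FIREWALL_CATEGORY = "ApplicationGatewayFirewallLog"

# Constructed resource IDs (nil subscription GUID, made-up resource names).
_APPGW_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
             "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-DEMO")
_POLICY_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
              "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYWEBAPPLICATIONFIREWALLPOLICIES/WAFPOLICY-DEMO")


def _firewall_record(tx, client_ip, host, uri, rule_id, message, action):
    """Build one constructed firewall log record using the schema's field names."""
    return {
        "resourceId": _APPGW_ID,
        "operationName": "ApplicationGatewayFirewall",
        "category": FIREWALL_CATEGORY,
        "properties": {
            "instanceId": "appgw_1", "clientIp": client_ip, "clientPort": "",
            "requestUri": uri, "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            "ruleId": rule_id, "message": message, "action": action, "site": "Global",
            "details": {"message": "", "data": "", "file": "", "line": ""},
            "hostname": host, "transactionId": tx, "policyId": _POLICY_ID,
            "policyScope": "Global", "policyScopeName": "Global",
        },
    }


# Constructed sample of the newline-delimited JSON an hourly PT1H.json blob holds.
# tx-0001 is a prevention-mode block (Matched rule, then Blocked by the scoring
# rule); tx-0002 is a detection-mode entry. An access log record and a malformed
# line are included to exercise category filtering and the parser.
SAMPLE_LOG = "\n".join([
    json.dumps(_firewall_record("tx-0001", "203.0.113.10", "www.example.com",
                                "/search?q=1%27%20OR%201%3D1", "942100",
                                "SQL Injection Attack Detected via libinjection", "Matched")),
    json.dumps(_firewall_record("tx-0001", "203.0.113.10", "www.example.com",
                                "/search?q=1%27%20OR%201%3D1", "949110",
                                "Inbound Anomaly Score Exceeded (Total Score: 5)", "Blocked")),
    json.dumps(_firewall_record("tx-0002", "198.51.100.7", "192.0.2.5", "/",
                                "920350", "Host header is a numeric IP address", "Detected")),
    json.dumps({"resourceId": _APPGW_ID, "operationName": "ApplicationGatewayAccess",
                "category": "ApplicationGatewayAccessLog",
                "properties": {"clientIP": "203.0.113.10", "requestUri": "/", "httpStatus": 200}}),
    "this line is not JSON and must be skipped rather than abort the review",
]) + "\n"


def parse_records(text):
    """Parse NDJSON text, skipping blank and malformed lines instead of failing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def firewall_events(records):
    """Keep only WAF entries; access and performance records can share the same blob."""
    return [r for r in records if r.get("category") == FIREWALL_CATEGORY]


def action_counts(events):
    """Entries per action: Matched/Blocked (prevention mode) or Detected (detection mode)."""
    return Counter(e["properties"].get("action", "Unknown") for e in events)


def blocked_requests(events):
    """One row per Blocked entry: which client, host and URI, and which rule blocked it."""
    rows = []
    for e in events:
        p = e["properties"]
        if p.get("action") != "Blocked":
            continue
        rows.append({"transactionId": p.get("transactionId"), "clientIp": p.get("clientIp"),
                     "hostname": p.get("hostname"), "requestUri": p.get("requestUri"),
                     "ruleId": p.get("ruleId"), "message": p.get("message")})
    return rows


def rules_for_transaction(events, transaction_id):
    """Every rule that fired on one transaction, so a block can be traced back to the
    Matched rules that raised the anomaly score."""
    return sorted(e["properties"]["ruleId"] for e in events
                  if e["properties"].get("transactionId") == transaction_id)


if __name__ == "__main__":
    events = firewall_events(parse_records(SAMPLE_LOG))
    print("entries by action:", dict(action_counts(events)))
    for row in blocked_requests(events):
        print("blocked:", row["clientIp"], row["hostname"], row["requestUri"],
              "rules:", rules_for_transaction(events, row["transactionId"]))
```

To run it against a real export, replace SAMPLE_LOG with the contents of a downloaded PT1H.json blob; the functions take the text as-is. Grouping by transactionId is what makes the review useful: the Blocked entry alone only names the scoring rule, while the sibling Matched entries show which signature actually triggered, which is what you need to decide whether a block is a true positive or a rule that needs a custom exclusion.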

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.