
Enable Bot Protection for the Associated WAF Policy


Risk Level: High (not acceptable risk)
Rule ID: ApplicationGateway-005

Ensure that Bot Protection is enabled for the Web Application Firewall (WAF) policy associated with your Azure Application Gateway in order to block malicious automated traffic (i.e., bots), such as scanners, scrapers, and Denial-of-Service (DoS) tools.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling Bot Protection for the WAF policy attached to your Azure Application Gateway defends your web applications against automated clients that consume resources and probe for vulnerabilities. It assigns the Microsoft_BotManagerRuleSet managed rule set, whose bad-bot signatures are kept current by the Microsoft Threat Intelligence feed, so that known malicious bots are blocked while verified search engine crawlers continue to be allowed. This preserves application performance and availability and improves your overall security posture.


Audit

To determine if Bot Protection is enabled for the WAF policy configured for your Azure Application Gateway, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

05 Click on the name (link) of the Azure Application Gateway that you want to examine.

06 In the resource navigation panel, under Settings, select Web application firewall to examine the WAF security policy configured for the selected Application Gateway.

07 In the Associated web application firewall policy section, click on the name (link) of the WAF security policy associated with your Application Gateway to access the policy configuration.

08 In the WAF policy navigation panel, under Settings, choose Managed rules, to view the pre-configured security rules configured for the policy.

09 Select the Managed Rulesets tab and check the Rule Id column for rule IDs that belong to Microsoft_BotManagerRuleSet. If no such rules exist, Bot Protection is not enabled for the associated Web Application Firewall (WAF) policy. If they do, click on the rule set name to expand it and check the Status column of the rules in the Malicious bots (BadBots) group. If those rules are not enabled, i.e., their Status is set to Disabled, Bot Protection is not enabled for the WAF policy associated with the selected Azure Application Gateway.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network application-gateway list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Application Gateway available in the selected subscription:

az network application-gateway list
	--query '[*].id'

05 The command output should return the requested Application Gateway IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-prod-stack-application-gateway"
]

06 Run network application-gateway show command (Windows/macOS/Linux) with the ID of the Azure Application Gateway that you want to examine as the --ids parameter value and custom output filters to describe the ID of the WAF security policy associated with the selected Application Gateway:

az network application-gateway show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway"
	--query '{firewallPolicy:firewallPolicy.id}'

07 The command output should return the requested WAF policy ID. If the network application-gateway show command output returns null for "firewallPolicy", there are no WAF policies associated with your resource, therefore, Azure Web Application Firewall is not enabled for the selected Application Gateway. If the ID of the WAF policy is returned, as shown in the example below, continue the Audit process with the next step:

{
	"firewallPolicy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy"
}

08 Run network application-gateway waf-policy show command (Windows/macOS/Linux) to determine if Bot Protection is enabled for the associated Web Application Firewall (WAF) policy. For --name, use the WAF policy name included in the resource ID returned in the previous step (i.e., "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<waf-policy-name>"), and for --resource-group the resource group from the same ID:

az network application-gateway waf-policy show
	--name cc-app-gateway-waf-policy
	--resource-group cloud-shell-storage-westeurope
	--query "managedRules.managedRuleSets"

09 The command output should return the managed rule sets configured for the selected WAF policy:

[
	{
		"ruleGroupOverrides": [],
		"ruleSetType": "OWASP",
		"ruleSetVersion": "3.2"
	},
	{
		"ruleGroupOverrides": [],
		"ruleSetType": "Microsoft_BotManagerRuleSet",
		"ruleSetVersion": "1.1"
	}
]

Ensure that the network application-gateway waf-policy show command output returns a managed rule set with "ruleSetType" set to "Microsoft_BotManagerRuleSet", and that there is no "ruleGroupOverrides" entry for "ruleGroupName": "BadBots" whose rules have "state" set to "Disabled", as in the example above. If the command output does not return a rule set with "ruleSetType" set to "Microsoft_BotManagerRuleSet", or the "ruleGroupOverrides" entry for "ruleGroupName": "BadBots" contains a rule with "state" set to "Disabled", as in the example below, Bot Protection is not enabled for the WAF policy associated with the selected Azure Application Gateway. Note that the rule set only blocks traffic when the policy itself is active: if the same command with --query "policySettings" returns "state": "Disabled" or "mode": "Detection", requests matched by the bot rules are at most logged, never blocked:

[
	{
		"ruleGroupOverrides": [],
		"ruleSetType": "OWASP",
		"ruleSetVersion": "3.2"
	},
	{
		"ruleGroupOverrides": [
		{
			"ruleGroupName": "BadBots",
			"rules": [
			{
				"action": "Block",
				"ruleId": "100100",
				"state": "Disabled"
			}
			]
		}
		],
		"ruleSetType": "Microsoft_BotManagerRuleSet",
		"ruleSetVersion": "1.1"
	}
]
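The CLI steps above leave the actual decision to the reader's eyes. The following script, added here as an example and not part of Conformity's own check, applies that decision offline to the JSON that network application-gateway waf-policy show returns: it parses the WAF policy resource ID from step 07 into the --resource-group and --name values needed in step 08, then evaluates the policy document. The sample documents are constructed from the page's own sample outputs (the identifiers are the page's placeholders, not real resources). Beyond the rule's check (Bot Manager rule set assigned, BadBots rules not Disabled) it also flags a BadBots rule overridden to Log and a policy whose state or mode means no rule set blocks anything; the function, file and variable names are this example's own.

```python
"""Decide whether an Application Gateway WAF policy actually enforces Bot Protection.

Added example, not Conformity's own check. Evaluates the JSON returned by
`az network application-gateway waf-policy show -g <rg> -n <name> -o json`,
either piped on stdin, given as a file path, or (with no input) the constructed
samples below.
"""
import json
import re
import sys

# Shape of the ID that `az network application-gateway show --query firewallPolicy.id` returns.
_POLICY_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/ApplicationGatewayWebApplicationFirewallPolicies/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_policy_id(policy_id):
    """Return (resource_group, policy_name) for `waf-policy show --resource-group/--name`."""
    m = _POLICY_ID_RE.match(policy_id)
    if m is None:
        raise ValueError(f"not an Application Gateway WAF policy ID: {policy_id}")
    return m.group("rg"), m.group("name")


def bot_protection_findings(policy):
    """Return a list of findings; an empty list means Bot Protection is assigned and enforced.

    `policy` is the full parsed `waf-policy show` document, not just managedRuleSets.
    """
    findings = []
    rule_sets = policy.get("managedRules", {}).get("managedRuleSets", [])
    bot_sets = [rs for rs in rule_sets if rs.get("ruleSetType") == "Microsoft_BotManagerRuleSet"]
    if not bot_sets:
        return ["Microsoft_BotManagerRuleSet is not assigned to the policy"]

    # Overrides can switch individual BadBots rules off or downgrade them to Log.
    for rs in bot_sets:
        for group in rs.get("ruleGroupOverrides", []):
            if group.get("ruleGroupName") != "BadBots":
                continue
            for rule in group.get("rules", []):
                rule_id = rule.get("ruleId")
                if rule.get("state") == "Disabled":
                    findings.append(f"BadBots rule {rule_id} is Disabled")
                elif rule.get("action") == "Log":
                    findings.append(f"BadBots rule {rule_id} is set to Log rather than Block")

    # A disabled policy, or one in Detection mode, never blocks, whatever rule sets it carries.
    settings = policy.get("policySettings", {})
    if settings.get("state") != "Enabled":
        findings.append(f"policy state is {settings.get('state')!r}, not Enabled")
    if settings.get("mode") != "Prevention":
        findings.append(f"policy mode is {settings.get('mode')!r}, not Prevention")
    return findings


# Constructed samples modelled on the page's sample CLI output (placeholder IDs, not real resources).
SAMPLE_POLICY_ID = (
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
    "/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy"
)
_OWASP = {"ruleGroupOverrides": [], "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}
_BOT = {"ruleGroupOverrides": [], "ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.1"}
_BOT_100100_DISABLED = {
    "ruleGroupOverrides": [{"ruleGroupName": "BadBots",
                            "rules": [{"action": "Block", "ruleId": "100100", "state": "Disabled"}]}],
    "ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.1",
}


def _policy(rule_sets, state="Enabled", mode="Prevention"):
    return {"managedRules": {"exclusions": [], "managedRuleSets": rule_sets},
            "policySettings": {"state": state, "mode": mode}}


COMPLIANT_POLICY = _policy([_OWASP, _BOT])
NO_BOT_RULESET_POLICY = _policy([_OWASP])
BADBOTS_DISABLED_POLICY = _policy([_OWASP, _BOT_100100_DISABLED])
# Rule set assigned, but the policy is Disabled and in Detection mode, as in the page's remediation output.
DISABLED_POLICY = _policy([_OWASP, _BOT], state="Disabled", mode="Detection")


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            samples = {argv[1]: json.load(fh)}
    elif not sys.stdin.isatty():
        samples = {"stdin": json.load(sys.stdin)}
    else:
        samples = {"compliant": COMPLIANT_POLICY, "no-bot-ruleset": NO_BOT_RULESET_POLICY,
                   "badbots-disabled": BADBOTS_DISABLED_POLICY, "policy-disabled": DISABLED_POLICY}
    rg, name = parse_policy_id(SAMPLE_POLICY_ID)
    print(f"sample policy id -> --resource-group {rg} --name {name}")
    exit_code = 0
    for label, policy in samples.items():
        findings = bot_protection_findings(policy)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
        exit_code = exit_code or (1 if findings else 0)
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into the CLI steps above, the audit for one gateway becomes: take firewallPolicy.id from step 07, split it with parse_policy_id, run waf-policy show with -o json and pipe the result into this script; a non-zero exit means at least one finding. Applying the state and mode checks on top of the rule's own check matters because the page's remediation output itself shows a policy with "state": "Disabled" and "mode": "Detection", where the newly assigned rule set blocks nothing.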

Remediation / Resolution

To enable the Bot Protection feature for the Web Application Firewall (WAF) policy associated with your Azure Application Gateway, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

05 Click on the name (link) of the Azure Application Gateway that you want to configure.

06 In the resource navigation panel, under Settings, select Web application firewall to access the WAF security policy configured for the selected Application Gateway.

07 In the Associated web application firewall policy section, click on the name (link) of the WAF security policy associated with your Application Gateway.

08 In the WAF policy navigation panel, under Settings, choose Managed rules, to access the pre-configured security rule sets available for the policy.

09 Select the Managed Rulesets tab, choose Assign, select the Microsoft_BotManagerRuleSet_1.1 rule set from the Bot Management ruleset dropdown list, and choose Save to apply the configuration changes. This will enable Bot Protection for the WAF policy associated with the selected Azure Application Gateway. Bot Protection uses Microsoft Threat Intelligence to automatically identify and filter out known bad bots.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network application-gateway waf-policy managed-rule rule-set add command (Windows/macOS/Linux) to assign the Microsoft_BotManagerRuleSet_1.1 managed rule set to the specified WAF policy. This will enable Bot Protection for the WAF policy associated with your Azure Application Gateway:

az network application-gateway waf-policy managed-rule rule-set add
	--policy-name cc-app-gateway-waf-policy
	--resource-group cloud-shell-storage-westeurope
	--type Microsoft_BotManagerRuleSet
	--version 1.1

05 The command output should return the updated WAF policy configuration, with Microsoft_BotManagerRuleSet now listed under "managedRuleSets". In the example below the policy also has "state": "Disabled" and "mode": "Detection"; the newly assigned rule set does not block any bot traffic until the policy is enabled and switched to Prevention mode (via the network application-gateway waf-policy policy-setting update command), so check "policySettings" as well:

{
	"customRules": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy",
	"location": "westeurope",
	"managedRules": {
		"exclusions": [],
		"managedRuleSets": [
			{
				"ruleGroupOverrides": [],
				"ruleSetType": "OWASP",
				"ruleSetVersion": "3.2"
			},
			{
				"ruleGroupOverrides": [],
				"ruleSetType": "Microsoft_BotManagerRuleSet",
				"ruleSetVersion": "1.1"
			}
		]
	},
	"name": "cc-app-gateway-waf-policy",
	"policySettings": {
		"fileUploadEnforcement": true,
		"fileUploadLimitInMb": 100,
		"jsChallengeCookieExpirationInMins": 30,
		"maxRequestBodySizeInKb": 128,
		"mode": "Detection",
		"requestBodyCheck": true,
		"requestBodyEnforcement": true,
		"requestBodyInspectLimitInKB": 128,
		"state": "Disabled"
	},
	"provisioningState": "Updating",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"tags": {},
	"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}

Publication date Nov 7, 2025