- Enable Web Application Firewall for Front Door Profiles
Ensure that Web Application Firewall (WAF) security policies are enabled for your Microsoft Azure Front Door profiles in order to protect your applications from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common threats such as SQL injections, Cross Site Scripting (XSS), and local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other HTTP(S) parameters via custom rules using the firewall service.
Audit
To determine if Web Application Firewall (WAF) policies are enabled for your Azure Front Door profiles, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.
05 Click on the name (link) of the Front Door and CDN profile that you want to examine.
06 In the resource navigation panel, under Security, select Security policies.
07 On the Security policies listing page, check for any active Web Application Firewall (WAF) security policies defined for the selected profile. An active security policy has the Provisioning state set to Succeeded. If there are no active security policies listed on this page, Azure WAF is not enabled for the selected Azure Front Door profile. If one or more active security policies are returned, continue the Audit process with the next step.
08 Click on the name (link) of the security policy that you want to examine and copy the name of the WAF policy, selected from the WAF Policy dropdown list.
09 Navigate to Web Application Firewalls listing page available at https://portal.azure.com/#view/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/~/wafMenuItem, paste the name of the associated WAF policy in the Filter for any field... box, and press Enter.
10 Check the value listed in the Policy state column to determine the operational status of the WAF policy associated with your Front Door profile. If the Policy state is set to Disabled, the WAF policy is not operational, therefore, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Front Door profile.
11 Repeat steps no. 8 – 10 for each security policy configured for the selected Azure Front Door profile.
12 Repeat steps no. 5 – 11 for each Azure Front Door profile deployed in the selected Azure subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run afd profile list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Front Door and CDN profile available in the current subscription:
az afd profile list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return the requested profile identifiers:
Name               ResourceGroup
-----------------  ------------------------------
tm-project5-cdn    cloud-shell-storage-westeurope
tm-web-portal-cdn  cloud-shell-storage-westeurope
03 Run afd security-policy list command (Windows/macOS/Linux) with the name of the Azure Front Door and CDN profile that you want to examine and its associated resource group as the identifier parameters, to list the name and the provisioning state of each security policy defined for the selected Front Door profile:
az afd security-policy list --profile-name tm-project5-cdn --resource-group cloud-shell-storage-westeurope --query '[].{"name":name,"provisioningState":provisioningState}'
04 The command output should return the requested information. If the afd security-policy list command output returns an empty array, i.e., [], there are no WAF security policies defined for the selected Azure Front Door profile. If the command output returns one or more security policies, check the "provisioningState" attribute value to determine the policy status. If the "provisioningState" is not set to "Succeeded", the security policy is not active, therefore, Azure WAF is not enabled for the selected Azure Front Door profile. If the "provisioningState" is set to "Succeeded", as shown in the example below, continue the Audit process with the next step:
[
  {
    "name": "tm-project5-afd-sec-policy",
    "provisioningState": "Succeeded"
  }
]
05 Run afd security-policy show command (Windows/macOS/Linux) to describe the resource identifier (ID) of the WAF policy configured for the security policy associated with your Front Door profile:
az afd security-policy show --profile-name tm-project5-cdn --resource-group cloud-shell-storage-westeurope --name tm-project5-afd-sec-policy --query "parameters.wafPolicy.id"
06 The command output should return the requested resource ID:
"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies/project5wafpolicy"
07 Run network front-door waf-policy show command (Windows/macOS/Linux) to determine the operational status of the WAF policy associated with your Front Door profile. For --name, use the WAF policy name included in the resource ID returned in the previous step (i.e., "/subscriptions/\
az network front-door waf-policy show \
  --name project5wafpolicy \
  --resource-group cloud-shell-storage-westeurope \
  --query "{enabledState:policySettings.enabledState}"
08 The command output should return the resource operational status:
{ "enabledState": "Disabled" }
If the "enabledState" is not set to "Enabled", the associated WAF security policy is not operational, therefore, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Front Door profile.
09 Repeat steps no. 5 – 8 for each security policy configured for the selected Azure Front Door profile.
10 Repeat steps no. 3 – 9 for each Azure Front Door profile available within the current Azure subscription.
11 Repeat steps no. 1 – 10 for each subscription created in your Microsoft Azure cloud account.
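The CLI audit above is a loop over profiles, security policies and WAF policies that is tedious to run by hand across many subscriptions. The following script is an added example (not Conformity's or Microsoft's code) that automates steps 01 to 08 for the current subscription: it lists the profiles, lists each profile's security policies, parses the linked WAF policy ID to find the policy's resource group and name, and reads policySettings.enabledState. The compliance decision lives in evaluate_profile(), which takes the state lookup as a parameter so it can be exercised on constructed data without Azure access; the Finding class, the function names and the pass/fail wording are this example's own. Running it live requires a logged-in Azure CLI.

```python
"""Audit Azure Front Door profiles for an enabled WAF policy (added example)."""
import json
import re
import subprocess
from dataclasses import dataclass, field

# The CLI returns "resourceGroups" or "resourcegroups" depending on the command,
# so the WAF policy ID is matched case-insensitively.
_WAF_ID_RE = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Network/"
    r"frontdoorWebApplicationFirewallPolicies/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    profile: str
    compliant: bool
    issues: list = field(default_factory=list)


def parse_waf_policy_id(waf_policy_id):
    """Return (resource_group, policy_name) from a WAF policy resource ID."""
    m = _WAF_ID_RE.search(waf_policy_id)
    if not m:
        raise ValueError(f"not a Front Door WAF policy ID: {waf_policy_id}")
    return m.group("rg"), m.group("name")


def evaluate_profile(profile_name, security_policies, enabled_state_of):
    """Apply the audit rules from the steps above to one profile.

    security_policies: parsed output of `az afd security-policy list`.
    enabled_state_of: callable mapping a WAF policy ID to its
        policySettings.enabledState (injected so no Azure access is needed).
    A profile passes only if it has at least one security policy, every policy
    has provisioningState "Succeeded", and every linked WAF policy is "Enabled".
    """
    finding = Finding(profile_name, compliant=True)
    if not security_policies:
        finding.compliant = False
        finding.issues.append("no WAF security policy attached to profile")
        return finding
    for sp in security_policies:
        name = sp.get("name", "<unnamed>")
        state = sp.get("provisioningState")
        if state != "Succeeded":
            finding.compliant = False
            finding.issues.append(f"security policy {name}: provisioningState={state}")
            continue
        waf = (sp.get("parameters") or {}).get("wafPolicy") or {}
        waf_id = waf.get("id")
        if not waf_id:
            finding.compliant = False
            finding.issues.append(f"security policy {name}: no WAF policy linked")
            continue
        enabled = enabled_state_of(waf_id)
        if enabled != "Enabled":
            finding.compliant = False
            finding.issues.append(f"security policy {name}: WAF enabledState={enabled}")
    return finding


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def live_enabled_state(waf_policy_id):
    """Step 07 above: read enabledState of the WAF policy named in the ID."""
    rg, name = parse_waf_policy_id(waf_policy_id)
    return az("network", "front-door", "waf-policy", "show", "--name", name,
              "--resource-group", rg, "--query", "policySettings.enabledState")


def audit_subscription():
    """Steps 01 to 08 above for every Front Door profile in the current subscription."""
    findings = []
    for p in az("afd", "profile", "list") or []:
        policies = az("afd", "security-policy", "list", "--profile-name", p["name"],
                      "--resource-group", p["resourceGroup"]) or []
        findings.append(evaluate_profile(p["name"], policies, live_enabled_state))
    return findings


if __name__ == "__main__":
    for f in audit_subscription():
        print(("PASS " if f.compliant else "FAIL ") + f.profile)
        for issue in f.issues:
            print("  - " + issue)
```

Run it once per subscription after `az account set --subscription <id>` to cover step 11. A profile with a security policy whose WAF policy reports "Disabled" is reported as FAIL with the policy name, which is the same conclusion step 08 draws by hand.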
Remediation / Resolution
To enable Web Application Firewall (WAF) support for your Microsoft Azure Front Door profiles, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.
05 Click on the name (link) of the Front Door and CDN profile that you want to configure.
06 In the resource navigation panel, under Security, select Security policies.
07 On the Security policies page, choose Add, and perform the following actions to create a new security policy for your profile. A security policy includes a Web Application Firewall (WAF) policy and one or more domains to provide centralized protection for your web application:
- For Name, provide a unique name for your new security policy.
- For Domains, choose the domain(s) that you want to protect with Azure Web Application Firewall (WAF).
- For WAF Policy, choose Create New to create the Web Application Firewall (WAF) policy that will integrate with your security policy. Enter a name for the WAF policy in the Name box, check the Add bot protection checkbox for protection against malicious bots, then choose Create to deploy your WAF policy. The WAF policy provides protection for OWASP top 10 vulnerabilities, including bot protection.
- Choose Save to apply the changes. This will enable Web Application Firewall (WAF) support for the selected Azure Front Door profile.
08 Repeat steps no. 5 – 7 for each Azure Front Door profile that you want to configure, deployed in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run network front-door waf-policy create command (Windows/macOS/Linux) to create a Web Application Firewall (WAF) policy for your Azure Front Door profile. This will protect your web application from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements. The WAF policy must be of the same tier as your Front Door profile:
az network front-door waf-policy create --name FrontDoorWafPolicy --resource-group cloud-shell-storage-westeurope --sku Premium_AzureFrontDoor --location Global --mode Prevention
02 The command output should return the configuration information available for the new WAF policy:
{
  "customRules": {
    "rules": []
  },
  "frontendEndpointLinks": [],
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": []
  },
  "name": "FrontDoorWafPolicy",
  "policySettings": {
    "enabledState": "Enabled",
    "javascriptChallengeExpirationInMinutes": 30,
    "mode": "Prevention",
    "requestBodyCheck": "Enabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resourceState": "Enabled",
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}
03 Run network front-door waf-policy managed-rules add command (Windows/macOS/Linux) to add one or more managed rule sets to your new Web Application Firewall (WAF) policy. The following command example adds the Microsoft_DefaultRuleSet managed rule set, version 2.1, with the default action set to Block:
az network front-door waf-policy managed-rules add --policy-name FrontDoorWafPolicy --resource-group cloud-shell-storage-westeurope --type Microsoft_DefaultRuleSet --version 2.1 --action Block
04 The command output should return the configuration information available for the configured WAF policy:
{
  "customRules": {
    "rules": []
  },
  "etag": null,
  "frontendEndpointLinks": [],
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": [
      {
        "exclusions": [],
        "ruleGroupOverrides": [],
        "ruleSetAction": "Block",
        "ruleSetType": "Microsoft_DefaultRuleSet",
        "ruleSetVersion": "2.1"
      }
    ]
  },
  "name": "FrontDoorWafPolicy",
  "policySettings": {
    "customBlockResponseBody": null,
    "customBlockResponseStatusCode": null,
    "enabledState": "Enabled",
    "javascriptChallengeExpirationInMinutes": 30,
    "mode": "Prevention",
    "redirectUrl": null,
    "requestBodyCheck": "Enabled",
    "scrubbingRules": null,
    "state": null
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resourceState": "Enabled",
  "routingRuleLinks": null,
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}
05 Run afd security-policy create command (Windows/macOS/Linux) to create the Azure Front Door profile security policy that will integrate your new WAF policy. Use the --domains parameter to specify the domains to provide centralized protection for your web application:
az afd security-policy create \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --security-policy-name tm-project5-cdn-sec-policy \
  --domains "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/afdendpoints/tm-project5-endpoint" \
  --waf-policy "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy"
06 The command output should return the configuration information available for the new security policy:
{
  "deploymentStatus": "NotStarted",
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/securitypolicies/tm-project5-cdn-sec-policy",
  "name": "tm-project5-cdn-sec-policy",
  "parameters": {
    "associations": [
      {
        "domains": [
          {
            "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/afdendpoints/tm-project5-endpoint",
            "isActive": true,
            "resourceGroup": "cloud-shell-storage-westeurope"
          }
        ],
        "patternsToMatch": [
          "/*"
        ]
      }
    ],
    "type": "WebApplicationFirewall",
    "wafPolicy": {
      "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
      "resourceGroup": "cloud-shell-storage-westeurope"
    }
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Cdn/profiles/securitypolicies"
}
07 Repeat steps no. 5 and 6 for each Azure Front Door profile that you want to configure, available within the current subscription.
08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
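The three CLI remediation steps above must be run in order, and the WAF policy tier must match the profile tier. The script below is an added example (not Conformity's or Microsoft's code) that reads the profile's sku.name and endpoint IDs with the CLI, builds the same three commands with the matching --sku, and executes them. plan_remediation() returns the command list without running anything, so the tier logic can be checked offline. Two assumptions are this example's own and not stated on the page: managed rule sets such as Microsoft_DefaultRuleSet are only available on the Premium tier (per Azure's WAF documentation), so on a Standard profile the managed-rules step is skipped and the policy starts with custom rules only; and --domains accepts several endpoint or custom-domain IDs separated by spaces. The function names are hypothetical.

```python
"""Enable WAF on a Front Door profile via the Azure CLI (added example)."""
import json
import subprocess

STANDARD = "Standard_AzureFrontDoor"
PREMIUM = "Premium_AzureFrontDoor"
WAF_PROVIDER = "Microsoft.Network/frontdoorWebApplicationFirewallPolicies"


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def waf_policy_id(subscription_id, resource_group, name):
    """Resource ID the security policy will reference via --waf-policy."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/{WAF_PROVIDER}/{name}")


def plan_remediation(subscription_id, profile_name, resource_group, profile_sku,
                     domain_ids, waf_policy_name, security_policy_name):
    """Return the ordered `az` argument lists that enable WAF on one profile.

    profile_sku is the profile's sku.name; the WAF policy is created in the
    same tier. Assumption (Azure docs, not this page): managed rule sets need
    Premium, so Standard profiles get the policy without the managed-rules step.
    """
    if profile_sku not in (STANDARD, PREMIUM):
        raise ValueError(f"unsupported Front Door SKU: {profile_sku}")
    if not domain_ids:
        raise ValueError("a security policy needs at least one endpoint or custom domain")
    plan = [
        # Step 01: WAF policy in Prevention mode, same tier as the profile.
        ["network", "front-door", "waf-policy", "create",
         "--name", waf_policy_name, "--resource-group", resource_group,
         "--sku", profile_sku, "--location", "Global", "--mode", "Prevention"],
    ]
    if profile_sku == PREMIUM:
        # Step 03: Microsoft_DefaultRuleSet 2.1 with Block as the default action.
        plan.append(["network", "front-door", "waf-policy", "managed-rules", "add",
                     "--policy-name", waf_policy_name, "--resource-group", resource_group,
                     "--type", "Microsoft_DefaultRuleSet", "--version", "2.1",
                     "--action", "Block"])
    # Step 05: security policy binding the WAF policy to the profile's domains.
    plan.append(["afd", "security-policy", "create",
                 "--profile-name", profile_name, "--resource-group", resource_group,
                 "--security-policy-name", security_policy_name,
                 "--domains", *domain_ids,
                 "--waf-policy", waf_policy_id(subscription_id, resource_group, waf_policy_name)])
    return plan


def remediate(profile_name, resource_group, waf_policy_name, security_policy_name):
    """Look up the live profile, then run the planned commands in order."""
    subscription_id = az("account", "show", "--query", "id")
    profile = az("afd", "profile", "show", "--profile-name", profile_name,
                 "--resource-group", resource_group)
    endpoints = az("afd", "endpoint", "list", "--profile-name", profile_name,
                   "--resource-group", resource_group) or []
    plan = plan_remediation(subscription_id, profile_name, resource_group,
                            profile["sku"]["name"], [e["id"] for e in endpoints],
                            waf_policy_name, security_policy_name)
    for step in plan:
        az(*step)
    return plan


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: enable_waf.py <profile> <resource-group> <waf-policy-name> <security-policy-name>")
    for step in remediate(*sys.argv[1:]):
        print("ran: az " + " ".join(step))
```

After it finishes, re-run the audit from the previous section; the new security policy should show provisioningState "Succeeded" and the WAF policy enabledState "Enabled".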
References
- Azure Official Documentation
- What is Azure Web Application Firewall?
- Tutorial: Create a WAF policy on Azure Front Door by using the Azure portal