Azure application gateway does not have WAF enabled

ID

app_gateway_waf

Severity

low

Vendor

Azure

Resource

Application Gateway

Tags

reachable

Description

Azure application gateway should have WAF enabled in 'Detection' or 'Prevention' modes.

WAF provides some protection against application-layer attacks, and this rule enforces that application gateways have a WAF enabled with a proper mode.

The Application Gateway WAF can be configured to run in two modes:

  • Detection mode, which monitors and logs all threat alerts.

  • Prevention mode, which blocks intrusions and attacks.

See WAF for Application Gateways for an introduction to Azure WAF.

Examples

ARM

The following application gateway does not have a WAF configured.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2021-08-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "webApplicationFirewallConfiguration": {
          "enabled": false
        }
      }
    }
  ]
}
1 Application gateway does not have WAF enabled with 'Detection' or 'Prevention' firewall mode.

Terraform

# FLAW, application gateway has no WAF
resource "azurerm_application_gateway" "bad" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # ... rest of config, no WAF ...
}

Mitigation / Fix

Buildtime

ARM

Add a webApplicationFirewallConfiguration block with enabled set to true and the proper firewallMode.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2021-08-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "properties": {
        "firewallPolicy": { (1)
          "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', '<policy>')]"
        },
        "webApplicationFirewallConfiguration": { (2)
          "enabled": true,
          "firewallMode": "Prevention",
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.1",
          "requestBodyCheck": true,
          "maxRequestBodySizeInKb": 128,
          "fileUploadLimitInMb": 100
        }
      }
    }
  ]
}
1 Firewall policy linked
2 Application gateway has WAF enabled with 'Prevention' firewall mode.
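As an added example (not part of the original rule documentation or the scanner's own code), the following Python function applies this rule to the resources of a parsed ARM template, flagging application gateways that are missing a WAF configuration, have it disabled, or use a firewall mode other than 'Detection' or 'Prevention'. The two template dicts are constructed here to mirror the flawed and fixed ARM examples on this page; the firewall policy id is a placeholder.

```python
APPGW_TYPE = "microsoft.network/applicationgateways"
VALID_MODES = {"Detection", "Prevention"}


def check_app_gateway_waf(template: dict) -> list:
    """Return one finding per application gateway in an ARM template
    that does not have WAF enabled in Detection or Prevention mode."""
    findings = []
    for res in template.get("resources", []):
        # Resource types in ARM are case-insensitive; other types are skipped.
        if str(res.get("type", "")).lower() != APPGW_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        waf = props.get("webApplicationFirewallConfiguration") or {}
        mode = waf.get("firewallMode")
        if waf.get("enabled") is not True:
            reason = "webApplicationFirewallConfiguration missing or enabled=false"
        elif mode not in VALID_MODES:
            reason = "firewallMode %r is not 'Detection' or 'Prevention'" % (mode,)
        else:
            continue  # compliant: WAF on and in a recognised mode
        findings.append({"rule": "app_gateway_waf", "severity": "low",
                         "resource": name, "reason": reason})
    return findings


# Constructed sample templates (only the fields the rule inspects).
BAD_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/applicationGateways", "apiVersion": "2021-08-01",
     "name": "bad",
     "properties": {"webApplicationFirewallConfiguration": {"enabled": False}}},
    {"type": "Microsoft.Network/applicationGateways", "apiVersion": "2021-08-01",
     "name": "no-mode",  # enabled, but no firewall mode set
     "properties": {"webApplicationFirewallConfiguration": {"enabled": True}}},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip"},
]}
GOOD_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/applicationGateways", "apiVersion": "2021-08-01",
     "name": "good",
     "properties": {
         "firewallPolicy": {"id": "<policy-resource-id placeholder>"},
         "webApplicationFirewallConfiguration": {
             "enabled": True, "firewallMode": "Prevention",
             "ruleSetType": "OWASP", "ruleSetVersion": "3.1"}}},
]}

if __name__ == "__main__":
    for finding in check_app_gateway_waf(BAD_TEMPLATE):
        print(finding)
```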

Terraform

Add a waf_configuration block with enabled set to true and firewall_mode set to either 'Detection' or 'Prevention', and link a firewall policy.

resource "azurerm_application_gateway" "good" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  firewall_policy_id = azurerm_web_application_firewall_policy.my_policy.id (1)

  waf_configuration { (2)
    enabled          = true
    firewall_mode    = "Prevention"
    # ...
  }

  # ... rest of configuration ...
}
1 A firewall policy is configured and linked.
2 WAF is enabled with the proper firewall mode.