Azure WAF policy disabled or without Detection or Prevention modes

ID

app_gateway_waf_policy

Severity

low

Vendor

Azure

Resource

WAF

Tags

reachable

Description

The Azure Web Application Firewall Policy must be enabled and set to 'Detection' or 'Prevention' mode. Otherwise, any Application Gateway that uses this policy is left unprotected at the application layer.

A WAF provides protection against common application-layer attacks (the OWASP Core Rule Set categories such as injection and cross-site scripting), and this rule enforces that Application Gateways enable a WAF with a valid mode.

To enable a Web Application Firewall on Application Gateway, you must create a WAF policy. This policy is where all the managed rules, custom rules, exclusions, and other customizations such as file upload limit exist.

The Application Gateway WAF policy can be configured to run in two modes:

  • Detection mode, which monitors and logs every request that matches a rule but does not block it.

  • Prevention mode, which blocks requests that match a rule (the client receives a 403) and records them in the WAF logs.

See WAF for Application Gateways for an introduction to Azure WAF.

See WAF Policies for an introduction to Azure WAF Policies.
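The following Python check is an added example, not the scanner's own implementation of this rule or any Azure tooling. It walks an ARM template and a Terraform plan (the JSON printed by `terraform show -json`) and reports the misconfigurations this rule describes: a gateway with neither an enabled inline WAF configuration nor a linked WAF policy, a WAF policy whose state is not Enabled, and a policy whose mode is not Detection or Prevention. The function names `check_arm_template` and `check_terraform_plan` are hypothetical, the sample template and plan at the bottom are constructed for this example, and two defaults are assumptions: an absent ARM `policySettings.state` is treated as Enabled, and an omitted Terraform `policy_settings` block is assumed to take the azurerm provider defaults (`enabled = true`, `mode = "Prevention"`). An absent ARM `mode` is flagged on purpose so that the mode is always declared explicitly.

```python
"""Pre-deployment check for the app_gateway_waf_policy rule (added example,
not the scanner's code). Sample inputs are constructed inline."""

VALID_MODES = {"Detection", "Prevention"}


def _arm_gateway_ok(props):
    """True if an applicationGateways resource carries an active WAF:
    either an enabled inline configuration with a valid mode, or a linked policy."""
    cfg = props.get("webApplicationFirewallConfiguration") or {}
    inline_ok = cfg.get("enabled") is True and cfg.get("firewallMode") in VALID_MODES
    linked = bool((props.get("firewallPolicy") or {}).get("id"))
    return inline_ok or linked


def check_arm_template(template):
    """Return (resource name, reason) findings for an ARM template dict."""
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        props = res.get("properties") or {}
        name = res.get("name", "<unnamed>")
        if rtype == "microsoft.network/applicationgateways":
            if not _arm_gateway_ok(props):
                findings.append((name, "no enabled inline WAF configuration and no WAF policy linked"))
        elif rtype == "microsoft.network/applicationgatewaywebapplicationfirewallpolicies":
            settings = props.get("policySettings") or {}
            # Assumption: an absent 'state' counts as Enabled; an absent 'mode'
            # is flagged so that the mode is always declared explicitly.
            if settings.get("state", "Enabled") != "Enabled":
                findings.append((name, "policySettings.state is not Enabled"))
            if settings.get("mode") not in VALID_MODES:
                findings.append((name, "policySettings.mode is not Detection or Prevention"))
    return findings


def check_terraform_plan(plan):
    """Return (address, reason) findings for WAF policies in a Terraform plan dict."""
    findings = []

    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") != "azurerm_web_application_firewall_policy":
                continue
            addr = res.get("address", "<unknown>")
            # Nested blocks are serialised as lists in plan JSON; policy_settings is optional.
            blocks = (res.get("values") or {}).get("policy_settings") or []
            settings = blocks[0] if blocks else {}
            # Assumption: provider defaults enabled = true, mode = "Prevention" apply when omitted.
            if settings.get("enabled", True) is False:
                findings.append((addr, "policy_settings.enabled is false"))
            if settings.get("mode", "Prevention") not in VALID_MODES:
                findings.append((addr, "policy_settings.mode is not Detection or Prevention"))
        for child in module.get("child_modules", []):
            walk(child)

    walk((plan.get("planned_values") or {}).get("root_module") or {})
    return findings


# Constructed sample inputs mirroring the 'bad' and 'good' shapes on this page.
SAMPLE_ARM = {
    "resources": [
        {"type": "Microsoft.Network/applicationGateways", "name": "bad",
         "properties": {"webApplicationFirewallConfiguration": {"enabled": False}}},
        {"type": "Microsoft.Network/applicationGateways", "name": "good",
         "properties": {"webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"},
                        "firewallPolicy": {"id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'wafpolicy-good')]"}}},
        {"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", "name": "wafpolicy-off",
         "properties": {"policySettings": {"state": "Disabled", "mode": "Detection"}}},
    ]
}

SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_web_application_firewall_policy.example",
         "type": "azurerm_web_application_firewall_policy",
         "values": {"policy_settings": [{"enabled": False, "mode": "Prevention"}]}},
        {"address": "azurerm_web_application_firewall_policy.ok",
         "type": "azurerm_web_application_firewall_policy",
         "values": {"policy_settings": [{"enabled": True, "mode": "Detection"}]}},
    ]}}
}

if __name__ == "__main__":
    for resource, reason in check_arm_template(SAMPLE_ARM) + check_terraform_plan(SAMPLE_PLAN):
        print(f"{resource}: {reason}")
```

Run against real input by loading the template with `json.load` and passing the resulting dict, or by piping `terraform show -json tfplan` into the plan checker; a non-empty findings list is the signal to fail the pipeline stage before the gateway is deployed without a WAF.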

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2021-08-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "webApplicationFirewallConfiguration": {
          "enabled": false
        }
      }
    }
  ]
}
1 The inline WAF configuration is disabled and no WAF policy is linked, so the gateway is unprotected.

Terraform

resource "azurerm_web_application_firewall_policy" "example" {
  # ...
  policy_settings {
    enabled                     = false (1)
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }
  # ...
}
1 The policy is explicitly disabled.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2021-08-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "properties": {
        "webApplicationFirewallConfiguration": {
          "enabled": true,
          "firewallMode": "Prevention",
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.1",
          "requestBodyCheck": true,
          "maxRequestBodySizeInKb": 128,
          "fileUploadLimitInMb": 100
        },
        "firewallPolicy": {
          "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('policy_name'))]"
        }
      }
    }
  ]
}
1 The WAF is enabled in Prevention mode and a WAF policy is linked to the gateway.

Terraform

resource "azurerm_web_application_firewall_policy" "example" {
  # ...
  policy_settings {
    enabled                     = true (1)
    mode                        = "Prevention" (2)
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }
  # ...
}
1 The policy is enabled.
2 Set the mode explicitly rather than relying on the provider default.