Azure Front Door does not use WAF in Detection or Prevention modes

ID

front_door_waf_policy

Severity

low

Vendor

Azure

Resource

WAF

Tags

reachable

Description

Azure Front Door WAF should be enabled and use 'Detection' or 'Prevention' modes.

Azure Front Door is Microsoft's modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applications' static and dynamic web content across the globe. Azure Front Door delivers your content using Microsoft's global edge network, with hundreds of global and local POPs distributed around the world close to both your enterprise and consumer end users.

A WAF provides some protection against application-layer attacks, and this rule enforces that every Front Door enables a WAF policy with a proper mode.

The Front Door WAF policy can be configured to run in two modes:

  • Detection mode, which monitors and logs all threat alerts without blocking requests.

  • Prevention mode, which blocks intrusions and attacks.
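The check this rule performs, written out as an added Python example (not Snyk's own rule implementation): it walks an ARM template's resources, picks out Front Door WAF policies, and reports any that are not enabled or that lack a Detection/Prevention mode. The sample templates are constructed to mirror the bad and good ARM examples on this page; treating an omitted enabledState or mode as a finding is an assumption of this checker.

```python
import json

# Resource type that the front_door_waf_policy rule inspects.
WAF_POLICY_TYPE = "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies"
ALLOWED_MODES = {"Detection", "Prevention"}


def check_front_door_waf(template: dict) -> list[str]:
    """Return one finding per Front Door WAF policy that is disabled or
    lacks a Detection/Prevention mode. An empty list means compliant."""
    findings = []
    for res in template.get("resources", []):
        # ARM resource types are case-insensitive, so compare lowercased.
        if res.get("type", "").lower() != WAF_POLICY_TYPE.lower():
            continue
        name = res.get("name", "<unnamed>")
        settings = res.get("properties", {}).get("policySettings", {})
        state = settings.get("enabledState")
        mode = settings.get("mode")
        # Assumption: an omitted enabledState or mode is reported, because the
        # rule requires an explicit, enabled Detection or Prevention policy.
        if state != "Enabled":
            findings.append(f"{name}: enabledState is {state!r}, expected 'Enabled'")
        if mode not in ALLOWED_MODES:
            findings.append(f"{name}: mode is {mode!r}, expected one of {sorted(ALLOWED_MODES)}")
    return findings


# Constructed sample templates mirroring the page's "bad" and "good" ARM examples.
BAD_TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
    "apiVersion": "2019-03-01",
    "name": "bad",
    "properties": {"policySettings": {"enabledState": "Disabled"}}
  }]
}""")

GOOD_TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
    "apiVersion": "2019-03-01",
    "name": "good",
    "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection"}}
  }]
}""")

if __name__ == "__main__":
    for label, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(label, check_front_door_waf(tpl) or ["compliant"])
```

Running the script reports two findings for the bad template (disabled, and no mode) and none for the good one.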

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
      "apiVersion": "2019-03-01",
      "name": "bad", (1)
      "properties": {
        "policySettings": {
          "enabledState": "Disabled"
        }
      }
    }
  ]
}
1 Front Door WAF is neither enabled nor set to 'Detection' or 'Prevention' mode.

Terraform

resource "azurerm_frontdoor_firewall_policy" "bad" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name

  enabled = false # FLAW (1)
  mode    = "Prevention"

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"
  }
  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
  }
}
1 Front Door WAF is not enabled.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
      "apiVersion": "2019-03-01",
      "name": "good", (1)
      "properties": {
        "policySettings": {
          "enabledState": "Enabled",
          "mode": "Detection"
        }
      }
    }
  ]
}
1 Front Door WAF is enabled and uses Detection mode.

Terraform

resource "azurerm_frontdoor_firewall_policy" "good" {
  name                = "example-wafpolicy"
  resource_group_name = azurerm_resource_group.example.name

  enabled = true # FIXED
  mode    = "Prevention"

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"
  }
  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
  }
}