Create Web Application Firewall policies for Application Gateway

Associating a WAF policy with listeners allows for multiple sites behind a single WAF to be protected by different policies. For example, if there are five sites behind your WAF, you can have five separate WAF policies (one for each listener) to customize the exclusions, custom rules, and managed rulesets for one site without effecting the other four. If you want a single policy to apply to all sites, you can just associate the policy with the Application Gateway, rather than the individual listeners, to make it apply globally. Policies can also be applied to a path-based routing rule.

You can make as many policies as you want. Once you create a policy, it must be associated to an Application Gateway to go into effect, but it can be associated with any combination of Application Gateways and listeners.

If your Application Gateway has an associated policy, and then you associate a different policy to a listener on that Application Gateway, the listener's policy takes effect, but just for the listener(s) that they're assigned to. The Application Gateway policy still applies to all other listeners that don't have a specific policy assigned to them.

All new Web Application Firewall's WAF settings (custom rules, managed ruleset configurations, exclusions, etc.) live inside of a WAF Policy. If you have an existing WAF, these settings may still exist in your WAF config. For steps on how to move to the new WAF Policy, see Upgrade your WAF Config to a WAF Policy later in this article.

WAF policies need to be in the enabled state to inspect request traffic, log events and take action on requests. WAF policies in detection mode will log events when WAF rules are triggered but won't take any other action. Policies in prevention mode will take action on requests as well as log the event in the logs.

Create a policy

First, create a basic WAF policy with a managed Default Rule Set (DRS) using the Azure portal.

1. On the upper left side of the portal, select Create a resource. Search for WAF, select Web Application Firewall, then select Create.

2. On Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

   Setting	Value
   Policy for	Regional WAF (Application Gateway)
   Subscription	Select your subscription name
   Resource group	Select your resource group
   Policy name	Type a unique name for your WAF policy.

3. On the Association tab, select Add association, then select one of the following settings:

   Setting	Value
   Application Gateway	Select the application gateway, and then select Add.
   HTTP Listener	Select the application gateway, select the listeners, then select Add.
   Route Path	Select the application gateway, select the listener, select the routing rule, and then select Add.

    Note

   If you assign a policy to your Application Gateway (or listener) that already has a policy in place, the original policy is overwritten and replaced by the new policy.

4. Select Review + create, then select Create.

   

Configure WAF rules (optional)

When you create a WAF policy, by default it is in Detection mode. In Detection mode, WAF doesn't block any requests. Instead, the matching WAF rules are logged in the WAF logs. To see WAF in action, you can change the mode settings to Prevention. In Prevention mode, matching rules defined in the Microsoft Managed Rulesets you selected are blocked and/or logged in the WAF logs.

Managed rules

Azure-managed OWASP rules are enabled by default. To disable an individual rule within a rule group, expand the rules within that rule group, select the check box in front of the rule number, and select Disable on the tab above.

Custom rules

To create a custom rule, select Add custom rule under the Custom rules tab. This opens the custom rule configuration page. The following screenshot shows an example custom rule configured to block a request if the query string contains the text blockme.

Upgrade your WAF Config to a WAF Policy

If you have an existing WAF, you may have noticed some changes in the portal. First you need to identify what kind of Policy you've enabled on your WAF. There are three potential states:

1. No WAF Policy
2. Custom Rules only Policy
3. WAF Policy

You can tell which state your WAF is in by looking at it in the portal. If the WAF settings are visible and can be changed from within the Application Gateway view, your WAF is in state 1.

If you select Web Application Firewall and it shows you an associated policy, the WAF is in state 2 or state 3. After navigating to the policy, if it shows only custom rules, and Associated Application Gateways, then it's a Custom Rules only Policy.

If it also shows Policy Settings and Managed Rules, then it's a full Web Application Firewall policy.