
I'm setting up WAF rules for Azure Front Door services provided by Microsoft Azure. Currently, I'm using the default ruleset 1.0 provided OTB to block the OWASP top 10 threats.

When the default rules are enabled, we observe a 403 error and are not able to understand which policy is blocking the request.

Any change to the WAF policy takes a minimum of 7 to 15 minutes to get applied. I need to understand if there is any efficient way to make the change and test.

What is the best possible way to determine what ruleset needs to be enabled or disabled?

We tried enabling all rulesets and the website started throwing 403 errors. Currently, we are enabling one rule at a time and verifying if the rule blocks any requests.

Merlin Liang
IamChandu

1 Answer


WAF with Front Door logs is integrated with Azure Monitor. You could enable diagnostic settings and track any request that matches a WAF rule in the FrontdoorWebApplicationFirewallLog logs. The following example query obtains WAF logs for blocked requests:

AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"

Additionally, you could refer to monitoring metrics and logs in Azure Front Door Service, and a good blog which explains how to view WAF diagnostic logs and tune the WAF policy rules, even though it's an App GW example.

Nancy Xiong
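Building on the answer's query, the following is an added example (not part of the answer or of Microsoft's docs) that ranks the rules responsible for blocks so the noisy ones can be reviewed first. It also picks up "Log" actions, which is what the policy records once its mode is switched from Prevention to Detection; the flattened column names beyond action_s (ruleName_s, policy_s, policyMode_s, requestUri_s, details_matches_s) are assumed from the AzureDiagnostics schema and should be checked against your workspace.

```kusto
// Added example: which WAF rules are blocking (or would block) requests, ranked by hit count.
// Column names other than action_s are assumed from the flattened AzureDiagnostics schema.
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
// "Block" is what Prevention mode records; "Log" is what Detection mode records
| where action_s in ("Block", "Log")
| summarize Hits = count(),
            SampleUri = take_any(requestUri_s),          // one request path that triggered the rule
            SampleMatch = take_any(details_matches_s)    // which variable/value matched
          by policy_s, policyMode_s, ruleName_s, action_s
| order by Hits desc
```

A rule that fires only on a handful of legitimate URIs is a candidate for a scoped exclusion rather than disabling it outright; one that fires on every request usually means a false positive in the managed rule group.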
  • We enabled Azure Monitor and nailed all the WAF rules which were throwing 403 errors. For now, we have changed the action to log from block. – IamChandu Aug 12 '19 at 13:09