Troubleshooting WAF policy violations for Azure Application Gateway

  • Azure Application Gateway is a regional layer-7 (HTTP/HTTPS) load balancer whose WAF SKU adds a Web Application Firewall (WAF) that protects web applications against common vulnerabilities and exploits. The managed rules Azure WAF applies are based on the OWASP Core Rule Set (CRS).
  • Typically, a public (Internet-facing) web application deployed in a single region sits behind an Azure Application Gateway with WAF. For a multi-region deployment, the same kind of WAF policy is attached to Azure Front Door (global HTTP load balancing) instead.
  • On Application Gateway, a WAF policy may be associated with the whole gateway (covering every web application or site it fronts), with an individual listener (one site), or with a path-based routing rule (one URI path on a site). A policy can therefore be tuned to the requirements of a particular web application and scoped to exactly that application.
  • The out-of-the-box managed rules (OWASP CRS) are tuned for broad coverage rather than for any particular application, so it is normal to hit WAF policy violations while testing web applications, including false positives on legitimate requests. Application teams therefore need access to the Application Gateway's WAF logs to determine which rules caused a violation, and developers should be able to do that troubleshooting themselves while testing. Azure workbooks to the rescue!
  • Azure workbooks are interactive visualizations of data within the Azure Portal, built from one or more sources (metrics, logs, etc.).

Application Gateway WAF Triage workbook

The Application Gateway WAF Triage workbook is a handy workbook that helps users drill down to the WAF policy violations that affect their web applications. It is easy to deploy and use. Given below are some guidelines:

  • Enable diagnostic settings for the Application Gateway, including the ApplicationGatewayFirewallLog category, and send the logs to a Log Analytics workspace.
  • When deploying the Application Gateway WAF Triage workbook, link it to the Log Analytics workspace by entering the resource id of the Log Analytics workspace as the Workbook Source Id during deployment.
  • For users who need to access this workbook for troubleshooting, assign the following roles:
    • Log Analytics Reader to the Log Analytics workspace
    • Reader to the workbook

NOTE: With the above roles, users can read WAF policy violations for all web applications behind the Application Gateway. Log Analytics Reader is granted on the whole workspace, so they can also read every other table that lands in that workspace, not only the WAF logs; scope the workspace (or the assignment) accordingly if that is more than the team should see.
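The workbook runs Kusto queries over the firewall log in Log Analytics; the triage logic behind them is simple enough to show in plain code. The following is an added example, not code from the original post or from the workbook: it applies that logic offline to firewall log rows exported as JSON. The sample rows are constructed and their field names follow the documented Application Gateway firewall log schema; the host names, transaction IDs and IP addresses are made up. The example assumes CRS 3.x behaviour, where each rule that fires produces a "Matched" entry and the anomaly-evaluation rule 949110 produces the final "Blocked" (Prevention mode) or "Detected" (Detection mode) entry for the same transactionId.

```python
"""Offline triage of Azure Application Gateway WAF firewall log rows.

Added example (not the workbook's own code). Input is a list of
AzureDiagnostics-style rows with category "ApplicationGatewayFirewallLog";
the SAMPLE_LOGS below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# CRS 3.x: one "Matched" entry per contributing rule, then one entry for the
# anomaly rule 949110 whose action is "Blocked" (Prevention) or "Detected"
# (Detection) when the inbound anomaly score reaches the threshold.
ANOMALY_RULE_ID = "949110"
SCORE_RE = re.compile(r"Total Score:\s*(\d+)")


def _record(host, tx, rule, action, message, uri, ip="203.0.113.10"):
    """Build one constructed row in the shape of the documented firewall log schema."""
    return {
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                      "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-PROD",
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_1", "clientIp": ip, "requestUri": uri,
            "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            "ruleId": rule, "message": message, "action": action, "site": "Global",
            "hostname": host, "transactionId": tx,
            "policyId": "default", "policyScope": "Global", "policyScopeName": "Global",
        },
    }


SAMPLE_LOGS = [  # constructed sample data
    # tx-0001: SQLi probe against the shop site, blocked by anomaly scoring
    _record("shop.contoso.com", "tx-0001", "942100", "Matched",
            "SQL Injection Attack Detected via libinjection", "/search?q=1%27%20OR%201%3D1"),
    _record("shop.contoso.com", "tx-0001", "942190", "Matched",
            "Detects MSSQL code execution and information gathering attempts", "/search?q=1%27%20OR%201%3D1"),
    _record("shop.contoso.com", "tx-0001", ANOMALY_RULE_ID, "Blocked",
            "Inbound Anomaly Score Exceeded (Total Score: 10)", "/search?q=1%27%20OR%201%3D1"),
    # tx-0002: one warning-level rule fired on the API host; score stayed under the threshold
    _record("api.contoso.com", "tx-0002", "920350", "Matched",
            "Host header is a numeric IP address", "/v1/health", ip="198.51.100.7"),
    # tx-0003: XSS payload on the shop site, blocked
    _record("shop.contoso.com", "tx-0003", "941100", "Matched",
            "XSS Attack Detected via libinjection", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"),
    _record("shop.contoso.com", "tx-0003", "941110", "Matched",
            "XSS Filter - Category 1: Script Tag Vector", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"),
    _record("shop.contoso.com", "tx-0003", ANOMALY_RULE_ID, "Blocked",
            "Inbound Anomaly Score Exceeded (Total Score: 10)", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"),
    # tx-0004: same SQLi pattern against a policy running in Detection mode: logged, not blocked
    _record("api.contoso.com", "tx-0004", "942100", "Matched",
            "SQL Injection Attack Detected via libinjection", "/v1/items?id=1%27%20OR%201%3D1", ip="198.51.100.7"),
    _record("api.contoso.com", "tx-0004", ANOMALY_RULE_ID, "Detected",
            "Inbound Anomaly Score Exceeded (Total Score: 5)", "/v1/items?id=1%27%20OR%201%3D1", ip="198.51.100.7"),
]


def load_entries(records):
    """Keep only firewall-log rows and flatten the fields triage needs."""
    keys = ("hostname", "transactionId", "ruleId", "action", "message", "requestUri", "clientIp")
    return [{k: rec["properties"].get(k, "") for k in keys}
            for rec in records if rec.get("category") == "ApplicationGatewayFirewallLog"]


def triage(records, hostname=None):
    """Group entries by transactionId and give each request one verdict.

    "Blocked": Prevention mode and the threshold was reached; "Detected": Detection
    mode and the threshold was reached; "Matched": rules fired but the score stayed
    under the threshold, so the request went through. Filtering by hostname is what
    scopes the view to one web application behind the gateway.
    """
    by_tx = defaultdict(list)
    for e in load_entries(records):
        if hostname is None or e["hostname"] == hostname:
            by_tx[e["transactionId"]].append(e)
    results = {}
    for tx, items in by_tx.items():
        actions = {i["action"] for i in items}
        verdict = "Blocked" if "Blocked" in actions else "Detected" if "Detected" in actions else "Matched"
        score = None
        for i in items:
            m = SCORE_RE.search(i["message"]) if i["ruleId"] == ANOMALY_RULE_ID else None
            if m:
                score = int(m.group(1))
        results[tx] = {
            "hostname": items[0]["hostname"], "clientIp": items[0]["clientIp"],
            "requestUri": items[0]["requestUri"], "verdict": verdict, "anomalyScore": score,
            # the rules that actually contributed; 949110 itself only reports the total
            "rules": sorted({i["ruleId"] for i in items if i["ruleId"] != ANOMALY_RULE_ID}),
        }
    return results


def rule_frequency(records, hostname=None, verdict="Blocked"):
    """Count how often each contributing rule appears in transactions with the given verdict.

    This is the tuning shortlist: inspect the top rules for false positives before
    adding exclusions or disabling anything.
    """
    counts = Counter()
    for r in triage(records, hostname).values():
        if r["verdict"] == verdict:
            counts.update(r["rules"])
    return counts.most_common()


if __name__ == "__main__":
    for tx, r in triage(SAMPLE_LOGS).items():
        print(f"{tx} {r['hostname']:<17} {r['verdict']:<8} score={r['anomalyScore']} "
              f"rules={','.join(r['rules'])} {r['requestUri']}")
    print("rules behind blocks on shop.contoso.com:", rule_frequency(SAMPLE_LOGS, "shop.contoso.com"))
```

The two things worth taking from this when reading the workbook's output: a single "Blocked" entry for 949110 never tells you which rule to tune, so always pivot on transactionId to collect the "Matched" entries that contributed; and a "Detected" verdict means the policy is in Detection mode, so the same request will start failing the moment the policy is switched to Prevention.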
