Your Web Application Firewall (WAF)

Azure Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rule sets are managed by Azure, the rules are updated as needed to protect against new attack signatures. The default rule set also includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.

We also have the option of using rules based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9. Rules can be disabled on a rule-by-rule basis, or specific actions can be set per individual rule. Below are the standard out-of-the-box configurations and those that are specific to the API Cloud.

Default Rule Set

The Azure-managed Default Rule Set (DRS) includes rules against the following threat categories:

  • Cross-site scripting 
  • Java attacks 
  • Local file inclusion
  • PHP injection attacks
  • Remote command execution
  • Remote file inclusion
  • Session fixation
  • SQL injection protection
  • Protocol attackers

The version number of the DRS increments when new attack signatures are added to the rule set.

The WAF protects against the following web vulnerabilities:

  • SQL-injection attacks
  • Cross-site scripting attacks
  • Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • HTTP protocol violations
  • HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
  • Bots, crawlers, and scanners
  • Common application misconfigurations (for example, Apache and IIS)

Additional Rule Sets

The following custom configurations have been set:

  • Traffic is allowed only from the United States, enforced with a GeoMatch custom rule.
  • The bot protection rule set is enabled.
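As an added illustration (not the API Cloud's own deployment code), the following Bicep resource expresses both custom configurations above in a single WAF policy: a GeoMatch custom rule that blocks any client whose source address does not resolve to the United States, plus the Azure-managed default and bot manager rule sets. The policy name, the `location` parameter, and the rule set versions (`2.1` for the DRS, `1.0` for the bot manager set) are assumptions for this example.

```bicep
// Added example: WAF policy implementing "US-only via GeoMatch" and "bot protection enabled".
// Resource name, location, and rule set versions are assumptions, not taken from the page.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'apicloud-waf-policy' // assumed name
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // block rather than only log matching requests
      requestBodyCheck: true
    }
    customRules: [
      {
        // Custom rules are evaluated before managed rules; low priority number runs first.
        name: 'BlockTrafficOutsideUS'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              { variableName: 'RemoteAddr' } // client source IP as seen by the gateway
            ]
            operator: 'GeoMatch'
            // Negated GeoMatch: match (and block) when the country is NOT in matchValues.
            // Note the property name is spelled this way in the Azure API schema.
            negationConditon: true
            matchValues: [ 'US' ]
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1' }   // assumed version
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' } // bot protection
      ]
    }
  }
}
```

When validating the rule, confirm from the WAF logs that blocked requests carry the custom rule name rather than a managed rule ID, and that legitimate traffic arriving through an upstream proxy is evaluated on the expected source address.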