In Microsoft Azure, WAF can be created on the Azure portal or using Azure CLI.

Azure Portal

Here is a step-by-step guide to creating a WAF using the Azure portal:

  • Sign in to the Azure portal.
  • From the menu on the left, select “Create a resource”, search for “Web Application Firewall” and click “Create”.
  • Fill in the required details, including your subscription, resource group (or create a new one), policy name, and policy mode (“Prevention” or “Detection”).
  • After filling in all the details, click “Review + create”, and then click “Create” when ready.

Azure CLI

Alternatively, you can use Azure CLI to create a WAF. The policy mode is not an option of the create command; it is a policy setting. Below are example commands that create a WAF policy and then set its mode to Detection:

az network application-gateway waf-policy create --name myWafPolicy --resource-group myResourceGroup

az network application-gateway waf-policy policy-setting update --policy-name myWafPolicy --resource-group myResourceGroup --state Enabled --mode Detection

2. Configuring Web Application Firewall

Once created, you can configure WAF’s policies, custom rules, and more based on your security requirements.

Configuring WAF Policy

You can configure the WAF policy mode to “Detection” or “Prevention”. In “Prevention” mode, WAF will block detected threats, whereas in “Detection” mode, it detects and logs threats but does not block them.

Azure also allows you to toggle the policy managed ruleset on or off or customize individual rules using “RuleSet” and “RuleGroupOverride”.

Configuring Custom Rules

Custom rules in WAF allow you to enforce specific behaviors based on your needs. For instance, you can create a rule that blocks or allows traffic from specific IP addresses or ranges. Here are sample Azure CLI commands: the first creates the custom rule with its priority and action, and the second adds the match condition that the rule evaluates:

az network application-gateway waf-policy custom-rule create --policy-name myWafPolicy --name AllowFromSpecificIP --resource-group myResourceGroup --priority 1 --rule-type MatchRule --action Allow

az network application-gateway waf-policy custom-rule match-condition add --policy-name myWafPolicy --name AllowFromSpecificIP --resource-group myResourceGroup --match-variables RemoteAddr --operator IPMatch --values 192.0.2.0/24

3. Associating WAF Policy with Application Gateway

After configuring your WAF policy, you need to associate it with an Application Gateway. Before you do, make sure the policy carries the managed rule set you want the gateway to enforce. This Azure CLI command adds the OWASP 3.1 rule set to the policy:

az network application-gateway waf-policy managed-rule rule-set add --policy-name myWafPolicy --resource-group myResourceGroup --type OWASP --version 3.1
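
The command above changes only the policy; the association itself is made on the gateway. The script below is an added example, not from the original page, showing one way to attach the policy, confirm the association, and switch modes. `myAppGateway` is a hypothetical gateway name assumed to be a WAF_v2 SKU, and `DRY_RUN=1` prints the commands instead of running them.

```sh
#!/bin/sh
# Added example. myWafPolicy and myResourceGroup come from the page;
# myAppGateway is a hypothetical gateway name (assumed to be a WAF_v2 SKU).
set -eu

RG="${RG:-myResourceGroup}"
POLICY="${POLICY:-myWafPolicy}"
APPGW="${APPGW:-myAppGateway}"

# Run a command, or just print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The WAF has exactly two policy modes; refuse anything else before calling az.
set_mode() {
  case "$1" in
    Detection|Prevention) ;;
    *) echo "invalid WAF mode: $1" >&2; return 2 ;;
  esac
  run az network application-gateway waf-policy policy-setting update \
    --resource-group "$RG" --policy-name "$POLICY" --state Enabled --mode "$1"
}

# Look up the policy's resource ID and reference it from the gateway.
associate_policy() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    policy_id="<policy-resource-id>"   # placeholder; nothing is queried in a dry run
  else
    policy_id=$(az network application-gateway waf-policy show \
      --resource-group "$RG" --name "$POLICY" --query id --output tsv)
  fi
  run az network application-gateway update \
    --resource-group "$RG" --name "$APPGW" --set "firewallPolicy.id=$policy_id"
}

# Print the policy ID the gateway currently references.
show_association() {
  run az network application-gateway show \
    --resource-group "$RG" --name "$APPGW" --query firewallPolicy.id --output tsv
}

# Usage (the file name is arbitrary):
#   sh waf-attach.sh attach            associate, confirm, stay in Detection
#   sh waf-attach.sh mode Prevention   after reviewing the Detection logs
case "${1:-}" in
  attach) set_mode Detection; associate_policy; show_association ;;
  mode)   set_mode "${2:-}" ;;
esac
```

Run it once with `DRY_RUN=1` to review the exact `az` calls before applying them to a production gateway.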

4. Monitoring WAF

Azure provides several built-in tools for monitoring and diagnosing your WAF. For example, you can leverage Azure Monitor, Log Analytics, and Application Insights for comprehensive monitoring.

To conclude, creating and configuring a WAF in Azure requires a solid understanding of your application’s security requirements and how to use Azure’s tools to meet those needs. As you prepare for the AZ-500 exam, hands-on practice in creating, configuring, and managing WAF policies will be invaluable.

Practice Test

True/False: Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.

  • True
  • False

Answer: True

Explanation: WAF defends your web applications from common web-based attacks like SQL injection and cross-site scripting. It is centralized and helps monitor the traffic for all your applications.

In Microsoft Azure, the Web Application Firewall (WAF) can be configured on which of the following?

  • A) Application Gateway
  • B) Azure CDN
  • C) Azure Front Door
  • D) All of the Above

Answer: D) All of the Above

Explanation: Azure WAF can be configured on Azure Application Gateway, Azure CDN, and Azure Front Door to provide protection to your web applications.

True/False: Azure WAF only provides support for IPv4 traffic.

  • True
  • False

Answer: False

Explanation: Azure WAF provides support for both IPv4 and IPv6 traffic.

Which of the following is not a feature of Azure WAF?

  • A) Protection against web attacks
  • B) Intrusion detection
  • C) Bot protection
  • D) Data encryption

Answer: D) Data encryption

Explanation: Features of Azure WAF include protection against web attacks, intrusion detection, and bot protection. However, it does not offer data encryption.

True/False: You can customize Azure WAF rules according to your requirements.

  • True
  • False

Answer: True

Explanation: Azure WAF supports custom rules that can be configured according to the requirements of your specific application or traffic.

Which of the following policy mode options does not exist in Azure WAF?

  • A) Detection
  • B) Prevention
  • C) Mitigation
  • D) None of the Above

Answer: C) Mitigation

Explanation: Azure WAF provides two policy modes: Detection and Prevention. There is no Mitigation mode.

Setting up Application Gateway is essential to practically implement WAF in Azure. True/False?

  • True
  • False

Answer: True

Explanation: An Application Gateway is a dedicated virtual appliance that offers numerous services, including WAF. Setting this up is crucial to implement WAF.

Azure WAF is independent of cloud and network security solutions provided by Azure. True/False?

  • True
  • False

Answer: False

Explanation: Azure WAF is tightly integrated with Azure Monitor, Azure Security Center and Azure Application Gateway to provide a complete security solution.

Azure WAF uses which rule set to protect web applications from vulnerabilities?

  • A) Azure Security Center Rule Set
  • B) OWASP Rule Set
  • C) Azure Monitor Rule Set
  • D) None of the Above

Answer: B) OWASP Rule Set

Explanation: Azure WAF uses the widely adopted Open Web Application Security Project (OWASP) Rule Set to protect web applications from vulnerabilities.

In Azure, managed rules for WAF can be customized. True/False?

  • True
  • False

Answer: False

Explanation: Azure provides pre-configured rule sets known as ‘managed rules’ for WAF. However, these managed rules cannot be customized; they can only be enabled or disabled.

Interview Questions

What is a Web Application Firewall (WAF) in Microsoft Azure?

A Web Application Firewall (WAF) in Microsoft Azure is a feature of Azure Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.

What is the Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. This includes SSL offloading, cookie-based session affinity, and the ability to host multiple sites. It serves as the base for Azure WAF.

What are the key features of Azure WAF?

Key features of Azure WAF include protection against common web-based attacks like SQL injection and XSS, protection against HTTP protocol violations, and the ability to customize rules and create exclusion lists.

How are threats detected in Azure WAF?

Azure WAF detects threats by utilizing the OWASP (Open Web Application Security Project) core rule sets, which detect patterns indicative of common web attacks. It then takes actions based on the anomaly score related to these patterns.

Which Azure WAF operation mode allows you to monitor for threats without preventing access?

This is the Detection mode. In this mode, WAF will analyze the traffic and generate logs for malicious patterns but will not block the requests.

How can you create a Web Application Firewall on Azure?

You can create a Web Application Firewall by first creating an Application Gateway. During its configuration, you have the option to enable and configure WAF.

What is WAF Policy in Azure WAF and when should it be used?

A WAF policy in Azure WAF contains the set of rules that govern how the WAF behaves. These rules can be customized according to the specific needs of your web application.

Which firewall mode should you select for enabling a new WAF Policy?

For a new WAF Policy, the firewall mode should be set to Prevention. This will enable the policy to block attacks and protect your web applications.

How can Azure WAF help to avoid false positives?

Azure WAF can help to avoid false positives through the use of custom rules and exclusion lists. These allow you to specify exceptions to the general rules, detecting real threats with more accuracy.

What are the two possible scopes when associating a WAF Policy with an application gateway?

The two possible scopes are “Global”, where the policy applies to all applications attached to a gateway, and “Listener”, where the policy is set for specific applications only.

What cloud security command center surfaces security alerts from Azure WAF?

Azure Security Center is the command center that surfaces security alerts from Azure WAF.

What types of attacks does Azure WAF protect against?

Azure WAF can protect against various attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacks.

What is the OWASP core rule set in relation to Azure WAF?

The OWASP (Open Web Application Security Project) Core Rule Set (CRS) in Azure WAF is a set of generic attack detection rules that aim to protect web applications from a wide range of attacks, including the OWASP Top 10.

What do you need to do to enable Azure WAF logging?

To enable Azure WAF logging, you’ll need to configure diagnostics settings from the Application Gateway where you have WAF enabled.

Can the Azure WAF inspect HTTPS traffic?

Yes, Azure Application Gateway can terminate, decrypt, and then inspect the HTTPS traffic before encrypting it again and forwarding it to the backend. Consequently, the Azure WAF can inspect HTTPS traffic.
