What would you like to change?

Add docs on:

- When it should be enabled (after running in production for 2 weeks while logs are developing)
- Exclusions: exclude first; common things to exclude are cookies or free text fields
- Change request required for disabling rules, so that the security team can review it
- How to query logs
How do you think that would improve the project?

Somewhere to point people at when they ask about the WAF or excluding.

It's possible to isolate the root cause of a WAF block by parsing the logs. These can be filtered by a range of criteria, including client IP, WAF policy, and the URL being accessed. Below is an example query which filters by all three:

```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| where policy_s == "*INSERTPOLICYNAMEHERE*"
| where clientIP_s contains "XXX.XXX.XXX.XXX"
| where requestUri_s contains "*INSERTBLOCKEDURLHERE*"
| order by TimeGenerated desc
```
Logs can be filtered to provide only the relevant information:

```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| where ruleName_s != "*INSERTRULENAMEHERE*"
| where policy_s == "*INSERTPOLICYNAMEHERE*"
| summarize RequestCount = count() by bin(TimeGenerated, 1m), Policy = policy_s, PolicyMode = policyMode_s, ruleName_s, clientIP_s
| order by TimeGenerated desc
```
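An added query, not from the issue author, that supports the "exclude first" advice above: during the two-week observation period it ranks which rule and which request variable (cookie, header, query or body field) trigger the most matches, so an exclusion can be scoped to one named field rather than disabling a whole rule. It assumes the `details_matches_s` column holds a JSON array whose `matchVariableName` values have the form `Type:name`, that a detection-mode policy records matches with `action_s == "Log"`, and the same `*INSERT...HERE*` placeholder convention as the queries above.

```kql
// Added example (assumption: details_matches_s is a JSON array such as
//   [{"matchVariableName":"CookieValue:session","matchVariableValue":"..."}]
// and a detection-mode policy emits action_s == "Log" instead of "Block").
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where TimeGenerated > ago(14d)                       // the two-week observation window
| where policy_s == "*INSERTPOLICYNAMEHERE*"
| where action_s in ("Block", "Log")                   // blocks, plus detection-mode matches
| extend Matches = parse_json(details_matches_s)
| mv-expand Match = Matches                            // one row per matched variable
| extend MatchVariable = tostring(Match.matchVariableName)
| extend VariableType = tostring(split(MatchVariable, ":")[0]),  // e.g. CookieValue
         VariableName = tostring(split(MatchVariable, ":")[1])   // e.g. session
| summarize Hits = count(),
            DistinctClients = dcount(clientIP_s),
            DistinctUris = dcount(requestUri_s),
            SampleUri = take_any(requestUri_s)
    by ruleName_s, VariableType, VariableName
| order by Hits desc
```

A rule/field pair with many hits spread across many distinct clients and URIs is a likely false positive from a cookie or free-text field and a candidate for a targeted exclusion; a pair hit by a single client against a single URI is more likely a genuine probe and should stay blocked.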