Use OWASP 3.x rules
March 21, 2025 ยท View on GitHub
SYNOPSIS
Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.
DESCRIPTION
Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and / or prevention of malicious attacks. Two rule set versions are available; OWASP 2.x and OWASP 3.x.
RECOMMENDATION
Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.
EXAMPLES
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Set the
properties.webApplicationFirewallConfiguration.ruleSetTypeproperty toOWASP. - Set the
properties.webApplicationFirewallConfiguration.ruleSetVersionproperty to a minimum of3.2.
For example:
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2020-11-01",
"name": "appGw-001",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"webApplicationFirewallConfiguration": {
"enabled": true,
"firewallMode": "Prevention",
"ruleSetType": "OWASP",
"ruleSetVersion": "3.2",
"disabledRuleGroups": [],
"requestBodyCheck": true,
"maxRequestBodySizeInKb": 128,
"fileUploadLimitInMb": 100
}
}
}
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Set the
properties.webApplicationFirewallConfiguration.ruleSetTypeproperty toOWASP. - Set the
properties.webApplicationFirewallConfiguration.ruleSetVersionproperty to a minimum of3.2.
For example:
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
name: 'appGw-001'
location: location
properties: {
sku: {
name: 'WAF_v2'
tier: 'WAF_v2'
}
webApplicationFirewallConfiguration: {
enabled: true
firewallMode: 'Prevention'
ruleSetType: 'OWASP'
ruleSetVersion: '3.2'
}
}
}
Configure with Azure CLI
az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '<name>' -g '<resource_group>'
Configure with Azure PowerShell
$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'