Application Gateway rules are enabled
March 21, 2025 ยท View on GitHub
SYNOPSIS
Application Gateway Web Application Firewall (WAF) should have all rules enabled.
DESCRIPTION
Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.
When OWASP rules are turned off, the protection they provide is disabled.
RECOMMENDATION
Consider enabling all OWASP rules within Application Gateway instances.
Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.
EXAMPLES
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Set the
properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupNameproperty to$ruleName.
For example:
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2020-11-01",
"name": "appGw-001",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"webApplicationFirewallConfiguration": {
"enabled": true,
"firewallMode": "Prevention",
"ruleSetType": "OWASP",
"ruleSetVersion": "3.2",
"disabledRuleGroups": [
{
"ruleGroupName": "exampleRule",
"rules": []
}
],
"requestBodyCheck": true,
"maxRequestBodySizeInKb": 128,
"fileUploadLimitInMb": 100
}
}
}
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Set the
properties.webApplicationFirewallConfiguration.enabledproperty totrue.
For example:
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
name: 'appGw-001'
location: location
properties: {
sku: {
name: 'WAF_v2'
tier: 'WAF_v2'
}
webApplicationFirewallConfiguration: {
enabled: true
firewallMode: 'Prevention'
ruleSetType: 'OWASP'
ruleSetVersion: '3.2'
disabledRuleGroups: [
{
ruleGroupName: 'exampleRule',
rules: []
}
]
}
}
}