Use Recommended Front Door WAF policy rule groups
March 21, 2025
SYNOPSIS
Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.
DESCRIPTION
Front Door WAF policies support two main Rule Groups.
- OWASP - Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. It does this through rules based on the OWASP core rule sets 3.2, 3.1, and 3.0. It is recommended to use the latest rule set.
- Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.
RECOMMENDATION
Consider configuring Front Door WAF policies to use the recommended rule sets.
EXAMPLES
Configure with Azure template
To deploy WAF policies that pass this rule:
- Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
  - Use the rule set version 2.0 or greater.
- Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
  - Use the rule set version 1.0 or greater.
For example:
{
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2022-05-01",
  "name": "[parameters('name')]",
  "location": "Global",
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "properties": {
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [],
          "ruleGroupOverrides": []
        }
      ]
    },
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    }
  }
}
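The two requirements above can also be checked against a compiled ARM template before deployment, for example in a CI step. The following Python check is an added example, not code from this page or from the project that publishes this rule; the function names and the sample template are constructed for illustration, and it inspects only top-level `resources` entries.

```python
# Minimum versions stated on this page for each required managed rule set.
REQUIRED = {"Microsoft_DefaultRuleSet": (2, 0), "Microsoft_BotManagerRuleSet": (1, 0)}
WAF_TYPE = "microsoft.network/frontdoorwebapplicationfirewallpolicies"

def parse_version(text):
    """Turn '2.1' into (2, 1) so versions compare numerically, not as strings."""
    try:
        return tuple(int(part) for part in str(text).split("."))
    except ValueError:
        return None  # e.g. an unresolved '[parameters(...)]' expression

def check_policy(resource):
    """Return findings for one WAF policy resource; an empty list means it passes."""
    managed = resource.get("properties", {}).get("managedRules", {})
    rule_sets = managed.get("managedRuleSets", [])
    findings = []
    for rule_type, minimum in REQUIRED.items():
        versions = [parse_version(rs.get("ruleSetVersion"))
                    for rs in rule_sets if rs.get("ruleSetType") == rule_type]
        if not versions:
            findings.append(f"{rule_type}: missing")
        elif not any(v is not None and v >= minimum for v in versions):
            # Versions that cannot be parsed offline are not counted as compliant.
            findings.append(f"{rule_type}: below {minimum[0]}.{minimum[1]}")
    return findings

def check_template(template):
    """Map each Front Door WAF policy name in an ARM template to its findings."""
    return {r.get("name", "<unnamed>"): check_policy(r)
            for r in template.get("resources", [])
            if r.get("type", "").lower() == WAF_TYPE}

def _policy(name, *rule_sets):
    """Build a constructed sample policy resource from (type, version) pairs."""
    return {"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
            "name": name,
            "properties": {"managedRules": {"managedRuleSets": [
                {"ruleSetType": t, "ruleSetVersion": v} for t, v in rule_sets]}}}

# Constructed sample template (not from the page): one compliant, one outdated.
SAMPLE = {"resources": [
    _policy("good", ("Microsoft_DefaultRuleSet", "2.1"),
            ("Microsoft_BotManagerRuleSet", "1.0")),
    _policy("old", ("Microsoft_DefaultRuleSet", "1.1")),
]}

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE).items():
        print(name, "PASS" if not findings else findings)
```

To check a real template, load it with `json.load` and pass the resulting dictionary to `check_template`.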
Configure with Bicep
To deploy WAF policies that pass this rule:
- Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
  - Use the rule set version 2.0 or greater.
- Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
  - Use the rule set version 1.0 or greater.
For example:
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: name
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
          ruleSetAction: 'Block'
          exclusions: []
          ruleGroupOverrides: []
        }
      ]
    }
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
  }
}