If traffic is coming from a known source of bot activity, the traffic can be blocked. This post focuses on Custom Rules, but it is important to understand how the managed rulesets work. For more information on these, look for future blog posts here or consult the Azure WAF documentation.

Important Custom Rule Concepts

Custom Rules can be viewed and built using the Azure Portal by navigating to Web Application Firewall Policies (WAF), selecting your policy, and clicking on the Custom Rules blade. Creating a custom rule is as simple as clicking Add Custom Rule and entering a few required fields. However, there are some important concepts to understand before you create your own rules.

The most important thing to mention about Custom Rules is that they are terminating. This means that if the logic of the rule is matched, all other rules stop processing, including the lower priority (higher number) Custom Rules, and both OWASP and Bot managed rulesets. This is the case regardless of the action of the rule; even if traffic is allowed, no further rules are processed. This can have positive or negative implications.

The Allow action should be used sparingly in Custom Rules because, since the rule terminates, all other inspection provided by WAF will be skipped. Understanding this, you can use Allow rules when the intent is to skip the other checks, such as in tuning situations. If certain requests tend to trigger false positives, you can use a Custom Rule to allow the traffic at a more granular level than would be possible by using exclusions or disabling rules.

In most scenarios, it is best to use Custom Rules with the Deny action, as a terminating Deny rule is entirely expected and without unanticipated consequences. For instance, if you wanted to use a WAF Custom Rule to create an IP Address allow list, it is better to Deny traffic that is not from the IP addresses in the list rather than Allow traffic from those IPs. Using the Deny action avoids causing traffic allowed by this rule to bypass the OWASP and Bot rulesets.

Another concept to make use of in constructing effective Custom Rules is compound conditions. Rules can be created with a single condition, or you can add multiple conditions that must be satisfied to constitute a match. When adding multiple conditions, they are added as an AND statement, so all conditions must be met for the Action to take place. If you need to construct a rule with OR logic, it is best to create multiple rules with the same Action.

Custom Rule Example Templates and Use Cases

We have created 2 ARM templates, which will create both WAF Policy types, one for WAF on Application Gateway and one for WAF on Front Door. These policies are intended to give you a starting point for creating your own Custom Rules.
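
The terminating behaviour, the AND logic and the IP allow list advice on this page can be seen side by side in a small model. This is an added Python example, not code from the original post or from Azure: `Condition`, `Rule`, `evaluate`, `managed_rulesets` and the sample addresses are assumptions, and the managed rulesets are reduced to a single stand-in signature.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Condition:
    field: str             # "ip" or "uri" in this simplified model
    values: tuple
    negate: bool = False   # True = "is not in the list"

    def matches(self, req):
        if self.field == "ip":
            hit = any(ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(v)
                      for v in self.values)
        else:
            hit = any(v in req[self.field] for v in self.values)
        return hit != self.negate

@dataclass
class Rule:
    name: str
    priority: int          # lower number = evaluated first
    action: str            # "Allow" or "Deny"
    conditions: list

def managed_rulesets(req):
    # Stand-in for the OWASP and Bot managed rulesets: one toy signature.
    return "Deny" if "<script" in req["uri"].lower() else "Allow"

def evaluate(rules, req):
    """Return (action, deciding_rule) for one request."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(c.matches(req) for c in rule.conditions):   # conditions are ANDed
            return rule.action, rule.name                  # match terminates here
    return managed_rulesets(req), "managed"                # reached only if nothing matched

ALLOW_LIST = ("203.0.113.0/24",)   # constructed documentation range
allow_style = [Rule("AllowListed", 10, "Allow", [Condition("ip", ALLOW_LIST)])]
deny_style = [Rule("DenyUnlisted", 10, "Deny",
                   [Condition("ip", ALLOW_LIST, negate=True)])]

# Constructed requests: a listed client whose request trips the toy signature,
# and an unlisted client sending a benign request.
listed_bad = {"ip": "203.0.113.7", "uri": "/search?q=<script>"}
unlisted_ok = {"ip": "198.51.100.9", "uri": "/"}

if __name__ == "__main__":
    for label, rules in (("allow-style", allow_style), ("deny-style", deny_style)):
        print(label, evaluate(rules, listed_bad), evaluate(rules, unlisted_ok))
```

With the Allow-style list, the listed client's request is allowed without ever reaching the managed rulesets, and the unlisted client is not blocked by the rule at all. With the Deny-style list, unlisted clients are blocked and listed clients still pass through managed inspection.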