Frequently asked questions for Azure Web Application Firewall on Application Gateway

This article answers common questions about features and functionality for Azure Web Application Firewall on Azure Application Gateway.

What is Azure Web Application Firewall?

Azure Web Application Firewall is a web application firewall (WAF) that helps protect your web applications from common threats such as SQL injection, cross-site scripting, and other web exploits. You can define a WAF policy that consists of a combination of custom and managed rules to control access to your web applications.

You can apply a WAF policy to web applications hosted on Azure Application Gateway or Azure Front Door.

What features does the WAF product tier support?

The WAF tier of Application Gateway supports all the features available in the Standard tier.

How do I monitor the WAF?

Monitor the WAF through diagnostic logging. For more information, see Diagnostic logs for Application Gateway.

Does detection mode block traffic?

No. Detection mode only logs traffic that triggers a WAF rule.

Can I customize WAF rules?

Yes. For more information, see Customize WAF rules.
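The usual workflow behind the two previous answers is to run a policy in detection mode, review the diagnostic log to find managed rules that fire on legitimate traffic, tune those rules, and only then switch to prevention mode. The following script is an added example (it is not code from the Azure documentation or from Microsoft) that summarizes exported firewall log records for that review. It assumes the documented JSON shape of the ApplicationGatewayFirewallLog category (category, properties.clientIp, requestUri, ruleId, action); the sample log lines, the rule IDs they carry and the helper names are constructed for illustration.

```python
"""Summarize Application Gateway WAF firewall log records exported through diagnostic logging.

Added example, not part of the Azure documentation. It assumes the documented
ApplicationGatewayFirewallLog record shape; every sample line below is constructed.
"""
import json
from collections import Counter, defaultdict

FIREWALL_CATEGORY = "ApplicationGatewayFirewallLog"

# Constructed sample export: three firewall records, one access-log record that
# must be ignored, and one malformed line that must be skipped.
SAMPLE_LOG_LINES = [
    json.dumps({"category": FIREWALL_CATEGORY, "properties": {
        "clientIp": "203.0.113.10", "requestUri": "/search?q=1%27%20OR%201%3D1",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": "942100",
        "action": "Matched", "message": "SQL Injection Attack Detected via libinjection"}}),
    json.dumps({"category": FIREWALL_CATEGORY, "properties": {
        "clientIp": "203.0.113.10", "requestUri": "/search?q=1%27%20OR%201%3D1",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": "949110",
        "action": "Detected", "message": "Inbound Anomaly Score Exceeded (Total Score: 5)"}}),
    json.dumps({"category": FIREWALL_CATEGORY, "properties": {
        "clientIp": "198.51.100.7", "requestUri": "/api/orders",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": "920320",
        "action": "Matched", "message": "Missing User Agent Header"}}),
    json.dumps({"category": FIREWALL_CATEGORY, "properties": {
        "clientIp": "198.51.100.8", "requestUri": "/api/orders",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": "920320",
        "action": "Matched", "message": "Missing User Agent Header"}}),
    json.dumps({"category": "ApplicationGatewayAccessLog", "properties": {
        "clientIp": "198.51.100.8", "requestUri": "/api/orders", "httpStatus": 200}}),
    "this line is not JSON and must be skipped",
]


def parse_firewall_records(lines):
    """Return the properties of well-formed firewall records; skip other categories and bad lines."""
    records = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("category") != FIREWALL_CATEGORY:
            continue
        records.append(entry["properties"])
    return records


def summarize_actions(records):
    """Count records per WAF action (Matched, Detected, Blocked)."""
    return Counter(r["action"] for r in records)


def is_detection_mode_only(records):
    """True when no record carries the Blocked action, i.e. the policy only logged matches."""
    return all(r["action"] != "Blocked" for r in records)


def rules_by_uri(records):
    """Map (ruleId, request path without query string) to the number of distinct client IPs."""
    hits = defaultdict(set)
    for r in records:
        path = r["requestUri"].split("?", 1)[0]
        hits[(r["ruleId"], path)].add(r["clientIp"])
    return {key: len(ips) for key, ips in hits.items()}


def tuning_candidates(records, min_distinct_clients=2):
    """Rules that fire on one path from several distinct clients.

    A managed rule tripping for many clients on the same path is a false-positive
    candidate to review (and, if confirmed, to tune or exclude) before the policy
    is switched from detection mode to prevention mode.
    """
    return sorted(key for key, n in rules_by_uri(records).items() if n >= min_distinct_clients)


if __name__ == "__main__":
    recs = parse_firewall_records(SAMPLE_LOG_LINES)
    print("actions:", dict(summarize_actions(recs)))
    print("detection mode only:", is_detection_mode_only(recs))
    print("review before prevention mode:", tuning_candidates(recs))
```

On real data, feed the script the lines of a diagnostic log export (for example, the JSON Lines files written to a storage account) and raise `min_distinct_clients` to a threshold that fits your traffic volume; the anomaly-score rule (949110 in the constructed sample) will usually dominate the counts and is not itself the rule to tune.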

What rules are currently available for the WAF?

The WAF currently supports Core Rule Set (CRS) 3.2, 3.1, and 3.0. These rules provide baseline security against most of the top 10 vulnerabilities that the Open Web Application Security Project (OWASP) identifies:

  • Protection against SQL injection
  • Protection against cross-site scripting
  • Protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • Protection against HTTP protocol violations
  • Protection against HTTP protocol anomalies such as missing Host, User-Agent, and Accept headers
  • Protection against bots, crawlers, and scanners
  • Detection of common application misconfigurations (for example, Apache and IIS)

For more information, see the OWASP top 10 vulnerabilities.

CRS 2.2.9 is no longer supported for new WAF policies. We recommend that you upgrade to the latest CRS version. You can't use CRS 2.2.9 along with CRS 3.2/DRS 2.1 and later versions.

What content types does the WAF support?

The Application Gateway WAF supports the following content types for managed rules:

  • application/json
  • application/xml
  • application/x-www-form-urlencoded
  • multipart/form-data

And for custom rules:

  • application/x-www-form-urlencoded
  • application/soap+xml, application/xml, text/xml
  • application/json
  • multipart/form-data

Does the WAF support DDoS protection?

Yes. You can enable distributed denial-of-service (DDoS) protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also helps protect the application gateway's virtual IP (VIP).

Does the WAF store customer data?

No, the WAF doesn't store customer data.

How does the WAF work with WebSocket?

Azure Application Gateway natively supports WebSocket. WebSocket on the Application Gateway WAF doesn't require any extra configuration to work. However, the WAF doesn't inspect the WebSocket traffic. After the initial handshake between client and server, the data exchanged between them can be of any format (for example, binary or encrypted), so the WAF can't always parse it. The WAF acts only as a pass-through proxy for that data; validating the messages exchanged over the WebSocket remains the responsibility of the application.

For more information, see Overview of WebSocket support in Application Gateway.