Regional WAF (Integrated with Azure Application Gateway)
We are excited to share that on May 3rd Microsoft announced the general availability of the managed rule set OWASP 3.2, also known as CRS 3.2, bringing additional features on WAF for Application Gateway that offer customers better security, improved scale, easier deployment, and better management of their applications.
Read the Intelligent application protection from edge to cloud with Azure Web Application Firewall announcement blog and Azure updates for more details on this announcement. For more information, visit Azure WAF documentation.
What’s new?
CRS 3.2 brings a new improved security posture on regional WAF integrated with Azure Application Gateway. Customers are strongly encouraged to take advantage of the latest ruleset and migrate from older CRS versions to reduce false positives.
Note: CRS 3.1 or below runs on the older versions of WAF engine. The default for policy deployment is CRS 3.1. During deployment, you can choose CRS 3.2. Once you create a WAF policy or upgrade and existing policy to OWASP_3.2, there is no option to downgrade the managed rule set to older versions.
As stated in our public docs, CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS version.
There are 6 new options of Keys and Values as request attributes available to create the exclusions, like Request Header Key, and Request Args Key. You can find more details here.
Note: As of early May 2022, we are rolling out updates to the Azure portal for these features. If you don't see configuration options in the portal, please use PowerShell, the Azure CLI, Bicep, or ARM templates to configure global or per-rule exclusions.
Metrics |
Description |
Dimension |
WAF Total Requests |
Count of successful requests that WAF engine has served. |
Action, Country/Region, Method, Mode |
WAF Managed Rule Matches |
Count of total requests that a managed rule has matched. |
Action, Country/Region, Mode, Rule Group, Rule Id |
WAF Custom Rule Matches |
Count of total requests that match a specific custom rule. |
Action, Country/Region, Mode, Rule Group, Rule Name |
WAF Bot Protection Matches |
Count of total requests that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. |
Action, Country/Region, Bot Type, Mode |
Global WAF (Integrated with Azure Front Door)
A new managed rule set called Default Rule Set 2.0 with anomaly scoring, Bot Manager 1.0, and security service that protects applications and APIs running in Azure or anywhere else, has also been announced in general availability on WAF for Azure Front Door on March 29th.
The new managed rule set DRS 2.0 is only available for Azure Front Door Premium and includes the latest Microsoft proprietary rules authored by Microsoft Threat Intelligence. See the Feature Comparison between both Standard and Premium SKUs.
If you have multiple domains in your Front Door Premium, you can assign different WAF policies per Domain.
Learn More
Azure WAF provides advanced threat protection capabilities to help detect and protect against web application vulnerabilities. For more information on everything we covered above, please see the following documentation:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.