Microsoft Tech Community

I don't understand the two WAF Modes


I have read the documentation on the two WAF modes (Detection and Prevention).

Detection mode: Monitor and log all threat alerts. Enable logging diagnostics for Application Gateway in the Diagnostics section. You must also ensure that WAF logging is selected and enabled. The Web Application Firewall does not block incoming requests when operating in Detect mode.
Prevention mode: Blocks intrusions and attacks that are detected by the rules. The attacker receives a "403 unauthorized access" exception and the connection is closed. Prevention mode logs these attacks in the WAF logs.


But then in the OWASP rules we have the ability to assign WAF actions: Allow, Block, Log, Anomaly Score.

I don't understand, because if I create a WAF policy in Prevention mode, I think it is not necessary to change the WAF actions, right?

How do you see when an anomaly score is detected, and where do you see this internal score? Is it seen in the logs?

This for me is very confusing, and I need help.

Thanks!

1 Reply
Hi Chris,

The score can be seen within the logs from your Application Gateway, but essentially it's only going to show as blocked if it hits a total score of 5. Use the link below for reference:

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#anomaly-scoring-mode

We have our rules set to 'Anomaly Score' and we have not had any issues yet...

The query below can be used to review the WAF logs from the Application Gateway:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"

Thanks
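To make the reply's point concrete (per-rule matches add to a running score, and a request only shows as blocked once the total reaches 5, and only in Prevention mode), here is an added Python model of that evaluation. It is not code from the thread or from Azure; the severity weights follow the linked Microsoft doc, the rule ids and log lines are constructed, and the semantics of the per-rule Allow/Block/Log overrides are an assumption modelled on the documented WAF actions.

```python
from dataclasses import dataclass

# Severity weights used by anomaly scoring (as described in the linked Azure doc).
SEVERITY_WEIGHT = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCK_THRESHOLD = 5  # the total score the reply says must be reached before a block


@dataclass
class RuleMatch:
    rule_id: str                  # constructed placeholder id, not a real CRS rule id
    severity: str                 # CRITICAL / ERROR / WARNING / NOTICE
    action: str = "AnomalyScore"  # per-rule override: AnomalyScore, Log, Block or Allow


def evaluate(matches, mode):
    """Return (final_action, total_score, log_lines) for one request.

    mode is "Detection" or "Prevention". In Detection mode nothing is ever
    blocked; the outcome is recorded as "Detected" instead. Per-rule action
    semantics are an ASSUMPTION modelled on the Azure docs: Allow lets the
    request through and stops evaluation, Block blocks regardless of score,
    Log records the match without scoring it, AnomalyScore adds the weight.
    """
    total, logs = 0, []
    blocked = "Blocked" if mode == "Prevention" else "Detected"
    for m in matches:
        if m.action == "Allow":
            logs.append(f"rule {m.rule_id}: Allowed (per-rule action)")
            return "Allowed", total, logs
        if m.action == "Block":
            logs.append(f"rule {m.rule_id}: {blocked} (per-rule action)")
            return blocked, total, logs
        if m.action == "Log":
            logs.append(f"rule {m.rule_id}: Logged (not scored)")
            continue
        total += SEVERITY_WEIGHT[m.severity]
        logs.append(f"rule {m.rule_id}: Matched, score now {total}")
    if total >= BLOCK_THRESHOLD:
        logs.append(f"Inbound Anomaly Score Exceeded (Total Score: {total})")
        return blocked, total, logs
    return "Allowed", total, logs


if __name__ == "__main__":
    # Constructed sample: two WARNING matches (3 + 3) cross the threshold of 5.
    sample = [RuleMatch("rule-A", "WARNING"), RuleMatch("rule-B", "WARNING")]
    for mode in ("Detection", "Prevention"):
        print(mode, evaluate(sample, mode)[:2])
```

The same pair of matches is logged identically in both modes; only the final outcome differs, which is why switching a policy to Prevention is enough to block without touching the per-rule actions.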