Application Gateway WAF Policy
3 Topics

Azure waf policy terraform checkov scan is failing
Hello All

    By bridgecrew.io | version: 2.4.39
    Update available 2.4.39 -> 2.4.48
    Run pip3 install -U checkov to update

    terraform scan results:

    Passed checks: 1, Failed checks: 1, Skipped checks: 0

    Check: CKV_AZURE_122: "Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes"
        PASSED for resource: azurerm_web_application_firewall_policy.main
        File: \main.tf:1-65
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-application-gateway-uses-waf-in-detection-or-prevention-modes.html

    Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
        FAILED for resource: azurerm_web_application_firewall_policy.main
        File: \main.tf:1-65
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-application-gateway-waf-prevents-message-lookup-in-log4j2.html

        Code lines for this resource are too many. Please use IDE of your choice to review the file.
log4j scan is failing

    resource "azurerm_web_application_firewall_policy" "main" {
      name                = var.name
      resource_group_name = var.resource_group_name
      location            = var.location
      tags                = var.tags

      policy_settings {
        enabled                     = var.waf_enabled
        file_upload_limit_in_mb     = var.file_upload_limit_mb
        max_request_body_size_in_kb = var.max_request_body_size_kb
        mode                        = var.firewall_mode
      }

      dynamic "custom_rules" {
        for_each = var.custom_policies
        content {
          name      = custom_rules.value.name
          priority  = custom_rules.value.priority
          rule_type = custom_rules.value.rule_type
          action    = custom_rules.value.action

          dynamic "match_conditions" {
            for_each = var.match_conditions
            content {
              dynamic "match_variables" {
                for_each = var.match_variables
                content {
                  variable_name = match_variables.value.match_variable
                  selector      = match_variables.value.selector
                }
              }
              operator           = match_conditions.value.operator
              negation_condition = match_conditions.value.negation_condition
              match_values       = match_conditions.value.match_values
            }
          }
        }
      }

      managed_rules {
        managed_rule_set {
          type    = var.rule_set_type
          version = var.rule_set_version

          dynamic "rule_group_override" {
            for_each = var.managed_policies_override
            content {
              rule_group_name = rule_group_override.value.rule_group_name
              disabled_rules  = rule_group_override.value.disabled_rules
            }
          }
        }

        dynamic "exclusion" {
          for_each = var.managed_policies_exclusions
          content {
            match_variable          = exclusion.value.match_variable
            selector                = exclusion.value.selector
            selector_match_operator = exclusion.value.selector_match_operator
          }
        }
      }
    }

Azure web application firewall policy terratest is failing
hello All

    Creating Application Gateway Web Application Firewall Policy: (Name "test-waf-policy-13" / Resource Group "rg--devops-01"): network.WebApplicationFirewallPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayFirewallMatchValueNoCollection" Message="Custom Rule 'customruletest' doesn not have a valid collection match variable 'RemoteAddr' which support selector in its condition in context 'properties.customRules[0].matchConditions[0].matchVariables[0]'." Details=[]

Below is the tfvars file

    "waf_policy_rglocation":                    "northeurope",
    "waf_policy_custom_rules_name":             "customruletest",
    "waf_policy_custom_rules_priority":         "1",
    "waf_policy_custom_rules_rule_type":        "MatchRule",
    "waf_policy_match_variable_name":           "RemoteAddr",
    "waf_policy_operator":                      "IPMatch",
    "waf_policy_negation_condition":            false,
    "waf_policy_match_values":                  []string{"192.168.1.0/24"},
    "waf_policy_custom_rules_action":           "Block",
    "waf_policy_enabled":                       true,
    "waf_policy_mode":                          "Prevention",
    "waf_policy_request_body_check":            true,
    "waf_policy_file_upload_limit_in_mb":       100,
    "waf_policy_match_variables_selector":      "UserAgent",
    "waf_policy_managed_rules_variable":        "RequestHeaderNames",
    "waf_policy_managed_rules_selector":        "x-company-secret-header",
    "waf_policy_managed_rules_operator":        "Contains",
    "waf_policy_set_type":                      "OWASP",
    "waf_policy_version":                       "3.2",
    "waf_policy_managed_rules_rule_group_name": "REQUEST-944-APPLICATION-ATTACK-JAVA",
    "waf_policy_override_rule_id":              "944130",
    "waf_policy_rule_enabled":                  true,
    "waf_policy_rule_action":                   "Block",

Application Gateway WAF custom rule is not triggered if the HTTP header field is not present
Hi Community,

I have this strange behavior on my Application Gateway WAF. I created this custom rule (see image below) to deny traffic when the HTTP request has the Referer HTTP header field empty or missing. The problem is that this rule is only triggered when the Referer HTTP header field is empty but not when it is missing 😞 Instead, the same custom rule is working fine on the Front Door WAF. Why is it happening? Did I do something wrong?
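The three posts above all deal with the same `azurerm_web_application_firewall_policy` schema, so here is one added example written for this page (it is not code from any of the posters) with literal values instead of variables. It shows the point behind the second post's `ApplicationGatewayFirewallMatchValueNoCollection` error: `RemoteAddr` is a scalar match variable and takes no selector, whereas a collection variable such as `RequestHeaders` needs one to name the header (the same shape a Referer rule like the one in the third post uses). The managed rule set is written out literally (OWASP 3.2, nothing disabled in REQUEST-944-APPLICATION-ATTACK-JAVA); my assumption for the first post's failing CKV_AZURE_135 is that checkov cannot evaluate `var.rule_set_type` and `var.rule_set_version` without a default or a tfvars file, so confirm the exact condition against the check's source for your checkov version. The policy name, resource group, the scanner User-Agent string and the match values are constructed; the example does not explain why Application Gateway skips the Referer rule when the header is absent, which remains the third post's open question.

```hcl
# Added example, not taken from the posts above. Names, resource group and
# sample match values are constructed for illustration.

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example-waf-policy" # constructed
  resource_group_name = "rg-example"         # constructed
  location            = "northeurope"

  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  # RemoteAddr is a scalar variable: it takes no selector. Supplying one
  # (the second post passed "UserAgent") is what the API rejects with
  # ApplicationGatewayFirewallMatchValueNoCollection.
  custom_rules {
    name      = "BlockSourceRange"
    priority  = 1
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["192.168.1.0/24"] # constructed sample range
    }
  }

  # RequestHeaders is a collection variable: the selector names the header
  # to inspect. A Referer rule uses this same shape with selector = "Referer".
  custom_rules {
    name      = "BlockScannerUserAgent"
    priority  = 2
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      match_variables {
        variable_name = "RequestHeaders"
        selector      = "User-Agent"
      }
      operator           = "Contains"
      negation_condition = false
      match_values       = ["example-scanner"] # constructed value
    }
  }

  managed_rules {
    # Literal type and version: a static scanner can evaluate them directly.
    # No rule_group_override, so REQUEST-944-APPLICATION-ATTACK-JAVA stays
    # fully enabled.
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }

    # An exclusion scoped to one header name rather than to the whole rule set
    # (header name taken from the second post's values).
    exclusion {
      match_variable          = "RequestHeaderNames"
      selector                = "x-company-secret-header"
      selector_match_operator = "Equals"
    }
  }
}
```

To reuse the first post's variable-driven module with this layout, keep the selector out of the `match_variables` block for scalar variables (set it to `null` in the input map or make the block conditional) and set it only for collection variables such as `RequestHeaders`, `RequestCookies`, `PostArgs` and `QueryString`.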