# Use OWASP 3.x rules
Security · Application Gateway · Rule · 2020_06 · Important
Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.
## Description

Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and/or prevention of malicious attacks. Two rule set versions are available: OWASP 2.x and OWASP 3.x.
## Recommendation

Consider configuring Application Gateways to use the OWASP 3.x rule set instead of a 2.x rule set version.
## Examples

### Configure with Azure template

To deploy Application Gateways that pass this rule:

- Set the `properties.webApplicationFirewallConfiguration.ruleSetType` property to `OWASP`.
- Set the `properties.webApplicationFirewallConfiguration.ruleSetVersion` property to a minimum of `3.2`.

For example:
```json
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "appGw-001",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Prevention",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": [],
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    }
  }
}
```
### Configure with Bicep

To deploy Application Gateways that pass this rule:

- Set the `properties.webApplicationFirewallConfiguration.ruleSetType` property to `OWASP`.
- Set the `properties.webApplicationFirewallConfiguration.ruleSetVersion` property to a minimum of `3.2`.

For example:
```bicep
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
    }
  }
}
```
### Configure with Azure CLI

```bash
az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '<name>' -g '<resource_group>'
```
### Configure with Azure PowerShell

```powershell
$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'
```
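The same two conditions can be checked offline against an exported ARM template before deployment. The script below is an added example, not PSRule's own implementation or code from this page; the sample template and the gateway names `appGw-001` and `appGw-legacy` are constructed, and a gateway whose SKU tier is not a WAF tier is treated as out of scope.

```python
"""Offline audit: flag Application Gateways whose WAF is not on OWASP 3.2 or later."""
APPGW_TYPE = "Microsoft.Network/applicationGateways"
MIN_VERSION = (3, 2)  # minimum ruleSetVersion the steps above ask for

def parse_version(value):
    """'3.2' -> (3, 2); '2.2.9' -> (2, 2, 9). Non-numeric parts become -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in str(value).split("."))

def check_waf_config(resource):
    """Return (passed, reason) for one applicationGateways resource."""
    props = resource.get("properties", {})
    if not props.get("sku", {}).get("tier", "").startswith("WAF"):
        return True, "not a WAF SKU, rule does not apply"
    cfg = props.get("webApplicationFirewallConfiguration") or {}
    if not cfg.get("enabled", False):
        return False, "WAF configuration missing or disabled"
    if cfg.get("ruleSetType") != "OWASP":
        return False, f"ruleSetType is {cfg.get('ruleSetType')!r}, expected 'OWASP'"
    version = cfg.get("ruleSetVersion", "0")
    if parse_version(version) < MIN_VERSION:
        return False, f"ruleSetVersion {version!r} is below 3.2"
    return True, f"OWASP {version}"

def audit_template(template):
    """Map each gateway name in an ARM template to its (passed, reason)."""
    return {r["name"]: check_waf_config(r)
            for r in template.get("resources", [])
            if r.get("type") == APPGW_TYPE}

def make_gateway(name, tier, **waf):
    """Build a minimal gateway resource for the constructed sample below."""
    return {"type": APPGW_TYPE, "name": name,
            "properties": {"sku": {"name": tier, "tier": tier},
                           "webApplicationFirewallConfiguration": dict(waf)}}

# Constructed sample: one gateway on OWASP 3.2, one still on the 2.x rule set.
SAMPLE_TEMPLATE = {"resources": [
    make_gateway("appGw-001", "WAF_v2", enabled=True, firewallMode="Prevention",
                 ruleSetType="OWASP", ruleSetVersion="3.2"),
    make_gateway("appGw-legacy", "WAF", enabled=True, firewallMode="Detection",
                 ruleSetType="OWASP", ruleSetVersion="2.2.9"),
]}

if __name__ == "__main__":
    for name, (passed, reason) in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {reason}")
```

To audit a real template, load its JSON with `json.load` and pass the resulting dict to `audit_template`.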
## Links
- Best practices for endpoint security on Azure
- OWASP ModSecurity Core Rule Set
- Azure deployment reference