How to troubleshoot your Azure Web Application Firewall

If you have an Azure Web Application Firewall (WAF) in front of your load balancer, and that WAF has rule sets enabled with the policy mode set to Prevention rather than Detection, you may see some requests never reaching your web application.

It is recommended to first run your WAF in Detection mode for some time and review the logs, but that is of course not a sure-fire way to guarantee you will not have issues. Luckily for us, we can make use of KQL and Log Analytics here, as long as we have set up logging properly.

Ensure you have this configuration on your load balancer under Diagnostics Settings:

Some starter queries

KQL is pretty self-explanatory for someone like me who is used to some scripting, but if you have not worked with it before it can be hard to know where to start. Here are some starter queries for you to use:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s != "Allowed"
| where ResourceGroup startswith "<name of your rg>"

This one will get you started and show you all of the requests sent via the WAF where traffic was not allowed to pass through. We are also filtering on a specific resource group in case you have more than one load balancer in your environment.

With this information you may see logs like the following one:

With this information we can start narrowing down our filters.

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s != "Allowed"
| where ResourceGroup startswith "<name of your rg>"
| where requestUri_s == "/<my-uri>/<request>"

This is the same filter, but we ensure we only see traffic matching the specific URL we are looking at. For instance, we may only want to see requests headed towards /app/promo.

Now, let's say we fixed that issue with a rule group override (I will show how later). We are still seeing issues in our application and want to get a lay of the land. The following query shows us the other things that are blocked, by intentionally excluding requests with a hit on a certain URI:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s != "Allowed"
| where ResourceGroup startswith "<name of your rg>"
| where requestUri_s != "/<my-uri>/<request>"

If we want to ensure that our override is working we can change the != "Allowed" filter to == "Allowed" and see if we get any hits. If we do we know traffic is passing through.
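Before writing an override you need to know which managed rule actually fired, not just which URI was hit. The query below is an added example, not one of the post's own queries: it groups the non-allowed requests by rule id and rule message, counts hits and distinct clients, and keeps a few sample URIs and one sample match detail so you can judge whether a rule is a false positive for your application before relaxing it. It assumes the AzureDiagnostics columns ruleId_s, Message, clientIp_s and details_message_s, which are the column names the WAF log schema used at the time of writing; check your own workspace if a column is missing.

```kql
// Added example: which WAF rules are blocking traffic, and how often?
// Placeholders: <name of your rg>. Column names (ruleId_s, Message,
// clientIp_s, details_message_s) are assumed from the AzureDiagnostics
// WAF log schema; verify them in your own workspace.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s != "Allowed"
| where ResourceGroup startswith "<name of your rg>"
| summarize
    Hits            = count(),                    // how often this rule fired
    DistinctClients = dcount(clientIp_s),         // one noisy client or many?
    SampleUris      = make_set(requestUri_s, 5),  // up to 5 URIs that triggered it
    SampleDetail    = take_any(details_message_s),// what the rule matched on
    LastSeen        = max(TimeGenerated)
    by ruleId_s, Message
| order by Hits desc
```

A rule that fires from many distinct clients against one legitimate endpoint is a candidate for a targeted override; a rule that fires from a handful of clients across random URIs is usually the WAF doing its job, and you should leave it in Prevention. The ruleId_s values in the result are the ids you put into the Terraform rule blocks shown in the next section.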

Create rule group overrides

There are several different ways we can configure overrides but considering we are always looking to improve our IaC skills I will show you the configuration with Terraform.

Inside of our azurerm_web_application_firewall_policy resource we most likely have applied a managed rule set, looking perhaps like this:

managed_rules {
  managed_rule_set {
    type    = "OWASP"
    version = "3.2"

    rule_group_override {
      rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"

      rule {
        id      = "920170"
        enabled = true
        action  = "Log"
      }

      rule {
        id      = "920230"
        enabled = true
        action  = "Log"
      }
    }

    rule_group_override {
      rule_group_name = "REQUEST-931-APPLICATION-ATTACK-RFI"

      rule {
        id      = "931130"
        enabled = true
        action  = "Log"
      }
    }

    rule_group_override {
      rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"

      rule {
        id      = "942430"
        enabled = true
        action  = "Log"
      }

      rule {
        id      = "942440"
        enabled = true
        action  = "Log"
      }
    }
  }
}

We change the default behaviour when traffic hits these rules. In a perfect world your application would not need these overrides, but that is not always the case, and overrides are great for that kind of customization.

If you have landed on my page you will have already understood my passion for tech, but obviously there is more to life than that. Here I will try and outline a few of my other hobbies. Strength training I am a person who loves to move around and challenge