Azure Front Door's Web Application Firewall (WAF) is a powerful tool for protecting your applications from malicious traffic. However, effectively managing your WAF configuration is key to maintaining a balance between security and usability. In this blog post, we’ll explore two essential aspects:
- How to view WAF logs in Azure Front Door to troubleshoot issues and gain insights.
- How to add custom rules for specific URLs to ensure precise traffic control and enhanced security.
Real-World Scenario: The Importance of Logs and Custom Rules
In today’s interconnected world, even minor service disruptions can lead to significant setbacks. Recently, we encountered a "Service Unavailable" issue caused by blocked requests on a specific API, affecting critical operations.
What Happened?
A routine API request was blocked, resulting in an error message: "The request is blocked." Users were unable to proceed with their tasks. A reference ID was provided, pointing to the Web Application Firewall (WAF) as the culprit.
Error: Unexpected character encountered while parsing value: <. Path , line 0, position 0.
an unexpected character < while trying to parse a JSON value. This suggests that the response being parsed is an XML or HTML document, not JSON.
Possible Causes:
- Firewall or Bot Protection Rules: Strict rules flagged legitimate traffic as suspicious.
- Request Overload: High traffic triggered rate-limiting mechanisms.
- Configuration Errors: Misconfigured rules led to unnecessary blockages.
This incident highlighted the need for effective troubleshooting using WAF logs and the ability to add custom rules to avoid false positives.
1. Viewing WAF Logs in Azure Front Door
When WAF blocks requests, logs provide invaluable insights, helping you understand the reasons behind the blockage and take corrective actions.
How to Access WAF Logs
-
Enable Diagnostic Logging:
- In the Azure portal, navigate to Front Door.
- Under the Monitoring section, select Diagnostics settings.
- Create a new diagnostic setting and enable WAF logs.
- Send these logs to one of the following destinations:
- Log Analytics Workspace
- Azure Storage Account
- Event Hub
-
Analyze Logs in Log Analytics:
- Open your Log Analytics Workspace and use the following query to filter WAF logs:
AzureDiagnostics | where ResourceType == "FRONTDOOR_WAF" | project TimeGenerated, clientIP_s, requestUri_s, ruleName_s, action_s
- Key fields to analyze include:
-
requestUri_s: The URL of the request. -
clientIP_s: The client’s IP address. -
ruleName_s: The WAF rule triggered (e.g., Bot300100). -
action_s: The action taken (e.g., BLOCK, ALLOW).
-
Example log entry:
TimeGenerated: 2025-01-08T12:34:56Z
clientIP_s: 192.168.1.1
requestUri_s: /api/AddDevice
ruleName_s: Bot300100
action_s: BLOCK
-
View Logs Through Security Analytics:
- Navigate to Front Door in the Azure portal.
- Go to the Analytics section and open the Security Report.
- The Security Report provides a summary of blocked requests, allowed traffic, and matched rules.
- For a deeper dive, download the CSV report for a detailed view of WAF activities. This is especially useful for quick audits and trend analysis without requiring advanced configurations.
2. Adding Custom Rules for Specific URLs
Default WAF rules might not always align with your application's unique requirements. For example, you may want to allow specific API endpoints while maintaining strict rules for others. Custom rules give you the flexibility to tailor WAF behavior to your needs.
How to Create a Custom Rule
-
Navigate to the WAF Policy:
- In the Azure portal, go to Front Door and CDN profiles.
- Select your Front Door profile and open the Web Application Firewall section.
- Access the WAF policy attached to your Front Door.
-
Add a Custom Rule:
- Click Custom Rules and select Add Custom Rule.
- Configure the rule with the following parameters:
- Name: A descriptive name (e.g., AllowSpecificAPI).
- Priority: Lower numbers indicate higher priority (e.g., 100).
- Action: Choose Allow or Block.
- Match Conditions:
- Match Type: Use “URL path.”
- Operator: Use “Contains” or “Equals.”
-
Value: Enter the specific URL (e.g.,
/api/AddDevice).
-
Test the Rule:
- Save and deploy the rule.
- Use tools like
curlor Postman to test the custom rule. - Check logs to confirm the rule is applied correctly.
-
Regularly Review and Update Rules:
- Monitor WAF logs to ensure the custom rule is functioning as intended.
- Modify rules based on new traffic patterns or security requirements.
Example: Allowing a Specific API Endpoint
If an endpoint like /api/AddDevice is frequently blocked but used by legitimate clients, you can create a custom rule as follows:
-
Match Conditions:
- URL Path =
/api/AddDevice - IP Address = Whitelisted IPs
- URL Path =
- Action: Allow
This ensures seamless access to the endpoint without compromising the security of other URLs.
Best Practices for Managing Azure Front Door WAF
Regular Log Reviews:
Analyze logs frequently to identify false positives and refine rules.Detection Mode for Testing:
Test new rules in Detection mode before enforcing them to prevent unintended disruptions.Leverage Rate Limiting:
Implement rate-limiting rules to protect against abusive traffic.Enable Geo-Blocking:
Restrict traffic from regions that don’t require access to your application.Use Custom Rules Sparingly:
Keep custom rules targeted and simple to avoid performance impacts.
Conclusion
Azure Front Door’s WAF is a robust tool for securing your applications. By learning to view logs effectively and create custom rules, you can fine-tune its behavior to suit your application’s specific needs. Regularly monitor, adapt, and optimize your WAF configuration to stay ahead of evolving threats.
Have you configured custom rules or analyzed logs in Azure Front Door WAF? Share your insights and tips in the comments below!
Top comments (1)
adding azure portal snippets will also help better understand