Can you see the Firewall Rule that was triggered on Azure Application Gateway WAF?
We're using the Application Gateway WAF in prevention mode and it's blocking some of our Mobile App Client requests. I switched the WAF into Detection mode and output the logs to Log Analytics. I can see some information about the requests being made and the WAF being triggered, but can't see which rule was triggered.
Is there a way to see what rule was being triggered? It's difficult to narrow down the source of the problem without knowing why it's failing!
Solution 1:[1]
You should see the ruleId when you check the firewall log.
Here is an example:
{
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
    "operationName": "ApplicationGatewayFirewall",
    "time": "2017-03-20T15:52:09.1494499Z",
    "category": "ApplicationGatewayFirewallLog",
    "properties": {
        "instanceId": "ApplicationGatewayRole_IN_0",
        "clientIp": "104.210.252.3",
        "clientPort": "4835",
        "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0",
        "ruleId": "941320",
        "message": "Possible XSS Attack Detected - HTML Tag Handler",
        "action": "Blocked",
        "site": "Global",
        "details": {
            "message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
            "data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
            "file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
            "line": "865"
        }
    }
}
Before this, you have to ensure you enable the firewall log for each application gateway. This log also requires that the web application firewall is configured on an application gateway. You could get more details here.
It's recommended to read these two articles:
Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway
Solution 2:[2]
When you want to find out what request was blocked by what rule, you first need to run this query:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked"
You will find rules there like 949110 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 5)
or 980130 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt; individual paranoia level scores: 5, 0, 0, 0,
but you will not be able to block these rules, as they are just an evaluation of the scoring. However:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked"
| distinct requestUri_s, ruleId_s
Run this query to get the blocked URIs, then use them to find the rules which you can disable (if you want) by running this query:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where ruleId_s != "949110" and ruleId_s != "980130"
| where requestUri_s == "some-uri"
| distinct ruleId_s
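The two answers above describe one triage loop: read the ruleId out of each ApplicationGatewayFirewallLog record (Solution 1), then list the blocked URIs and, for each of them, the rules that fired other than the two anomaly-score rules 949110 and 980130 (Solution 2). The following Python script is an added example, not code from either answer or from Azure; it runs the same steps offline over a constructed JSON export. The record shape is taken from the log entry in Solution 1 (only the fields the script reads are kept), the first sample record reuses that entry's values, and the remaining URIs, rule IDs and messages are illustrative sample data, not real traffic.

```python
import json
from collections import defaultdict

# The two anomaly-score rules named in Solution 2: they only summarise the
# other rules' hits and cannot be disabled, so the per-URI triage skips them.
ANOMALY_SCORE_RULES = frozenset({"949110", "980130"})

# Constructed sample export (assumed, not real traffic). Each record follows
# the ApplicationGatewayFirewallLog shape shown in Solution 1, reduced to the
# fields this script reads. The first record reuses that entry's values; the
# rest are illustrative. One access-log record is mixed in to show filtering.
SAMPLE_EXPORT = json.dumps([
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
                    "ruleId": "941320", "action": "Blocked",
                    "message": "Possible XSS Attack Detected - HTML Tag Handler"}},
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/api/login", "ruleId": "942100",
                    "action": "Blocked",
                    "message": "SQL Injection Attack Detected via libinjection"}},
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/api/login", "ruleId": "949110",
                    "action": "Blocked",
                    "message": "Inbound Anomaly Score Exceeded (Total Score: 5)"}},
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/api/upload", "ruleId": "930120",
                    "action": "Blocked", "message": "OS File Access Attempt"}},
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/api/upload", "ruleId": "980130",
                    "action": "Blocked",
                    "message": "Inbound Anomaly Score Exceeded"}},
    {"category": "ApplicationGatewayFirewallLog",
     "properties": {"requestUri": "/healthz", "ruleId": "920350",
                    "action": "Detected",
                    "message": "Host header is a numeric IP address"}},
    {"category": "ApplicationGatewayAccessLog",
     "properties": {"requestUri": "/healthz"}},
])


def load_firewall_records(raw_json):
    """Parse the export and keep only WAF firewall-log entries (Solution 1's
    category), dropping access logs and anything else in the same export."""
    return [r for r in json.loads(raw_json)
            if r.get("category") == "ApplicationGatewayFirewallLog"]


def blocked_uris(records):
    """Step 1 of Solution 2: the distinct request URIs the WAF blocked."""
    return sorted({r["properties"]["requestUri"] for r in records
                   if r["properties"].get("action") == "Blocked"})


def rules_by_blocked_uri(records):
    """Step 2 of Solution 2: for every blocked URI, the rule IDs that fired on
    it, with the anomaly-score rules removed because they only report the
    total, not the cause."""
    uris = set(blocked_uris(records))
    hits = defaultdict(set)
    for r in records:
        p = r["properties"]
        if p["requestUri"] in uris and p["ruleId"] not in ANOMALY_SCORE_RULES:
            hits[p["requestUri"]].add(p["ruleId"])
    return {uri: sorted(ids) for uri, ids in sorted(hits.items())}


def rule_hit_counts(records):
    """How often each non-anomaly rule blocked a request, with its message,
    so the rule responsible for most of the blocks stands out first."""
    counts = {}
    for r in records:
        p = r["properties"]
        if p.get("action") == "Blocked" and p["ruleId"] not in ANOMALY_SCORE_RULES:
            entry = counts.setdefault(p["ruleId"],
                                      {"message": p.get("message", ""), "count": 0})
            entry["count"] += 1
    return counts


if __name__ == "__main__":
    recs = load_firewall_records(SAMPLE_EXPORT)
    for uri, ids in rules_by_blocked_uri(recs).items():
        print(f"{uri}: {', '.join(ids)}")
    for rule_id, info in rule_hit_counts(recs).items():
        print(f"{rule_id} x{info['count']}: {info['message']}")
```

Point the script at a real export (for example, the JSON written by a diagnostic setting to a storage account) and the per-URI listing is the same result the second and third KQL queries give in Log Analytics; the hit-count summary is the extra view that tells you whether one rule is behind most of the mobile client's blocks, which is the first thing to check before considering an exclusion or disabling a rule.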
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Nancy Xiong
Solution 2 | Krzysztof Madej