Azure WAF does not block traffic indiscriminately. In Prevention mode it blocks requests that match its managed rules (or your own custom rules) and returns an HTTP 403 to the client; in Detection mode the same evaluation runs, but a match is only logged. The WAF exists to stop common web attacks, so a match means that something in the request looked like one.
If you see requests being "blocked by Azure WAF", one or more rules matched content in those requests, for example a string that looks like a SQL injection payload in a query parameter or form field.
To resolve it, identify the rule that fired. The WAF logs record, per request, the rule ID, the action taken and the part of the request (query argument, header, cookie, body field) whose value matched. That is the information you need to decide between fixing the client, adding an exclusion scoped to that rule and field, or overriding the rule.
Understanding Azure WAF
The Azure Monitor Workbook for WAF visualizes the WAF logs, which is the quickest way to see how the WAF responded to different kinds of traffic, including scanner traffic.
The WAF logs record every request that matched a rule, whether it was only logged or actually blocked, so false positives can be traced back to the rule and request part responsible. If a legitimate request is blocked, narrow it down by client IP, URI and time and look up the matching log entries.
With the current managed rule sets (DRS 2.x on Front Door, OWASP CRS 3.2 on Application Gateway) the WAF uses anomaly scoring rather than blocking on the first match. Each matching rule adds its severity score to a per-request anomaly score (Critical 5, Error 4, Warning 3, Notice 2), and in Prevention mode the request is blocked once the total reaches 5. A single Critical match therefore blocks on its own, while a single Warning match (score 3) does not; older rule sets (DRS 1.x, CRS 3.1 and earlier) block on any single match. The managed rule sets are derived from the OWASP Core Rule Set, which covers the OWASP Top 10 attack classes, and from Microsoft Threat Intelligence.
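A worked model of that anomaly-scoring decision, added here as an example; it is not Microsoft's code. The severity-to-score table and the blocking threshold of 5 are the documented values, and the per-rule severities are those of the named OWASP CRS 3.x rules. Treating a per-rule action override of Log as "fires but adds nothing to the score" is an assumption of this model.

```python
"""Model of the anomaly-scoring decision used by Azure WAF managed rule sets
(DRS 2.x on Front Door, OWASP CRS 3.2 on Application Gateway).

Added example, not Microsoft code.
"""
from dataclasses import dataclass, field

# Documented contribution of each rule severity to the request's anomaly score,
# and the documented threshold at which Prevention mode blocks.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5

# Severities of the CRS 3.x rules discussed on this page.
RULE_SEVERITY = {
    913100: "Critical",  # Found User-Agent associated with security scanner
    920300: "Notice",    # Request Missing an Accept Header
    930100: "Critical",  # Path Traversal Attack (/../)
    941100: "Critical",  # XSS Attack Detected via libinjection
    942110: "Warning",   # SQL Injection Attack: Common Injection Testing Detected
    942130: "Critical",  # SQL Injection Attack: SQL Tautology Detected
}


@dataclass
class Verdict:
    score: int
    blocked: bool
    contributing: list = field(default_factory=list)  # (rule_id, points)


def evaluate(matched_rules, mode="Prevention", overrides=None, severities=RULE_SEVERITY):
    """Return the anomaly score and whether the request is blocked.

    matched_rules: IDs of the rules that fired for the request. A rule that is
      disabled or excluded for the matched field never fires, so it should
      simply not appear here.
    mode: "Prevention" blocks at the threshold; "Detection" only logs.
    overrides: optional {rule_id: action}. ASSUMPTION of this model: a rule
      overridden to "Log" fires but does not raise the score.
    """
    overrides = overrides or {}
    score = 0
    contributing = []
    for rule in matched_rules:
        if rule not in severities:
            raise ValueError(f"unknown rule {rule}: add its severity first")
        if overrides.get(rule) == "Log":
            continue
        points = SEVERITY_SCORE[severities[rule]]
        score += points
        contributing.append((rule, points))
    blocked = mode == "Prevention" and score >= BLOCK_THRESHOLD
    return Verdict(score, blocked, contributing)


if __name__ == "__main__":
    # Why a lone "Common Injection Testing" hit is not enough to block, but the
    # same hit plus a missing Accept header (a typical scanner request) is.
    for rules in ([942110], [942110, 920300], [942130], [920300]):
        v = evaluate(rules)
        print(rules, "score", v.score, "blocked" if v.blocked else "allowed")
```

The practical consequence: when a blocked request shows several rule matches in the log, removing any one of them with an exclusion can bring the score under the threshold, so exclude the one that is most clearly a false positive rather than all of them.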
Understanding Response
How Azure WAF responds to scanner traffic can be observed by running a scanner against a test endpoint and reviewing the results in the Azure Monitor Workbook for WAF.
The WAF recognizes the probing patterns typical of security scanners: a scanner User-Agent, requests without an Accept header, and the standard SQL injection, path traversal and cross-site scripting test payloads. The rules that fired, with their OWASP CRS rule IDs, are listed below.
Keep the policy on the latest managed rule set version. Microsoft updates the managed rules for the current threat landscape, and a policy pinned to an old version does not receive those updates, so check for newer Azure-managed rule set versions regularly.
Notable WAF rules triggered by security scanners:
- 913100: Found User-Agent associated with security scanner
- 920300: Request Missing an Accept Header
- 942110: SQL Injection Attack: Common Injection Testing Detected
- 930100: Path Traversal Attack (/../)
- 941100: XSS Attack Detected via libinjection
Bot protection is a separate managed rule set (Microsoft_BotManagerRuleSet). Enabling it blocks traffic from known bad-bot sources and lets verified good bots, such as search engine crawlers, reach your application.
Core Rule Sets
The managed core rule sets detect and block the common attack classes (the OWASP Top 10 categories: injection, cross-site scripting, path traversal, protocol violations and so on). They are derived from the OWASP Core Rule Set and from Microsoft Threat Intelligence, and Microsoft updates them as new attack patterns appear.
The rules are grouped by category (for example SQLI, XSS, LFI, RFI, RCE, PROTOCOL-ENFORCEMENT, SCANNER-DETECTION), and the group or the individual rule ID is the granularity at which you enable, disable or override them. For the full list, see Web Application Firewall CRS rule groups and rules.
Use Latest Ruleset Versions
Managed rule sets are versioned (for example Microsoft_DefaultRuleSet 2.1 on Front Door, OWASP CRS 3.2 on Application Gateway), and new signatures and severity changes ship in new versions. The version is a setting on the WAF policy; nothing upgrades automatically, so check for newer Azure-managed rule set versions regularly.
Before switching a production policy to a new version, run it in Detection mode or on a staging policy and review the logs: rule IDs, severities and false-positive behaviour change between versions, and per-rule exclusions and action overrides are attached to a specific rule set version, so they must be re-checked after the upgrade.
Geo-Filter Traffic
Geo-filtering blocks requests that originate outside the geographic regions where your users are.
If your web application serves users in a specific set of countries or regions, add a custom rule that blocks requests whose client address resolves to any other country.
This is done with a Geomatch custom rule: the rule matches the client address (RemoteAddr) with the GeoMatch operator against a list of ISO 3166-1 alpha-2 country codes, and with the condition negated it blocks everything that is not on the allowed list. Custom rules are evaluated before the managed rules, in priority order.
Geomatch rules remove a large share of opportunistic scanning and unnecessary traffic, but they are a noise filter, not an access control: the country is derived from the source IP, and an attacker can route through a host inside the allowed region.
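The allowlist form of that rule, with a small checker that applies the rule's own semantics to sample client countries, added here as an example rather than Microsoft's code. The rule object mirrors the customRules shape of a Front Door WAF policy (name, priority, ruleType, action, matchConditions with matchVariable, operator, negateCondition and matchValue); the rule names and country lists are illustrative, and the first-match evaluation order is an assumption of the checker.

```python
"""Geomatch custom rule for an Azure WAF policy (Front Door shape) and a checker
that applies the rule's match semantics to sample client countries.

Added example, not Microsoft code. Country codes are ISO 3166-1 alpha-2.
"""


def geo_rule(countries, negate, priority=10, name="GeoRule"):
    """Build one Block custom rule.

    negate=True  -> block when the client country is NOT in the list (allowlist).
    negate=False -> block when the client country IS in the list (denylist).
    Forgetting negateCondition on an allowlist blocks your own users.
    """
    return {
        "name": name,
        "priority": priority,
        "enabledState": "Enabled",
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [{
            "matchVariable": "RemoteAddr",
            "operator": "GeoMatch",
            "negateCondition": negate,
            "matchValue": sorted(set(countries)),
        }],
    }


def rule_action(rule, client_country):
    """Return the rule's action if every condition holds for this client,
    else None (evaluation continues with the next rule)."""
    for cond in rule["matchConditions"]:
        hit = client_country in cond["matchValue"]
        if cond.get("negateCondition"):
            hit = not hit
        if not hit:
            return None
    return rule["action"]


def evaluate_custom_rules(rules, client_country):
    """Assumption: the first matching enabled rule by ascending priority decides.
    None means no custom rule matched and the managed rules run next."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["enabledState"] != "Enabled":
            continue
        action = rule_action(rule, client_country)
        if action is not None:
            return action
    return None


if __name__ == "__main__":
    allow_us_ca = geo_rule(["US", "CA"], negate=True, name="BlockOutsideRegion")
    mistaken = geo_rule(["US", "CA"], negate=False, name="BlocksOwnUsers")
    for country in ("US", "DE", "ZZ"):  # ZZ: address with no country mapping
        print(country,
              "allowlist ->", evaluate_custom_rules([allow_us_ca], country),
              "| mistaken ->", evaluate_custom_rules([mistaken], country))
```

Two points the checker makes visible: an address that maps to no country falls outside the allowed list and is blocked by the negated rule, so health probes or partner services from such ranges need a higher-priority Allow rule; and on Front Door, RemoteAddr reflects the X-Forwarded-For value when one is present, so if no trusted proxy sits in front of Front Door, match on SocketAddr instead to avoid a spoofable header.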
Troubleshooting Azure WAF
Troubleshooting Azure WAF mostly means dealing with false positives, and the first step is always to identify the rule from the logs. In the case described in the sources, rule 942130 (SQL Injection Attack: SQL Tautology Detected) matched the string 1=1 in legitimate traffic.
If the match is a false positive, the narrowest fix is an exclusion, configured under the policy's managed rules: it tells a specific rule not to inspect a specific request part (a named query argument, POST field, header or cookie) while the rule keeps protecting everything else.
Disable the rule outright only when the exclusion cannot be expressed, for example when the match is on the URI rather than a named parameter, and you accept that the rule then protects no request at all. With DRS 2.x and CRS 3.2 an intermediate option is to override the rule's action to Log, which keeps the visibility without the block.
Notable Rules Triggered
The rules that caught the scanner's activity are the five listed under Understanding Response: the scanner User-Agent check, the missing Accept header check, and the SQL injection, path traversal and cross-site scripting detections. All of them are part of the out-of-the-box managed rule set, so reconnaissance of this kind is caught without any tuning.
Treat the first two as hygiene rather than a security boundary: a scanner configured with a browser User-Agent and an Accept header no longer trips 913100 or 920300, and the attack-payload rules (942110, 930100, 941100) are what actually stand between the probe and the application.
False Positives
Disabling a rule removes the false positive, but it is policy-wide: every request from every client is then unprotected by that rule, so only do it when you know that every request matching that condition is legitimate. Rules can be disabled, or their action overridden, per rule in the Azure portal under the policy's managed rules.
Investigating false positives requires WAF logs to be on. Open the Azure Front Door profile (or Application Gateway) the policy is attached to, go to Diagnostic settings, add a new diagnostic setting, select the FrontdoorWebApplicationFirewallLog category (ApplicationGatewayFirewallLog on Application Gateway) and send it to a Log Analytics workspace or a storage account.
Azure WAF can block legitimate traffic such as the Azure AD SSO sign-in flow, so these false positives have to be found and addressed from the logs. When the logs go to a storage account they land in a container named insights-logs-frontdoorwebapplicationfirewalllog, one JSON object per line.
Each entry records the rule that fired (ruleName carries the rule set, version, group and rule ID), the action taken, and under details which request part matched and with what value. Use the rule ID to filter the managed rules in the policy and, for a confirmed false positive, add an exclusion scoped to that rule and that request part via Manage exclusions in the Azure WAF policy.
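The triage described in the last four paragraphs, and the exclusion step from the Troubleshooting section above, as an added example (not Microsoft's code): parse Front Door WAF log lines, count which rule blocked what, and draft the narrowest exclusion for a confirmed false positive. The record shape mirrors the documented FrontdoorWebApplicationFirewallLog category (properties.ruleName, action, requestUri, details.matches[].matchVariableName and matchVariableValue); the three log lines are constructed for this example. The mapping from a log matchVariableName prefix to an exclusion matchVariable is an assumption beyond the documented QueryParamValue case.

```python
"""Triage Azure Front Door WAF diagnostic logs and draft scoped exclusions.

Added example, not Microsoft code. Sample log lines are constructed.
"""
import json
import re
from collections import Counter

# Constructed sample: three records as the storage-account export writes them.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:00Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.10","requestUri":"https://www.example.com/search?q=1%3D1","ruleName":"DefaultRuleSet-1.0-SQLI-942130","action":"Block","policyMode":"prevention","details":{"matches":[{"matchVariableName":"QueryParamValue:q","matchVariableValue":"1=1"}],"msg":"SQL Injection Attack: SQL Tautology Detected"}}}
{"time":"2024-05-01T10:00:02Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.11","requestUri":"https://www.example.com/api/items","ruleName":"DefaultRuleSet-1.0-PROTOCOL-ENFORCEMENT-920300","action":"Log","policyMode":"prevention","details":{"matches":[{"matchVariableName":"HeaderValue:Accept","matchVariableValue":""}],"msg":"Request Missing an Accept Header"}}}
{"time":"2024-05-01T10:00:05Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.12","requestUri":"https://www.example.com/comments","ruleName":"DefaultRuleSet-1.0-SQLI-942130","action":"Block","policyMode":"prevention","details":{"matches":[{"matchVariableName":"PostParamValue:comment","matchVariableValue":"it's 1=1 in my case"}],"msg":"SQL Injection Attack: SQL Tautology Detected"}}}
"""

# ruleName = <ruleSetType>-<version>-<ruleGroup>-<ruleId>; the group may itself
# contain hyphens (PROTOCOL-ENFORCEMENT), hence the greedy middle capture.
RULE_NAME = re.compile(r"^(?P<type>.+?)-(?P<version>\d+\.\d+)-(?P<group>.+)-(?P<id>\d+)$")

# Log matchVariableName prefix -> exclusion matchVariable. "QueryParamValue" is
# from the documented log example; the other prefixes are ASSUMPTIONS.
EXCLUDABLE = {
    "QueryParamValue": "QueryStringArgNames",
    "PostParamValue": "RequestBodyPostArgNames",
    "JsonValue": "RequestBodyJsonArgNames",
    "HeaderValue": "RequestHeaderNames",
    "CookieValue": "RequestCookieNames",
}


def parse_log(text):
    """Return the properties object of every non-empty JSON line."""
    return [json.loads(line)["properties"] for line in text.splitlines() if line.strip()]


def summarize(entries):
    """Count (action, ruleName) pairs so the noisiest rule stands out first."""
    return Counter((e["action"], e["ruleName"]) for e in entries)


def draft_exclusion(entry):
    """Draft the narrowest exclusion for one entry: the single parameter that
    matched, scoped to the single rule that fired. Returns None when the matched
    location (for example the URI) cannot be excluded; then a per-rule action
    override or an application-side fix is needed instead."""
    parsed = RULE_NAME.match(entry["ruleName"])
    match = entry["details"]["matches"][0]
    prefix, _, selector = match["matchVariableName"].partition(":")
    if not parsed or prefix not in EXCLUDABLE or not selector:
        return None
    return {
        "ruleSetType": parsed["type"],
        "ruleSetVersion": parsed["version"],
        "ruleGroupName": parsed["group"],
        "ruleId": parsed["id"],
        "exclusion": {
            "matchVariable": EXCLUDABLE[prefix],
            "selectorMatchOperator": "Equals",
            "selector": selector,
        },
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (action, rule), n in summarize(entries).most_common():
        print(f"{n:3d}  {action:<6} {rule}")
    for e in entries:
        if e["action"] == "Block":
            print(e["requestUri"], "->", json.dumps(draft_exclusion(e)))
```

The script cannot tell a true positive from a false one: the first blocked record (1=1 in a search parameter) may well be a real probe, while the third (a free-text comment) is the pattern the page's 942130 case describes. Confirm the field legitimately carries such content before applying the drafted exclusion, and apply it in the policy as a per-rule exclusion rather than a policy-wide one.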
Ways to fix a false positive, from narrowest to broadest:
- Add an exclusion scoped to the rule and the request part that matched
- Override the rule's action to Log (DRS 2.x and CRS 3.2), keeping the log entry without the block
- Fix the client or application so the request no longer resembles an attack (for example send an Accept header)
- Disable the rule, as a last resort, accepting that it then protects nothing
Common WAF rules that trigger on legitimate traffic, and what typically trips them:
- 913100 Found User-Agent associated with security scanner: vulnerability scanners and monitoring tools you run against your own application
- 920300 Request Missing an Accept Header: API clients, scripts and webhooks that send no Accept header
- 942110 SQL Injection Attack: Common Injection Testing Detected: free-text fields containing quotes, comment markers or SQL keywords
- 930100 Path Traversal Attack (/../): parameters that legitimately carry file paths or relative URLs
- 941100 XSS Attack Detected via libinjection: form fields that accept HTML or script-like markup, such as CMS editors or code snippets
Reducing false positives is a matter of configuration: run a new policy or rule set version in Detection mode first, review the logs, add scoped exclusions for the traffic you have confirmed is legitimate, then switch to Prevention. Bot management is a separate concern: its rule set blocks known bad bots and lets good bots such as search engine crawlers through, but it does not change how the core rules score a request.
Frequently Asked Questions
What is block mode in WAF?
Azure calls it Prevention mode. In Prevention mode the WAF blocks every request that matches a rule (or whose anomaly score reaches the threshold) and returns an HTTP 403; in Detection mode the same evaluation happens but the request is only logged. Custom rules are evaluated before the managed rules, so a custom rule with an Allow action for a known source takes precedence over a managed-rule block. The usual rollout is Detection mode first, tuning exclusions from the logs, then Prevention.
Sources
- https://3tallah.com/part-2-reconnaissance-playbook-testing-azure-waf-protection/
- https://edi.wang/post/2020/8/7/securing-my-blog-with-azure-web-application-firewall-waf
- https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
- https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application-firewall/ag/best-practices.md
- https://ifi.tech/what-is-web-application-firewall-waf/