Azure Documentation

Configure Web Application Firewall (WAF) with Azure Application Gateway

This tutorial guides you through the process of enabling and configuring the Web Application Firewall (WAF) feature on an Azure Application Gateway. WAF protects your web applications from common web exploits and vulnerabilities.

Prerequisites

Steps to Configure WAF

Step 1: Access Application Gateway Settings

Navigate to your Application Gateway resource in the Azure portal. In the left-hand menu, under the Settings section, select Web application firewall.

Step 2: Enable WAF

On the Web application firewall page, click the Enable WAF button. This will open a configuration pane on the right.

Step 3: Configure WAF Policy

In the configuration pane:

  • WAF state: Set to Enabled.
  • WAF mode: Choose either:
    • Detection mode: WAF logs malicious requests but doesn't block them, allowing you to fine-tune rules.
    • Prevention mode: WAF blocks malicious requests that match the rules. This is the recommended setting for production environments.
  • Managed rule set type: Select the rule set you want to use. Azure managed rule sets (e.g., OWASP 3.2, OWASP 3.1) are recommended for comprehensive protection.
  • Custom rules (Optional): You can define custom rules to block or allow traffic based on specific criteria.
  • Rule set expansion (Optional): Enable or disable specific rule groups based on your needs.

Click Add or Save to apply these settings.

Step 4: Associate WAF Policy with Listener

For WAF to protect your application, it needs to be associated with a listener. You typically configure this during Application Gateway creation or by editing an existing listener:

  1. Go to Listeners under the Settings section of your Application Gateway.
  2. Select the listener you want to associate with the WAF policy.
  3. In the listener configuration, ensure the WAF policy dropdown is set to the policy you just created or modified.
  4. Click Save.

Step 5: Configure WAF Logging

It's crucial to monitor WAF activity. Configure diagnostic logs to capture WAF events:

  1. Go to Diagnostic settings under the Monitoring section.
  2. Click Add diagnostic setting.
  3. Under Logs, select ApplicationGatewayFirewallLog.
  4. Choose where to send the logs (e.g., Log Analytics workspace, Storage account, Event Hub).
  5. Click Save.

Important Considerations
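The same five steps as an Azure CLI script, added here as an example (this is not code from the Azure page). It assumes a WAF_v2 Application Gateway and its listener already exist, and every name (resource group, gateway, listener, policy, subscription and workspace IDs) is a placeholder to override through environment variables. With AZ_DRY_RUN=1 it prints the az commands instead of running them, so the change plan can be reviewed before anything is applied; the policy is created in Detection mode, and separate functions add an exclusion and cut over to Prevention once the logs have been reviewed.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure page): Azure CLI equivalent of portal steps 1-5.
# Every resource name below is a placeholder; override via environment variables.
set -eu

RG="${RG:-my-rg}"                          # placeholder resource group
LOCATION="${LOCATION:-eastus}"             # placeholder region
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
AGW="${AGW:-my-appgw}"                     # placeholder Application Gateway (WAF_v2 SKU)
LISTENER="${LISTENER:-my-listener}"        # placeholder HTTP listener on that gateway
POLICY="${POLICY:-my-waf-policy}"          # placeholder WAF policy name
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.OperationalInsights/workspaces/my-law}"  # placeholder

# Execute a command, or with AZ_DRY_RUN=1 print it so the plan can be reviewed first.
run() {
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 3: create the policy with the OWASP 3.2 managed rule set, enabled, in the given mode.
create_policy() {
  local mode="${1:-Detection}"
  run az network application-gateway waf-policy create \
    --name "$POLICY" --resource-group "$RG" --location "$LOCATION" \
    --type OWASP --version 3.2
  run az network application-gateway waf-policy policy-setting update \
    --policy-name "$POLICY" --resource-group "$RG" \
    --state Enabled --mode "$mode"
}

# Step 4: attach the policy to the listener so its traffic is inspected.
associate_listener() {
  run az network application-gateway http-listener update \
    --gateway-name "$AGW" --resource-group "$RG" --name "$LISTENER" \
    --waf-policy "$POLICY"
}

# Step 5: send ApplicationGatewayFirewallLog to a Log Analytics workspace.
enable_waf_logging() {
  local agw_id="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Network/applicationGateways/$AGW"
  run az monitor diagnostic-settings create \
    --name waf-to-log-analytics --resource "$agw_id" --workspace "$WORKSPACE_ID" \
    --logs '[{"category":"ApplicationGatewayFirewallLog","enabled":true}]'
}

# Tuning: exclude one named request header from managed-rule evaluation,
# used only after Detection-mode logs show that header causes false positives.
add_header_exclusion() {
  run az network application-gateway waf-policy managed-rule exclusion add \
    --policy-name "$POLICY" --resource-group "$RG" \
    --match-variable RequestHeaderNames --selector-match-operator Equals \
    --selector "$1"
}

# Cut-over: flip the same policy from Detection to Prevention.
switch_to_prevention() {
  run az network application-gateway waf-policy policy-setting update \
    --policy-name "$POLICY" --resource-group "$RG" \
    --state Enabled --mode Prevention
}

# Initial rollout: Detection mode with logging on, so false positives are
# visible in the logs before any request is blocked.
configure_waf_detection_first() {
  create_policy Detection
  associate_listener
  enable_waf_logging
}
```

Source the script and call configure_waf_detection_first (first with AZ_DRY_RUN=1 to read the plan), review the firewall log, add exclusions with add_header_exclusion as needed, then run switch_to_prevention.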

Before switching WAF to Prevention mode, it's advisable to run it in Detection mode first. This lets you identify legitimate traffic that the WAF rules would otherwise block, and create exclusion rules if necessary, before any request is actually blocked.
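To carry out that Detection-mode review, the added shell example below (not code from the Azure page) summarises a WAF diagnostic-log export, one ApplicationGatewayFirewallLog JSON record per line as written to a storage account, into counts of action, rule ID, hostname and client IP, so repeated hits on one rule from one host stand out as exclusion candidates. The sample records are constructed, not real telemetry; they follow the ApplicationGatewayFirewallLog field layout with some fields omitted, and the dependency-free extractor assumes flat string-valued fields (use jq for anything richer; in a Log Analytics workspace you would run the equivalent query in KQL instead).

```shell
#!/usr/bin/env bash
# Added example (not from the Azure page): triage a WAF diagnostic-log export
# to see which rules fire, on which hosts, from which clients.
set -eu

# Pull one string-valued key out of a single JSON record. Deliberately
# dependency-free and limited to flat string fields; use jq for anything richer.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Emit "<count> <action> <ruleId> <hostname> <clientIp>" lines, most frequent first.
waf_triage() {
  local line
  while IFS= read -r line; do
    case "$line" in
      *'"category":"ApplicationGatewayFirewallLog"'*) ;;
      *) continue ;;   # skip access/performance records in a mixed export
    esac
    printf '%s %s %s %s\n' \
      "$(json_field "$line" action)" "$(json_field "$line" ruleId)" \
      "$(json_field "$line" hostname)" "$(json_field "$line" clientIp)"
  done < "$1" | sort | uniq -c | sort -rn
}

# Total records carrying a given action value (for example Matched, Detected, Blocked, Allowed).
count_action() {
  waf_triage "$1" | awk -v want="$2" '$2 == want { n += $1 } END { print n + 0 }'
}

# Constructed sample records (not real telemetry); field layout follows the
# ApplicationGatewayFirewallLog schema with some fields omitted. Prints the file path.
write_sample_log() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Matched","hostname":"www.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942190","message":"Detects MSSQL code execution and information gathering attempts","action":"Matched","hostname":"www.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"949110","message":"Inbound Anomaly Score Exceeded","action":"Detected","hostname":"www.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_0","clientIp":"198.51.100.7","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","message":"Request Missing an Accept Header","action":"Matched","hostname":"api.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_0","clientIp":"198.51.100.7","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","message":"Request Missing an Accept Header","action":"Matched","hostname":"api.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_0","clientIp":"198.51.100.7","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"949110","message":"Inbound Anomaly Score Exceeded","action":"Detected","hostname":"api.example.com","policyId":"my-waf-policy","policyScope":"Global"}}
{"resourceId":"/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/MY-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MY-APPGW","operationName":"ApplicationGatewayAccess","category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10","requestUri":"/search","httpStatus":200}}
EOF
  printf '%s\n' "$f"
}
```

Running waf_triage "$(write_sample_log)" lists the repeated 920300 hits from the internal API client at the top, which is exactly the kind of entry to investigate (and, if legitimate, exclude) before switching the policy to Prevention; on a real export, point waf_triage at the downloaded PT1H.json file instead.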

Testing Your WAF Configuration

After enabling WAF, you should test its effectiveness. You can do this by attempting to send requests that mimic common web attacks (e.g., SQL injection, cross-site scripting) to your application. If WAF is configured correctly in prevention mode, these requests should be blocked, and corresponding entries should appear in your WAF logs.

For more advanced customization, explore creating custom WAF rules and managing exclusion lists.

You have now successfully configured Web Application Firewall (WAF) for your Azure Application Gateway, enhancing the security posture of your web applications.