2

We're using the Application Gateway WAF in prevention mode and it's blocking some of our Mobile App Client requests. I switched the WAF into Detection mode and output the logs to Log Analytics. I can see some information about the requests being made and the WAF being triggered, but can't see which rule was triggered.

Is there a way to see what rule was being triggered? It's difficult to narrow down the source of the problem without knowing why it's failing!

David C
  • 501
  • 1
  • 4
  • 16

2 Answers2

3

You should see the ruleId when you check the firewall log.

Here is an example:

{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "104.210.252.3",
    "clientPort": "4835",
    "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "941320",
    "message": "Possible XSS Attack Detected - HTML Tag Handler",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
      "data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
      "file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
      "line": "865"
    }
  }
}

Before this, you have to ensure you enable the firewall log for each application gateway. This log also requires that the web application firewall is configured on an application gateway. You could get more details here.

It's recommended to read these two articles:

Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway

Azure Application Gateway WAF tuning

Nancy
  • 26,865
  • 3
  • 18
  • 34
  • 1
    Thank you kindly, it appears the important ingredient I was missing was patience! The 2nd link you posted mentions that logs are only saved hourly. The WAF was blocking because of rule 920300 - our request is missing an Accept header. – David C Jul 05 '19 at 08:18
2

When you want to find out what request was blocked by what rule you first need to run this query:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s =="Blocked"

You will find there rules like 949110 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 5) or 980130 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt; individual paranoia level scores: 5, 0, 0, 0, but you will not be able to block this rules, as they are just evaluation of scoring. However

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s =="Blocked"
| distinct requestUri_s, ruleId_s

run this query to get blocked uris and the use them to find rules which you can disable (if you want) bu running this query:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where ruleId_s != "949110" and ruleId_s != "980130"
| where requestUri_s == "some-uri"
| distinct ruleId_s
Krzysztof Madej
  • 32,704
  • 10
  • 78
  • 107