Can you see the Firewall Rule that was triggered on Azure Application Gateway WAF

We use Application Gateway WAF in prevention mode, and it blocks some of our mobile app client requests. I switched the WAF to detection mode and sent the logs to Log Analytics. I can see some information about the requests being made and the WAF being triggered, but I can't see which rule was triggered.

Is there a way to see which rule was triggered? Without knowing why it fails, it's hard to narrow down the source of the problem!

When you check the firewall log, you should see a ruleId.

Here is an example:

{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "104.210.252.3",
    "clientPort": "4835",
    "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "941320",
    "message": "Possible XSS Attack Detected - HTML Tag Handler",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
      "data": "Matched Data: <script> found within ARGS:a: <script>alert(\x22hello\x22);</script>",
      "file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
      "line": "865"
    }
  }
}

Before that, you must make sure the firewall log is enabled for each Application Gateway. This log also requires a Web Application Firewall to be configured on the Application Gateway. You can get more details here.

I recommend reading these two articles:

Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway

Azure Application Gateway WAF tuning

When you want to know which requests were blocked by which rules, you first need to run this query:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s =="Blocked"

You will find rules like "949110 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 5)" and "980130 - Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Restricted File Access Attempt; individual paranoia level scores: 5, 0, 0, 0", but you cannot block these rules, because they are just the evaluation of the score. However,

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s =="Blocked"
| distinct requestUri_s, ruleId_s

running this query gets you the blocked URIs; use them to find the rules you can disable (if needed) by running this query:

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where ruleId_s != "949110" and ruleId_s != "980130"
| where requestUri_s == "some-uri"
| distinct ruleId_s
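The same triage can be done offline on exported log lines. The following added example (not from the answers above, and not Azure's own code) parses ApplicationGatewayFirewallLog records in the JSON shape shown earlier, keeps only blocked requests, drops the anomaly-score rules 949110 and 980130 that cannot be disabled, and returns the distinct rule ids per requestUri, mirroring the two KQL queries. The log lines, and the rule ids other than those on the page, are constructed sample values.

```python
import json
from collections import defaultdict

# Rules that only report the anomaly-score evaluation (see the answer above).
# They cannot be disabled, so they are excluded when looking for the rule to tune.
ANOMALY_SCORE_RULES = {"949110", "980130"}

# Constructed sample export: one JSON record per line, trimmed to the fields used here.
# The first requestUri and rule 941320 are the ones from the example log above;
# the other URIs, rule ids and messages are made-up sample values.
SAMPLE_LOG = r'''
{"category": "ApplicationGatewayFirewallLog", "properties": {"requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E", "ruleId": "941320", "action": "Blocked", "message": "Possible XSS Attack Detected - HTML Tag Handler"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E", "ruleId": "949110", "action": "Blocked", "message": "Inbound Anomaly Score Exceeded (Total Score: 5)"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"requestUri": "/api/files?name=report.bak", "ruleId": "920440", "action": "Blocked", "message": "URL file extension is restricted by policy"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"requestUri": "/api/files?name=report.bak", "ruleId": "980130", "action": "Blocked", "message": "Inbound Anomaly Score Exceeded"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"requestUri": "/healthz", "ruleId": "920350", "action": "Detected", "message": "Host header is a numeric IP address"}}
{"category": "ApplicationGatewayAccessLog", "properties": {"requestUri": "/healthz", "httpStatus": 200}}
'''


def parse_firewall_log(text):
    """Yield the 'properties' of each ApplicationGatewayFirewallLog record, skipping other categories."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("category") == "ApplicationGatewayFirewallLog":
            yield record["properties"]


def blocked_rules_by_uri(text, include_anomaly_rules=False):
    """Map each blocked requestUri to the sorted list of rule ids that fired on it.

    Equivalent to the '| where action_s == "Blocked" | distinct requestUri_s, ruleId_s'
    query; by default the anomaly-score rules are filtered out as in the last query.
    """
    hits = defaultdict(set)
    for props in parse_firewall_log(text):
        if props.get("action") != "Blocked":
            continue
        rule_id = props["ruleId"]
        if not include_anomaly_rules and rule_id in ANOMALY_SCORE_RULES:
            continue
        hits[props["requestUri"]].add(rule_id)
    return {uri: sorted(rules) for uri, rules in hits.items()}


def rules_for_uri(text, uri):
    """Distinct tunable rule ids that blocked one specific URI ([] if it was never blocked)."""
    return blocked_rules_by_uri(text).get(uri, [])
```

Each rule id returned can then be looked up in the WAF policy and, if it is a false positive for that URI, disabled or excluded there.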