Azure Web Application Firewall (WAF) — Operation and Deployment


Even if there are no known vulnerabilities in the web application currently in operation, new vulnerabilities will be discovered in the future, and it may be necessary to upgrade the middle ware or it may be difficult to deal with them immediately. I think that the introduction of WAF is a precautionary measure against unknown vulnerabilities by blocking suspicious requests before they are processed by the application . Of course, WAF does not completely prevent attacks, so it is important to keep your application invulnerable.

Start work with WAF in Application Gateway

Enable application gateway diagnostic logging

Transfer the WAF logs to Azure Log Analytics . This allows Azure Log Analytics to search your logs in a query language called Kusto.

Enable WAF function

Enable WAF in detection mode . If you set it to prevent mode, if there is a false positive request, it will be blocked and the application will not work properly. When using the Azure portal, you can change the settings from

Firewall log collection

If there is a request that matches the rule, it AzureDiagnosticswill be logged in the diagnostic log ( ), which can be viewed or exported to a csv file by querying from Azure Log Analytics . ApplicationGatewayFirewallLog.

Azure Diagnostics
| where Category == "ApplicationGatewayFirewallLog"
| sort by TimeGenerated asc

Problematic requests and consider how handle it

Based on the logs collected above, You can detected false positive requests are summarized. To prevent WAF from blocking successful requests, one of the following actions must be taken for detected false positive requests.

  • Exclude from WAF rules.

Log monitoring and alerting

It is also good to prepare a mechanism to notify when the WAF detects it. This needed because it is necessary to understand the situation when an actual attack is made and to take action when a normal request is blocked.

Switch to prevention mode

We should enable prevention mode when false positive requests are no longer detected and alerts are set.


I think so we should use it in especially a production environment and if good we adjust WAF rules then will be working fine and will detecting attacks without major troubles.

DevOps Consultant. I’m strongly focused on automation, security, and reliability.