5.5 Web Application Firewall (WAF)
📘Microsoft Azure Networking Solutions (AZ-700)
Azure WAF protects your web applications from common threats like SQL injection, cross-site scripting (XSS), and other OWASP-style vulnerabilities. When you set up a WAF, you need to choose how it reacts to requests that match its rules. This is done per WAF policy using detection mode or prevention mode. Understanding these two modes is key for the AZ-700 exam.
1. Detection Mode (also called “Monitoring” mode)
- Purpose: To monitor and log traffic without blocking it.
- Function: WAF inspects incoming requests and records potential threats in logs, but it does not stop traffic.
- When to use:
- During initial deployment to understand the traffic pattern.
- When testing new rules to ensure no legitimate traffic is accidentally blocked.
- How it works in IT:
- Imagine your web app receives requests, some may look like attacks (e.g., someone entering suspicious SQL commands).
- In detection mode, WAF logs these requests in Azure Monitor or Log Analytics, but the web app still responds normally.
- IT teams review logs to fine-tune rules, reducing false positives before enforcing blocks.
Example IT scenario:
- Your organization has a web portal where users enter search queries. Some queries accidentally trigger WAF rules. By using detection mode first, you can see these “false positives” in the logs and adjust rules without affecting user experience.
2. Prevention Mode (also called “Blocking” mode)
- Purpose: To actively block malicious requests.
- Function: WAF inspects incoming requests and blocks traffic that matches threat rules.
- When to use:
- Once detection mode logs show which traffic is truly malicious.
- For production applications where security enforcement is required.
- How it works:
- The WAF evaluates each request against the configured managed rules (OWASP Core Rule Set: SQL injection, XSS, etc.) and custom rules.
- If a request matches a blocking rule, WAF stops it before it reaches the app. Application Gateway WAF returns HTTP 403 Forbidden; Azure Front Door WAF also lets you customize the block response status code and body.
Example IT scenario:
- A user attempts to exploit a web app vulnerability using a malicious script. WAF in prevention mode blocks this request immediately, stopping the attack and protecting your web server.
3. How to Configure Detection or Prevention Mode in Azure WAF
Azure WAF can be deployed on Azure Application Gateway (WAF_v2 SKU) or Azure Front Door. In both cases the mode is a setting of the WAF policy, and the configuration is mostly the same:
Steps in Azure Portal (Application Gateway example):
- Go to your Application Gateway → Web Application Firewall.
- Select your WAF policy.
- Under Policy Settings, find Mode.
- Choose either:
- Detection → Logs only, no blocking.
- Prevention → Blocks malicious requests.
- Save the policy.
Note: Custom rules have their own action (Allow, Block, or Log; Front Door also offers Redirect), set independently of the policy mode. A custom rule with the Log action records matches without blocking even while the policy itself is in Prevention, which is how you keep one noisy rule in "detection-like" behavior while the rest of the policy enforces.
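The detection-to-prevention flow from sections 1 and 3 (review detection-mode logs, tune the policy, then switch to Prevention), as an added worked example that is not part of the original notes and not a Microsoft tool. The log records are constructed: the field names follow the ApplicationGatewayFirewallLog schema, but the values, client IPs and the claim that these particular queries would trip CRS rules 942100/941100 are invented for illustration. The output follows the shape of the ARM/Bicep WAF policy properties (`policySettings`, `managedRules.exclusions`), which is an assumption about the API you would then apply with Bicep or `az network application-gateway waf-policy`; the script itself only analyses logs and emits that fragment.

```python
"""Triage Azure WAF detection-mode logs and derive the policy fragment to apply
before switching the policy to Prevention. Added example; sample data constructed."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit


def _rec(client_ip, uri, rule_id, rule_file, data, action="Detected"):
    """One constructed record in the ApplicationGatewayFirewallLog shape.
    In detection mode 'action' is 'Detected'; in prevention it is 'Blocked'."""
    return {
        "category": "ApplicationGatewayFirewallLog",
        "operationName": "ApplicationGatewayFirewall",
        "properties": {
            "clientIp": client_ip, "requestUri": uri,
            "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": rule_id,
            "action": action, "hostname": "portal.contoso.example",
            "policyScopeName": "wafpolicy-portal",
            "details": {"file": rule_file, "data": data},
        },
    }


SQLI_FILE = "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
XSS_FILE = "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"

# Constructed sample: four distinct users whose free-text searches collide with
# the SQLi rule (the false-positive scenario from section 1), plus one client
# probing the login form with real XSS payloads.
SAMPLE_LOGS = [
    _rec("203.0.113.10", "/search?q=select+committee+minutes", "942100", SQLI_FILE,
         "Matched Data: select committee found within ARGS:q: select committee minutes"),
    _rec("203.0.113.11", "/search?q=union+hall+booking", "942100", SQLI_FILE,
         "Matched Data: union hall found within ARGS:q: union hall booking"),
    _rec("203.0.113.12", "/search?q=select+board+2024", "942100", SQLI_FILE,
         "Matched Data: select board found within ARGS:q: select board 2024"),
    _rec("203.0.113.13", "/search?q=delete+my+account", "942100", SQLI_FILE,
         "Matched Data: delete found within ARGS:q: delete my account"),
    _rec("198.51.100.7", "/login?user=%3Cscript%3Ealert(1)%3C/script%3E", "941100", XSS_FILE,
         "Matched Data: <script> found within ARGS:user: <script>alert(1)</script>"),
    _rec("198.51.100.7", "/login?user=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", "941100", XSS_FILE,
         "Matched Data: onerror= found within ARGS:user: <img src=x onerror=alert(1)>"),
]

# Where in the request the match occurred, e.g. "found within ARGS:q:".
_LOCATION = re.compile(r"found within (ARGS|REQUEST_COOKIES|REQUEST_HEADERS):([^:]+):")
_VAR_TO_EXCLUSION = {"ARGS": "RequestArgNames", "REQUEST_COOKIES": "RequestCookieNames",
                     "REQUEST_HEADERS": "RequestHeaderNames"}


def triage(records, min_distinct_clients=3):
    """Group matches by (ruleId, URL path). Many distinct clients tripping one rule
    on one endpoint is the signature of legitimate traffic colliding with a rule
    (false-positive candidate); few clients is treated as probable attack traffic."""
    hits = defaultdict(lambda: {"clients": set(), "count": 0, "record": None})
    for rec in records:
        p = rec["properties"]
        if p["action"] not in ("Detected", "Blocked", "Matched"):
            continue
        h = hits[(p["ruleId"], urlsplit(p["requestUri"]).path)]
        h["clients"].add(p["clientIp"])
        h["count"] += 1
        h["record"] = rec
    candidates, attacks = [], []
    for (rule_id, path), h in sorted(hits.items()):
        entry = {"ruleId": rule_id, "path": path, "hits": h["count"],
                 "distinctClients": len(h["clients"]), "record": h["record"]}
        (candidates if entry["distinctClients"] >= min_distinct_clients else attacks).append(entry)
    return candidates, attacks


def exclusion_for(entry):
    """Turn one false-positive candidate into a managed-rule exclusion scoped to the
    single rule that fired (assumed ARM 'managedRules.exclusions' shape), rather
    than disabling the whole SQLi rule group."""
    p = entry["record"]["properties"]
    m = _LOCATION.search(p["details"]["data"])
    if not m:
        return None
    group = p["details"]["file"].rsplit("/", 1)[-1].removesuffix(".conf")
    return {
        "matchVariable": _VAR_TO_EXCLUSION[m.group(1)],
        "selectorMatchOperator": "Equals",
        "selector": m.group(2),
        "exclusionManagedRuleSets": [{
            "ruleSetType": p["ruleSetType"], "ruleSetVersion": p["ruleSetVersion"],
            "ruleGroups": [{"ruleGroupName": group, "rules": [{"ruleId": p["ruleId"]}]}],
        }],
    }


def prevention_policy(records):
    """Return (policy fragment switching to Prevention with tuned exclusions, attack entries)."""
    candidates, attacks = triage(records)
    exclusions = [e for e in (exclusion_for(c) for c in candidates) if e]
    policy = {
        "policySettings": {"state": "Enabled", "mode": "Prevention"},
        "managedRules": {
            "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}],
            "exclusions": exclusions,
        },
    }
    return policy, attacks


if __name__ == "__main__":
    policy, attacks = prevention_policy(SAMPLE_LOGS)
    print(json.dumps(policy, indent=2))
    for a in attacks:
        print(f"kept blocking: rule {a['ruleId']} on {a['path']} "
              f"({a['hits']} hits from {a['distinctClients']} client)")
```

The threshold on distinct clients is a heuristic, not a rule from the product: a real review would also check the matched payloads by hand before excluding anything, and the exclusion is deliberately narrowed to the one argument name and one rule ID so the rest of the SQLi group still blocks in Prevention.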
4. Exam Tips
- Remember: Detection = Monitor only, Prevention = Block threats.
- Remember the flow:
- Start with detection mode → check logs → adjust rules.
- Move to prevention mode → actively block attacks.
- Azure-specific: WAF logs are not collected by default. You enable a diagnostic setting on the Application Gateway (category ApplicationGatewayFirewallLog) or Front Door profile (FrontDoorWebApplicationFirewallLog) and send it to a Log Analytics workspace, Storage Account, or Event Hub under Azure Monitor. The log's action field reads Detected in detection mode and Blocked in prevention mode. Knowing how logging works is often tested.
- Custom rules: Even in prevention mode, you can give a custom rule the Log action (rather than Block) so it records matches without blocking; for managed rules, use exclusions or disable individual rules to avoid accidental blocking.
5. Key Points to Memorize for the Exam
| Feature | Detection Mode | Prevention Mode |
|---|---|---|
| Action | Logs threats only | Blocks threats |
| User Impact | No disruption | May block legitimate users if misconfigured |
| When to Use | Initial deployment, testing rules | Production, active protection |
| Logs | Recorded in Azure Monitor / Log Analytics (action = Detected) | Also recorded in Azure Monitor / Log Analytics (action = Blocked) |
| Example | SQL injection attempt logged but allowed | SQL injection attempt blocked |
💡 Tip: In the exam, a question might describe a scenario like:
“Your web app receives suspicious requests, but you don’t want to block legitimate users during testing. Which WAF mode should you use?”
The answer is Detection Mode.
