Adding Firewall Exceptions to an ARM Template

Share on facebook
Share on twitter
Share on linkedin

I was recently working at a client where we have an Azure Service Fabric Cluster with an Application Gateway in front to direct traffic to the individual services. The Application Gateway was configured with a Web Application Firewall (WAF) with OWASP security rules. The default OWASP rules can trigger a lot of false positives and block a lot of requests in the gateway. You can disable individual rules in the firewall by going into the Azure portal. The problem with this approach is that our entire Azure infrastructure was built using Azure Resource Manager (ARM) templates. Whenever I would redeploy the gateway to add new rules to direct the traffic it would reset the firewall rules and I would have to go back into the portal and disable the rules again.

After doing some research I found an ARM template on GitHub that included a property called “webApplicationFirewallConfiguration.disabledRuleGroups”. This sounded exactly like what I needed to be able to do. The problem was that the GitHub example was empty:

"webApplicationFirewallConfiguration": {
    "enabled": "[parameters('wafEnabled')]",
    "firewallMode": "[parameters('wafMode')]",
    "ruleSetType": "[parameters('wafRuleSetType')]",
    "ruleSetVersion": "[parameters('wafRuleSetVersion')]",
    "disabledRuleGroups": []
}

I tried to do some searching to find any examples of how to use this property but my searches were unsuccessful. After some trial and error I was able to figure it out. Here is an example of how to disable individual firewall rules in a Web Application Firewall.

"webApplicationFirewallConfiguration": {
    "enabled": true,
    "firewallMode": "Prevention",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "2.2.9",
    "disabledRuleGroups": [
    {
        "ruleGroupName": "crs_40_generic_attacks",
        "rules": ["960024"]
    },
    {
        "ruleGroupName": "crs_41_sql_injection_attacks",
        "rules": ["950901", "981172"]
    }
]

You need to provide the name of the rule group in the ‘ruleGroupName’ property and then specify which individual rules you want to disable from within that rule group. You can see the full list of rules by using the Azure portal, but you can also see which rules might make sense to disable by viewing a list of the most frequent false positives.

More to explore