Azure WAF Overview

Azure Web Application Firewall (WAF) has two distinctive properties:

  1. You have a Web Application Firewall (WAF) Policy which is attached to either an Application Gateway or a Front Door instance
  2. Front Door/Application Gateway can be configured to send Firewall (WAF) logs to a Log Analytics workspace, where they can be viewed and reported on

What is Azure WAF Manager?

Azure WAF Manager is a SaaS tool that lets you easily manage and optimize your Azure Web Application Firewall (WAF) Policies, gives you visibility into your Azure WAF traffic, and provides a great toolset for your Azure WAF needs, such as log enrichment, false-positive suggestions, IP reputation scores, malicious confidence and much more. We also provide the ability to produce hourly, daily and monthly reports with everything needed. It works with both Front Door and Application Gateway WAF.

Why?

Anyone who has tried to tune an Azure WAF policy knows that it is extremely unfriendly. Azure WAF policies are also based on OWASP rulesets, which can be very restrictive, so a lot of false positives arise, and finding and whitelisting them becomes a chore.

How do we help?

First of all, tools like this come mostly out of necessity. We ourselves have to tune various WAF policies hundreds of times a day, and we just want to reduce the effort and have more visibility. We can proudly say that using the Azure WAF Manager can easily reduce the time spent on WAF tasks by 90%.

The things we do that you don't currently have in the Azure Portal are:

  • Display the WAF logs in a beautiful dashboard with charts to help you understand the log, and a filterable log table

  • We enrich the log with additional data such as:

  • IP Information - Something that is crucially missing from the Log Analytics output. We display not only the IP but also its Malicious Score, Bot status, Tor status, Geolocation, ASN and Malicious reports. All this right in the log output!

    IP Reputation Table
  • Calculates Malicious Confidence based on the Malicious Score of the IP and its behavior in the rest of the log entries. You can filter the log by Malicious Confidence and quickly find offenders or likely false positives

    Malicious Score
  • Suggests whitelisting - If the Malicious Confidence is 0, it will consider the request a false positive and will allow you to whitelist this particular false positive with a single click, directly from the log. Whitelisting via the Azure REST API takes ~1 second, while from the portal it takes ~1 minute! Saves a huge amount of time

    Whitelisting
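
The following sketch illustrates the idea behind Malicious Confidence and whitelisting suggestions described above. It is an added example, not Azure WAF Manager's own code or algorithm: the field names, the reputation scores, the sample log entries and the 20-point weighting are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: blocked WAF log entries reduced to three hypothetical fields.
LOG = [
    {"client_ip": "203.0.113.10", "rule_id": "942130", "uri": "/api/search"},
    {"client_ip": "203.0.113.11", "rule_id": "942130", "uri": "/api/search"},
    {"client_ip": "203.0.113.12", "rule_id": "942130", "uri": "/api/search"},
    {"client_ip": "198.51.100.7", "rule_id": "942130", "uri": "/login"},
    {"client_ip": "198.51.100.7", "rule_id": "930120", "uri": "/files"},
    {"client_ip": "198.51.100.7", "rule_id": "913100", "uri": "/admin"},
    {"client_ip": "198.51.100.9", "rule_id": "920350", "uri": "/"},
]
# Constructed reputation scores (0 = clean, 100 = known bad); unknown IPs default to 0.
IP_SCORE = {"198.51.100.7": 10, "198.51.100.9": 85}


def malicious_confidence(log, ip_score):
    """Return {ip: confidence 0-100} from IP reputation plus behaviour in the log."""
    rules_by_ip = defaultdict(set)
    for entry in log:
        rules_by_ip[entry["client_ip"]].add(entry["rule_id"])
    confidence = {}
    for ip, rules in rules_by_ip.items():
        # Assumed weighting: each extra distinct rule an IP trips adds 20 points,
        # because one client hitting many unrelated rules looks like scanning.
        confidence[ip] = min(100, ip_score.get(ip, 0) + 20 * (len(rules) - 1))
    return confidence


def false_positive_candidates(log, ip_score):
    """Group confidence-0 entries by (rule, URI); skip groups a suspect IP also hit."""
    confidence = malicious_confidence(log, ip_score)
    clean, tainted = defaultdict(set), set()
    for entry in log:
        key = (entry["rule_id"], entry["uri"])
        if confidence[entry["client_ip"]] == 0:
            clean[key].add(entry["client_ip"])
        else:
            tainted.add(key)
    return {k: sorted(ips) for k, ips in clean.items() if k not in tainted}


if __name__ == "__main__":
    for (rule, uri), ips in false_positive_candidates(LOG, IP_SCORE).items():
        print(f"rule {rule} on {uri}: {len(ips)} clean clients, review for exclusion")
```

Any exclusion that results from such a suggestion is best scoped to the specific rule and request attribute involved, so the rule keeps protecting the rest of the application.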

More on Log Enrichment in further docs

You can see all this for yourself in our Demo section
