Authentication

The first time you log in you will have to consent to our app reading your user profile data. Do not worry, we only ask for the User.Read permission and we read only your username.

Consent to our app

NOTE: You can only log in with a Work or School Microsoft account.

Revoking access

If at some point you want to stop using our services, it is good practice to also revoke the User.Read access. You can do that by going to https://myapps.microsoft.com/, finding the ManagedWAF app and revoking the access. If you don't consume our services, we won't use this access, but we encourage best practices.

Organization

After a successful login, you need to create an "organization" with us. This is a logical group that we use internally. Call it a subscription or organization; they are very similar. It is the body that will hold your WAF Policies, Users, Service Principal, Limits, etc.

Log Analytics workspace

When you register for an organization with us, we will ask you to also give us the workspace id of the Log Analytics workspace that we will be using.

The general idea is the following:

  • You send your Front Door or Application Gateway WAF Logs to a Log Analytics workspace in your environment
  • You register the workspace id (so we know it) under your newly created organization with us
  • Provide us access to it, so we can display your WAF logs through our portal

NOTE: You can only register one workspace id. This means that if you are not sending all your WAF logs to this workspace id, you should consider doing it. If not, the only logs you will see through our services are the logs that reside in this particular workspace.

Logs Setup

First of all, make sure that you are sending both Access and Firewall logs to the same Log Analytics workspace that you registered with us when you created the organization and that you will provide us access to.

This is done by going to the Diagnostic settings of the Front Door or Application Gateway and setting up log forwarding.

Front Door: Send Front Door Logs to Log Analytics workspace

Application Gateway: Send Application Gateway Logs to Log Analytics workspace

NOTE: Make sure that you are sending them to the same Log Analytics workspace you provide when registering an Organization with us.
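The check a practitioner would run after this step, as an added example that is not part of the original guide: verify that both the Access and the Firewall log category of a Front Door or Application Gateway actually reach the one workspace registered with the organization. The input is shaped like the list returned by `az monitor diagnostic-settings list`; the settings and workspace ids below are constructed placeholders.

```python
# Added example, not part of the original guide: verify that a Front Door or
# Application Gateway forwards both its Access and Firewall log categories to
# the one Log Analytics workspace registered with the organization.
# `settings` is shaped like the list returned by
# `az monitor diagnostic-settings list`; the sample below is constructed and
# the workspace resource ids are placeholders.

# Built-in diagnostic log categories for the two WAF-fronted resource kinds.
REQUIRED_CATEGORIES = {
    "frontdoor": {"FrontDoorAccessLog", "FrontDoorWebApplicationFirewallLog"},
    "appgw": {"ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog"},
}

def covered_categories(settings, registered_workspace_id, required):
    """Categories that reach the registered workspace (other targets are ignored)."""
    covered = set()
    for setting in settings:
        if (setting.get("workspaceId") or "").lower() != registered_workspace_id.lower():
            continue  # forwarded somewhere else: invisible to the portal
        for log in setting.get("logs", []):
            if not log.get("enabled"):
                continue
            if log.get("categoryGroup") == "allLogs":  # group selection covers everything
                covered |= required
            elif log.get("category"):
                covered.add(log["category"])
    return covered

def check_log_forwarding(settings, resource_kind, registered_workspace_id):
    """Return (ok, sorted categories missing from the registered workspace)."""
    required = REQUIRED_CATEGORIES[resource_kind]
    missing = required - covered_categories(settings, registered_workspace_id, required)
    return (not missing, sorted(missing))

# Constructed sample: the access log reaches the registered workspace, the
# firewall log is disabled there and only forwarded to a second workspace.
REGISTERED_WS = "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/waf-logs"
SAMPLE_SETTINGS = [
    {"name": "to-registered", "workspaceId": REGISTERED_WS, "logs": [
        {"category": "FrontDoorAccessLog", "enabled": True},
        {"category": "FrontDoorWebApplicationFirewallLog", "enabled": False}]},
    {"name": "to-other", "workspaceId": REGISTERED_WS.replace("waf-logs", "other"), "logs": [
        {"category": "FrontDoorWebApplicationFirewallLog", "enabled": True}]},
]

if __name__ == "__main__":
    ok, missing = check_log_forwarding(SAMPLE_SETTINGS, "frontdoor", REGISTERED_WS)
    print("OK" if ok else f"not reaching the registered workspace: {missing}")
```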

Granting Azure WAF Manager Access

In order for us to reach your WAF Logs, we need read-only access to the Log Analytics workspace where you send your WAF logs. There are a couple of ways to do this, but we have chosen the most modern and clean approach: Azure Lighthouse. There are two ways of granting us access via Azure Lighthouse: at subscription scope or at resource group scope. Of course we encourage you to follow the least privilege way, which is granting us access to the resource group in which the Log Analytics workspace resides. At this stage there is no way of granting access ONLY to a single resource.

To grant us access via Azure Lighthouse, you can choose one of the two ARM Templates we have ready for you. They are super-easy, few-click setups.

Azure Lighthouse Resource Group

This template will provide us with the Log Analytics Reader role over the resource group in question.

Azure Lighthouse Resource Group

or copy link

https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FSunwell-Solutions-LTD%2Fazure-waf-manager-arm-templates%2Fmain%2Fawm-azure-lighthouse-resourcegroup.json

Azure Lighthouse Subscription

This template will provide us with the Log Analytics Reader role over the subscription in question.

Azure Lighthouse Subscription

or copy link

https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FSunwell-Solutions-LTD%2Fazure-waf-manager-arm-templates%2Fmain%2Fawm-azure-lighthouse-subscription.json

The deployment looks like this (resource group choice). Just select the subscription and then the resource group in which the Log Analytics workspace resides.

Azure Lighthouse deployment

Once this is deployed, go to Azure Lighthouse, then Service providers and select Service provider offers. There you should see us. The name of the offer is Managed Azure WAF. Browse it to see details and the role assignments. Here is how it should look:

Azure Lighthouse role assignment overview

We only get Log Analytics Reader role and nothing else.
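A way to confirm that claim before deploying, as an added example that is not part of the original guide or its ARM templates: load the template JSON, resolve the `authorizations` it would delegate through the registrationDefinition, and flag any role other than Log Analytics Reader. The role ids are assumed from Azure's built-in role list (confirm them in your tenant with `az role definition list --name "Log Analytics Reader"`), and the sample template is constructed.

```python
import re

# Added example, not part of the original guide or its ARM templates: list the
# roles a Lighthouse registrationDefinition would delegate and flag anything
# beyond Log Analytics Reader. The role ids are assumed from Azure's built-in
# role list; confirm with `az role definition list --name "Log Analytics Reader"`.
LOG_ANALYTICS_READER = "73c42c96-874c-492b-b04d-ab87d138a893"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, template):
    """Resolve a [parameters('x')] expression to that parameter's defaultValue."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return template.get("parameters", {}).get(m.group(1), {}).get("defaultValue")
    return value

def delegated_roles(template):
    """(principalIdDisplayName, roleDefinitionId) pairs the template would delegate."""
    pairs = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.ManagedServices/registrationDefinitions":
            continue
        auths = resolve(res.get("properties", {}).get("authorizations"), template) or []
        for auth in auths:
            pairs.append((auth.get("principalIdDisplayName", auth["principalId"]),
                          auth["roleDefinitionId"].lower()))
    return pairs

def unexpected_roles(template, allowed=frozenset({LOG_ANALYTICS_READER})):
    """Delegations whose role is not in the allowlist; an empty list is what you want."""
    return [pair for pair in delegated_roles(template) if pair[1] not in allowed]

# Constructed template: a second authorization slips in the built-in Contributor
# role (b24988ac-...) alongside Log Analytics Reader.
SAMPLE_TEMPLATE = {
    "parameters": {"authorizations": {"type": "array", "defaultValue": [
        {"principalId": "<provider-group-id>", "principalIdDisplayName": "Log readers",
         "roleDefinitionId": LOG_ANALYTICS_READER},
        {"principalId": "<provider-group-id>", "principalIdDisplayName": "Ops",
         "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"}]}},
    "resources": [{"type": "Microsoft.ManagedServices/registrationDefinitions",
                   "properties": {"authorizations": "[parameters('authorizations')]"}}],
}

if __name__ == "__main__":
    for name, role in unexpected_roles(SAMPLE_TEMPLATE):
        print(f"unexpected delegation: {name} -> {role}")
```

Run it against the downloaded template with `json.load` in place of the sample; an empty result means the offer asks for nothing beyond Log Analytics Reader.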

Revoking Access

To fully revoke our access, delete our entire service provider offer from the Service provider offers blade in Azure Lighthouse; there is a delete button there that revokes the access.

Revoke Log Analytics Reader role

If you want to keep our service provider offer but only remove the specific Log Analytics Reader role on the subscription/resource group, go to Delegations instead and delete the delegation from there.

Adding WAF Policies

Now that you have taken care of the logs access, it's time to add WAF Policies to our portal. Go to Organizations -> WAF Policies. Add the WAF policies you want to manage there. The info we require per WAF Policy is the following:

  • WAF Policy name
  • Subscription id
  • Resource Group
  • Type

We need this info so we can call the Azure REST API when we need to fetch the WAF Policy object.

If you have finished the steps so far, you should be able to go to Dashboard and look at WAF logs.

Service Principal

We can not only display WAF logs but also whitelist parameters directly from the log view. However, we cannot do this with the access we have so far, which is Log Analytics Reader. In order to make changes to a WAF Policy we need the Contributor role on each WAF policy you want to manage through our portal. Here is how to do it.

Create Service Principal

Go to your Azure Portal and navigate to Azure Active Directory and then App registrations. Create a New registration. Give it an appropriate name (WAFManager is cool) and click Register.

NOTE: App Registration and Service Principal are interchangeable here.

Now open the newly created Service Principal and navigate to Certificates & secrets. Create a new client secret. The value is only shown once, so record it.

Return to our portal under Organization (best in an already opened tab or a new tab so you can copy the info). Add the details of the newly created Service Principal. Apart from the secret, all the required details are in the Overview blade of the Service Principal.

Now go to each of the WAF Policies you have added or plan to add in our portal and give the Contributor role to the Service Principal.
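An audit for this last step, as an added example that is not part of the original guide: rebuild each managed policy's resource id from the four fields the portal asks for, then compare it with the service principal's actual role assignments, so Contributor stays on the policy resources themselves and never lands on a resource group or subscription. The assignments are shaped like items from `az role assignment list --assignee <appId> --all`; all ids and names below are constructed.

```python
# Added example, not part of the original guide: audit the role assignments of
# the WAFManager service principal against the WAF Policies registered in the
# portal. `assignments` is shaped like items from
# `az role assignment list --assignee <appId> --all`; the data is constructed.

# Resource types behind the "Type" field of a registered WAF Policy.
WAF_TYPES = {
    "FrontDoor": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
    "ApplicationGateway": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
}

def policy_scope(policy):
    """Build the ARM resource id from the four fields the portal asks for."""
    return (f"/subscriptions/{policy['subscription_id']}"
            f"/resourceGroups/{policy['resource_group']}"
            f"/providers/{WAF_TYPES[policy['type']]}/{policy['name']}")

def audit_sp_assignments(assignments, managed_policies):
    """Return (unexpected assignments, policies still lacking Contributor)."""
    expected = {policy_scope(p).lower(): policy_scope(p) for p in managed_policies}
    missing = dict(expected)
    unexpected = []
    for a in assignments:
        scope = a["scope"].lower()
        if scope in expected and a["roleDefinitionName"] == "Contributor":
            missing.pop(scope, None)
        else:  # wrong role, or a scope wider than / outside the managed policies
            unexpected.append((a["roleDefinitionName"], a["scope"]))
    return unexpected, sorted(missing.values())

SUB = "<subscription-id>"
MANAGED_POLICIES = [
    {"name": "fd-waf-prod", "subscription_id": SUB, "resource_group": "rg-edge", "type": "FrontDoor"},
    {"name": "agw-waf-prod", "subscription_id": SUB, "resource_group": "rg-web", "type": "ApplicationGateway"},
]
# Constructed: one correct assignment, one Contributor granted on a whole
# resource group instead of the policy, and one policy with no assignment yet.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": policy_scope(MANAGED_POLICIES[0])},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-web"},
]

if __name__ == "__main__":
    unexpected, missing = audit_sp_assignments(SAMPLE_ASSIGNMENTS, MANAGED_POLICIES)
    print("unexpected:", unexpected)
    print("missing Contributor:", missing)
```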

That's it! You should be able to fully consume our services now.

Congratulations and Enjoy!
