What is Azure Web Application Firewall on Azure Application Gateway?

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

WAF on Application Gateway is based on the Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF automatically updates to include protection against new vulnerabilities, with no additional configuration needed.

All of the WAF features listed below exist inside a WAF policy. You can create multiple policies and associate them with an Application Gateway, with individual listeners, or with path-based routing rules on an Application Gateway. This way, you can have a separate policy for each site behind your Application Gateway if needed.

Application Gateway WAF diagram

Application Gateway operates as an application delivery controller (ADC). It offers Transport Layer Security (TLS) termination (TLS was previously known as Secure Sockets Layer, SSL), cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.

Application Gateway security enhancements include TLS policy management and end-to-end TLS support. Application security is strengthened by integrating the WAF into Application Gateway: the combination protects your web applications against common vulnerabilities and provides an easy-to-configure central location from which to manage that protection.


Benefits

This section describes the core benefits that WAF on Application Gateway provides.


  • Protect your web applications from web vulnerabilities and attacks without modifying back-end code.

  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites that are protected by a web application firewall.

  • Create custom WAF policies for different sites behind the same WAF.

  • Protect your web applications from malicious bots with the IP Reputation rule set (preview).


  • Monitor attacks against your web applications by using a real-time WAF log. The log is integrated with Azure Monitor so you can track WAF alerts and easily monitor trends.

  • The Application Gateway WAF is integrated with Azure Security Center. Security Center provides a central view of the security state of all your Azure resources.


  • Customize WAF rules and rule groups to suit your application requirements and eliminate false positives.

  • Associate a WAF policy with each site behind your WAF to allow site-specific configuration.

  • Create custom rules to suit the needs of your application.

Features

  • SQL injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, in Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields. Scope exclusions as narrowly as possible, because an excluded attribute is not inspected by any rule.
  • Create custom rules to suit the specific needs of your applications.
  • Geo-filter traffic to allow or block certain countries/regions from gaining access to your applications (preview).
  • Protect your applications from bots with the bot mitigation rule set (preview).
  • Inspect JSON and XML in the request body.

WAF policy and rules

To enable a web application firewall on Application Gateway, you must create a WAF policy. This policy is where all of the managed rules, custom rules, exclusions, and other customizations such as the file upload limit exist.

You can configure a WAF policy and associate that policy with one or more application gateways for protection. A WAF policy consists of two types of security rules:

  • Custom rules that you create

  • Managed rule sets, which are collections of Azure-managed, preconfigured rules

When both are present, custom rules are processed before the rules in a managed rule set. A rule is made up of a match condition, a priority, and an action. The supported action types are ALLOW, BLOCK, and LOG. You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.

Rules within a policy are processed in priority order. Priority is a unique integer that defines the order in which rules are processed. A smaller integer value denotes a higher priority, and those rules are evaluated before rules with a larger integer value. Once a rule is matched, the action defined in that rule is applied to the request, and rules with lower priority (a larger integer) aren't processed further.

A web application delivered by Application Gateway can have a WAF policy associated with it at the global level, at a per-site level, or at a per-URI level.
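The evaluation order described above has a practical consequence worth seeing in code: because the first matching custom rule ends evaluation, a custom ALLOW rule for a source range means the managed rule set never sees requests from that range, and a low-integer ALLOW shadows any higher-integer BLOCK. The following is an added example, not Azure code or the product's actual engine. It models only what the page states (custom rules first, in ascending priority, first match wins, then the managed rule set); the rule names, IP ranges, request URIs and the single SQL-injection pattern standing in for the managed rule set are hypothetical, and the LOG action is not modelled.

```python
"""Evaluation order of a WAF policy on Application Gateway, modelled in Python.

Added example, not Azure code. It follows the page's description: custom rules
are evaluated first, in ascending priority (a smaller integer is a higher
priority); the first matching rule's action is applied and evaluation stops;
the managed rule set is reached only when no custom rule matched. The
"managed" layer below is a single stand-in SQL-injection pattern, not the
OWASP CRS, and the LOG action is not modelled.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    client_ip: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class CustomRule:
    name: str
    priority: int                       # unique per policy; lower value runs first
    action: str                         # "ALLOW" or "BLOCK"
    match: Callable[[Request], bool]    # the rule's match condition


def ip_in(cidr: str) -> Callable[[Request], bool]:
    """Match condition: client address is inside the given CIDR range."""
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.client_ip) in net


def uri_matches(pattern: str) -> Callable[[Request], bool]:
    """Match condition: request URI matches a regular expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda r: rx.search(r.uri) is not None


# Stand-in for the managed rule set: one crude SQLi signature (hypothetical,
# far narrower than the real CRS), used only to show when managed rules run.
MANAGED_SQLI = re.compile(r"(%27|')\s*(or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def evaluate(policy: List[CustomRule], request: Request) -> Tuple[str, str]:
    """Return (verdict, reason) for one request under the page's evaluation order."""
    priorities = [r.priority for r in policy]
    if len(set(priorities)) != len(priorities):
        raise ValueError("custom rule priorities must be unique")
    # 1. Custom rules, highest priority (smallest integer) first; first match wins.
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.match(request):
            return rule.action, f"custom rule {rule.name!r} (priority {rule.priority})"
    # 2. Managed rule set, reached only when no custom rule matched.
    if MANAGED_SQLI.search(request.uri):
        return "BLOCK", "managed rule set (SQLi stand-in)"
    return "ALLOW", "no rule matched"


# Constructed policy (hypothetical names and ranges): an allow-list for a partner
# network at priority 5 and a block on common probing paths at priority 10.
POLICY = [
    CustomRule("allow-partner-range", 5, "ALLOW", ip_in("198.51.100.0/24")),
    CustomRule("block-probe-paths", 10, "BLOCK", uri_matches(r"^/(phpmyadmin|\.env)")),
]

SQLI_URI = "/products?id=1' OR 1=1--"


def demo() -> Dict[str, str]:
    """Run four constructed requests through POLICY and return their verdicts."""
    cases = {
        "sqli_from_internet": Request("203.0.113.5", SQLI_URI),
        "sqli_from_partner": Request("198.51.100.7", SQLI_URI),      # ALLOW skips managed rules
        "probe_from_partner": Request("198.51.100.7", "/phpmyadmin/index.php"),  # priority 5 wins
        "probe_from_internet": Request("203.0.113.5", "/.env"),
    }
    return {name: evaluate(POLICY, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The two "partner" cases are the ones to keep in mind when writing custom rules: the same SQL-injection payload that the managed layer blocks from the internet is allowed from the partner range, and the probe-path block never runs for that range either, because the priority-5 ALLOW matched first.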

Core rule sets

Application Gateway supports three rule sets: CRS 3.1, CRS 3.0, and CRS 2.2.9. These rules protect your web applications from malicious activity.

For more information, see Web application firewall CRS rule groups and rules.

Custom rules

Application Gateway also supports custom rules. With custom rules, you can create your own rules, which are evaluated for each request that passes through the WAF. These rules take priority over the rules in the managed rule sets. If a set of conditions is met, an action is taken to allow or block the request.

For more information on custom rules, see Custom rules for Application Gateway.

Bot mitigation (preview)

A managed bot protection rule set can be enabled for your WAF to block or log requests from known malicious IP addresses, alongside the managed rule set. The IP addresses are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services, including Azure Security Center.


The bot protection rule set is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the Supplemental Terms of Use for Azure Previews for details.

If bot protection is enabled, incoming requests whose client IP matches a known malicious bot are logged in the firewall log (see the WAF monitoring section below). You can access WAF logs from a storage account, an event hub, or Log Analytics.

WAF modes

The Application Gateway WAF can be configured to run in one of two modes:

  • Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section, and you must also make sure that the WAF log is selected and turned on. The web application firewall doesn't block incoming requests when it's operating in Detection mode.
  • Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives an HTTP 403 (Forbidden) response and the connection is closed. Prevention mode records such attacks in the WAF logs.


It is recommended that you run a newly deployed WAF in Detection mode for a short period of time in a production environment. This gives you the opportunity to review the firewall logs and add any exclusions or custom rules before transitioning to Prevention mode, which helps reduce unexpected blocked traffic.

Anomaly Scoring mode

The OWASP CRS has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.

In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand, but the lack of information about how many rules match a specific request is a limitation. Anomaly Scoring mode was introduced to address this, and it's the default for CRS 3.x.

In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Each rule has a severity: Critical, Error, Warning, or Notice. That severity contributes a numeric value to the request's total, which is called the anomaly score. For example, one Warning rule match contributes 3 to the score, and one Critical rule match contributes 5.

Severity   Value
Critical   5
Error      4
Warning    3
Notice     2

The anomaly score threshold for blocking traffic is 5. So a single Critical rule match is enough for the Application Gateway WAF to block a request in Prevention mode, whereas one Warning rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic.


The entry logged when a WAF rule matches traffic may carry the action value "Blocked", but the traffic is actually blocked only when the anomaly score for the request reaches 5 or higher. Judge whether a request was blocked by the total score across all matches for the transaction, not by a single rule's log entry.

WAF monitoring

Monitoring the health of your application gateway is important. Monitoring the health of your WAF and the applications that it protects is supported by integration with Azure Security Center, Azure Monitor, and Azure Monitor logs.

Application Gateway WAF diagnostics diagram

Azure Monitor

Application Gateway logs are integrated with Azure Monitor, which lets you track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab of the Application Gateway resource in the portal, or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.

Azure Security Center

Security Center helps you prevent, detect, and respond to threats. It provides increased visibility into and control over the security of your Azure resources. Application Gateway is integrated with Security Center, which scans your environment to detect unprotected web applications and can recommend Application Gateway WAF to protect these vulnerable resources. You create the firewalls directly from Security Center. These WAF instances are integrated with Security Center and send alerts and health information to it for reporting.


Logging

Application Gateway WAF provides detailed reporting on each threat that it detects. Logging is integrated with Azure Diagnostics logs, and alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs. A firewall log entry for a single rule match looks like this:


{
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "",
    "clientPort": "0",
    "requestUri": "/",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "920350",
    "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
    "message": "Host header is a numeric IP address",
    "action": "Matched",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host ....",
      "data": "",
      "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      "line": "791"
    },
    "hostname": "",
    "transactionId": "16861477007022634343",
    "policyId": "/subscriptions/1496a758-b2ff-43ef-b738-8e9eb5161a86/resourceGroups/drewRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/globalWafPolicy",
    "policyScope": "Global",
    "policyScopeName": " Global "
  }
}
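Each firewall log entry records one rule match, so the question raised in the Anomaly Scoring mode section above (was this request actually blocked, or did a single rule merely match?) can only be answered by grouping entries by transactionId and summing the severity weights. The following added example, not Azure code, does exactly that for records in the shape shown above: it reads the severity from the first word of details.message (as in the sample's "Warning. Pattern match ..."), applies the weights from the page's table, and compares the total with the threshold of 5. The sample records are constructed, not captured logs; their rule IDs follow CRS 3.x numbering and their messages are abbreviated.

```python
"""Re-score Application Gateway WAF firewall-log entries per transaction.

Added example, not Azure code. Firewall-log records are one entry per rule
match, so whether a request was blocked in Anomaly Scoring mode is decided by
the total across all entries with the same transactionId. Severity is taken
from the leading word of details.message, weighted with the page's table, and
compared with the inbound threshold of 5.
"""
import json
import re
from typing import Dict, List

SEVERITY_WEIGHT = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5
SEVERITY_RE = re.compile(r"^(Critical|Error|Warning|Notice)\b")


def _record(txn: str, client_ip: str, uri: str, rule_id: str, group: str, message: str) -> dict:
    """Build one record in the ApplicationGatewayFirewallLog shape shown on the page."""
    return {
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "clientIp": client_ip,
            "requestUri": uri,
            "ruleSetType": "OWASP",
            "ruleSetVersion": "3.0",
            "ruleId": rule_id,
            "ruleGroup": group,
            "action": "Matched",
            "details": {"message": message},
            "transactionId": txn,
        },
    }


# Constructed sample records (not captured logs). Rule IDs follow CRS 3.x
# numbering; the messages are abbreviated.
SAMPLE_RECORDS: List[dict] = [
    _record("t-1", "203.0.113.10", "/", "920350", "920-PROTOCOL-ENFORCEMENT",
            "Warning. Host header is a numeric IP address"),
    _record("t-2", "203.0.113.11", "/api/health", "920300", "920-PROTOCOL-ENFORCEMENT",
            "Notice. Request Missing an Accept Header"),
    _record("t-2", "203.0.113.11", "/api/health", "920320", "920-PROTOCOL-ENFORCEMENT",
            "Notice. Missing User Agent Header"),
    _record("t-3", "203.0.113.12", "/login?user=%27%20OR%201%3D1--", "942100",
            "942-APPLICATION-ATTACK-SQLI", "Critical. SQL Injection Attack Detected via libinjection"),
    _record("t-4", "203.0.113.13", "/", "920350", "920-PROTOCOL-ENFORCEMENT",
            "Warning. Host header is a numeric IP address"),
    _record("t-4", "203.0.113.13", "/", "920300", "920-PROTOCOL-ENFORCEMENT",
            "Notice. Request Missing an Accept Header"),
]
# The same records as a newline-delimited JSON export, one record per line.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def severity_of(record: dict) -> str:
    """Severity is the leading word of details.message, e.g. 'Warning. Pattern match ...'."""
    message = record["properties"]["details"]["message"]
    m = SEVERITY_RE.match(message)
    if m is None:
        raise ValueError(f"no severity prefix in message: {message!r}")
    return m.group(1)


def score_transactions(records: List[dict], threshold: int = BLOCK_THRESHOLD) -> Dict[str, dict]:
    """Sum anomaly weights per transactionId and flag the requests that reach the threshold."""
    txns: Dict[str, dict] = {}
    for rec in records:
        p = rec["properties"]
        t = txns.setdefault(p["transactionId"], {
            "clientIp": p["clientIp"], "requestUri": p["requestUri"], "score": 0, "rules": []})
        sev = severity_of(rec)
        t["score"] += SEVERITY_WEIGHT[sev]
        t["rules"].append((p["ruleId"], sev))
    for t in txns.values():
        t["blocked"] = t["score"] >= threshold
    return txns


def score_ndjson(text: str, threshold: int = BLOCK_THRESHOLD) -> Dict[str, dict]:
    """Same, starting from a newline-delimited JSON export."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return score_transactions(records, threshold)


if __name__ == "__main__":
    for txn, t in score_transactions(SAMPLE_RECORDS).items():
        verdict = "BLOCKED" if t["blocked"] else "logged "
        rules = ", ".join(f"{rid}({sev})" for rid, sev in t["rules"])
        print(f"{txn} {verdict} score={t['score']} {t['clientIp']} {t['requestUri']} [{rules}]")
```

Run against the constructed records, transaction t-1 (one Warning, score 3) and t-2 (two Notices, score 4) are logged but not blocked, t-3 (one Critical, score 5) is blocked, and t-4 shows the case that surprises people in Detection-to-Prevention reviews: a Warning plus a Notice, neither blocking on its own, together reach 5 and block the request.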

Application Gateway WAF SKU pricing

The pricing models differ for the WAF_v1 and WAF_v2 SKUs. See the Application Gateway pricing page to learn more.

Next steps