Customize web application firewall rules through the Azure portal

The Azure Application Gateway web application firewall (WAF) provides protection for web applications. These protections are provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). Some rules can cause false positives and block real traffic. For this reason, Application Gateway provides the capability to customize rule groups and rules. For more information on the specific rule groups and rules, see List of web application firewall CRS rule groups and rules.

Note

If your application gateway is not using the WAF tier, the option to upgrade the application gateway to the WAF tier appears in the right pane.

[Screenshot: Enable WAF]

View rule groups and rules

To view rule groups and rules

  1. Browse to the application gateway, and then select Web application firewall.
  2. Select Advanced rule configuration.
    This view shows a table on the page of all the rule groups provided with the chosen rule set. All of the rules' check boxes are selected.

[Screenshot: Configure disabled rules]

Search for rules to disable

The Web application firewall settings page provides the capability to filter the rules through a text search. The result displays only the rule groups and rules that contain the text you searched for.

[Screenshot: Search rules]

Disable rule groups and rules

Important

Use caution when disabling any rule groups or rules. This may expose you to increased security risks.

When you're disabling rules, you can disable an entire rule group or specific rules under one or more rule groups.

To disable rule groups or specific rules

  1. Search for the rules or rule groups that you want to disable.
  2. Clear the check boxes for the rules that you want to disable.
  3. Select Save.

[Screenshot: Save changes]

Mandatory rules

The following list contains conditions that cause the WAF to block the request while in Prevention Mode. In Detection Mode, they're logged as exceptions.

These can't be configured or disabled:

  • Failure to parse the request body results in the request being blocked, unless body inspection is turned off (XML, JSON, form data)
  • Request body (with no files) data length is larger than the configured limit
  • Request body (including files) is larger than the limit
  • An internal error happened in the WAF engine

CRS 3.x specific:

  • Inbound anomaly score exceeded threshold
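The portal steps above for disabling rule groups or individual rules, and the mandatory conditions just listed, are often reproduced in infrastructure-as-code so that exclusions are reviewed rather than clicked. The following Python helper is an added example and not Microsoft's code: it builds the `webApplicationFirewallConfiguration` object of a `Microsoft.Network/applicationGateways` ARM resource, refuses to disable a whole rule group unless that is explicitly allowed (the same caution the page gives), and reports which of the mandatory conditions still apply to the resulting configuration and whether they block or only log. The rule group `REQUEST-942-APPLICATION-ATTACK-SQLI` and rule `942130` are CRS 3.0 names used only for illustration, and the body-size defaults are assumptions.

```python
"""Build the webApplicationFirewallConfiguration block of an Azure
Application Gateway (WAF tier) ARM template, with a local policy check.

Added example, not Microsoft's code.  Property names follow the
Microsoft.Network/applicationGateways ARM schema.  The CRS group and rule
ID in the demo are for illustration only; body-size defaults are assumed.
"""
import json
from typing import Dict, List, Optional

DEFAULT_MAX_BODY_KB = 128      # assumed default for maxRequestBodySizeInKb
DEFAULT_FILE_UPLOAD_MB = 100   # assumed default for fileUploadLimitInMb

# Conditions the page lists as not configurable or disableable.
MANDATORY_CONDITIONS = {
    "body_parse_failure": "Failure to parse the request body",
    "body_too_large": "Request body (no files) larger than the configured limit",
    "upload_too_large": "Request body (including files) larger than the limit",
    "engine_error": "Internal error in the WAF engine",
    "anomaly_score": "Inbound anomaly score exceeded threshold (CRS 3.x only)",
}


class WafPolicyError(ValueError):
    """A requested exclusion violates the local hardening policy."""


def build_waf_config(
    mode: str,
    disabled: Dict[str, Optional[List[int]]],
    rule_set_version: str = "3.0",
    request_body_check: bool = True,
    max_body_kb: int = DEFAULT_MAX_BODY_KB,
    file_upload_mb: int = DEFAULT_FILE_UPLOAD_MB,
    allow_whole_group: bool = False,
) -> dict:
    """Return the webApplicationFirewallConfiguration object.

    `disabled` maps a CRS rule group name to the rule IDs to disable inside
    it, or to None to disable the entire group.  Whole-group disabling is
    refused unless allow_whole_group=True, so the broadest exclusions need
    an explicit decision in code review.
    """
    if mode not in ("Detection", "Prevention"):
        raise WafPolicyError(f"unknown firewall mode {mode!r}")
    groups = []
    for name, rules in disabled.items():
        if rules is None:
            if not allow_whole_group:
                raise WafPolicyError(f"refusing to disable whole group {name}")
            groups.append({"ruleGroupName": name})
        elif not rules:
            raise WafPolicyError(f"empty rule list for group {name}")
        else:
            # Deduplicate and sort so the template diff is stable.
            groups.append({"ruleGroupName": name, "rules": sorted(set(rules))})
    return {
        "enabled": True,
        "firewallMode": mode,
        "ruleSetType": "OWASP",
        "ruleSetVersion": rule_set_version,
        "disabledRuleGroups": groups,
        "requestBodyCheck": request_body_check,
        "maxRequestBodySizeInKb": max_body_kb,
        "fileUploadLimitInMb": file_upload_mb,
    }


def mandatory_conditions(config: dict) -> Dict[str, str]:
    """Map each mandatory condition that still applies to `config` to the
    action the WAF takes: "block" in Prevention mode, "log" in Detection.

    Body-parse failures stop applying once requestBodyCheck is False, and
    the anomaly-score condition only exists on CRS 3.x rule sets.
    """
    action = "block" if config["firewallMode"] == "Prevention" else "log"
    keys = list(MANDATORY_CONDITIONS)
    if not config["requestBodyCheck"]:
        keys.remove("body_parse_failure")
    if not config["ruleSetVersion"].startswith("3."):
        keys.remove("anomaly_score")
    return {k: action for k in keys}


if __name__ == "__main__":
    # Disable one SQLi rule (illustrative CRS 3.0 ID) rather than the group.
    cfg = build_waf_config("Prevention",
                           {"REQUEST-942-APPLICATION-ATTACK-SQLI": [942130]})
    print(json.dumps(cfg, indent=2))
    for key, act in mandatory_conditions(cfg).items():
        print(f"{act:5s}  {MANDATORY_CONDITIONS[key]}")
```

Paste the printed object under the gateway resource's `properties.webApplicationFirewallConfiguration` key; switching `mode` to `"Detection"` turns every mandatory condition from a block into a log entry, which is the state to validate new exclusions in before re-enabling Prevention.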

Next steps

After you configure your disabled rules, you can learn how to view your WAF logs. For more information, see Application Gateway diagnostics.