Azure Web Application Firewall on Azure Application Gateway

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

WAF on Application Gateway is based on Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF automatically updates to include protection against new vulnerabilities, with no additional configuration needed.

All of the WAF features listed below exist inside a WAF policy. You can create multiple policies, and they can be associated with an Application Gateway, with individual listeners, or with path-based routing rules on an Application Gateway. This way, you can have separate policies for each site behind your Application Gateway if needed.

Note

Per-site and per-URI WAF policies are in public preview. That means this feature is subject to Microsoft's Supplemental Terms of Use. For more information, see Supplemental Terms of Use for Azure Previews.

Diagram: Application Gateway WAF

Application Gateway operates as an application delivery controller (ADC). It offers TLS (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.

Application Gateway security enhancements include SSL (TLS) policy management and end-to-end TLS support. Application security is strengthened by WAF integration into Application Gateway. The combination protects your web applications against common vulnerabilities, and it provides an easy-to-configure central location from which to manage them.

Benefits

This section describes the core benefits that WAF on Application Gateway provides.

Protection

  • Protect your web applications from web vulnerabilities and attacks without modifying back-end code.

  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites that are protected by a web application firewall.

  • Create custom WAF policies for different sites behind the same WAF.

  • Protect your web applications from malicious bots with the IP Reputation rule set (preview).

Monitoring

  • Monitor attacks against your web applications by using a real-time WAF log. The log is integrated with Azure Monitor to track WAF alerts and easily monitor trends.

  • The Application Gateway WAF is integrated with Azure Security Center. Security Center provides a central view of the security state of all your Azure resources.

Customization

  • Customize WAF rules and rule groups to suit your application requirements and eliminate false positives.

  • Associate a WAF policy with each site behind your WAF to allow for site-specific configuration.

  • Create custom rules to suit the needs of your application.

Features

  • SQL injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, in Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields. Keep each exclusion as narrow as possible (a specific header, cookie, or argument name rather than a broad match), because excluded attributes are not inspected by any rule.
  • Create custom rules to suit the specific needs of your applications.
  • Geo-filter traffic to allow or block access to your applications from specific countries or regions. (preview)
  • Protect your applications from bots with the bot mitigation rule set. (preview)

WAF policy

To enable a web application firewall on an Application Gateway, you must create a WAF policy. This policy is where all of the managed rules, custom rules, exclusions, and other customizations such as the file upload limit live.

Core rule sets

Application Gateway supports three rule sets: CRS 3.1, CRS 3.0, and CRS 2.2.9. These rules protect your web applications from malicious activity.

For more information, see Web application firewall CRS rule groups and rules.

Custom rules

Application Gateway also supports custom rules. With custom rules, you can create your own rules, which are evaluated for each request that passes through the WAF. These rules take priority over the rules in the managed rule sets. If a set of conditions is met, an action is taken to allow or block the request.

The geomatch operator is now available in public preview for custom rules. See geomatch custom rules for more information.

Note

The geomatch operator for custom rules is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the Supplemental Terms of Use for Azure Previews for details.

For more information on custom rules, see Custom rules for Application Gateway.
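The following is an added illustration of the evaluation order the custom rules section describes (custom rules first, in priority order, with a matching rule's Allow or Block action deciding the request); it is not Azure's implementation and not code from this page. The match variables, operators (including GeoMatch and IPMatch), the GEOIP country table, the sample requests and the policy itself are all constructed for the example, and the country table stands in for the service's real GeoIP lookup.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed GeoIP table: an assumption standing in for the service's
# real country lookup, which this example does not have access to.
GEOIP = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE", "192.0.2.0/24": "BR"}


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


@dataclass
class Request:
    remote_addr: str
    headers: dict
    uri: str = "/"


@dataclass
class MatchCondition:
    variable: str                   # RemoteAddr | RequestHeaders | RequestUri
    operator: str                   # GeoMatch | IPMatch | Contains | Equal
    values: list
    selector: Optional[str] = None  # header name when variable is RequestHeaders
    negate: bool = False

    def matches(self, req: Request) -> bool:
        if self.variable == "RemoteAddr":
            subject = req.remote_addr
        elif self.variable == "RequestHeaders":
            subject = req.headers.get(self.selector, "")
        elif self.variable == "RequestUri":
            subject = req.uri
        else:
            raise ValueError(f"unsupported match variable {self.variable}")

        if self.operator == "GeoMatch":
            hit = country_of(subject) in self.values
        elif self.operator == "IPMatch":
            addr = ipaddress.ip_address(subject)
            hit = any(addr in ipaddress.ip_network(v) for v in self.values)
        elif self.operator == "Contains":
            hit = any(v.lower() in subject.lower() for v in self.values)
        elif self.operator == "Equal":
            hit = subject in self.values
        else:
            raise ValueError(f"unsupported operator {self.operator}")
        return hit != self.negate  # negate flips the outcome (XOR)


@dataclass
class CustomRule:
    name: str
    priority: int      # lower number is evaluated first
    action: str        # Allow | Block
    conditions: list = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        # Every condition in a rule has to hold (logical AND).
        return all(c.matches(req) for c in self.conditions)


def evaluate_custom_rules(rules, req):
    """Walk the rules in priority order; the first match decides.

    Returns (rule_name, action). ("Continue" means no custom rule matched
    and the managed rule set would evaluate the request next.)
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.name, rule.action
    return None, "Continue"


# Constructed policy: the partner allow-list wins over the geo-block that
# would otherwise catch the same addresses, because it has the lower number.
POLICY = [
    CustomRule("AllowPartnerRange", 10, "Allow",
               [MatchCondition("RemoteAddr", "IPMatch", ["192.0.2.0/28"])]),
    CustomRule("BlockGeo", 20, "Block",
               [MatchCondition("RemoteAddr", "GeoMatch", ["BR", "DE"])]),
    CustomRule("BlockScanners", 30, "Block",
               [MatchCondition("RequestHeaders", "Contains", ["sqlmap", "nikto"],
                               selector="User-Agent")]),
]

if __name__ == "__main__":
    for ip, ua in [("192.0.2.5", "curl/7.1"), ("192.0.2.200", "curl/7.1"),
                   ("203.0.113.9", "sqlmap/1.4"), ("203.0.113.9", "Mozilla/5.0")]:
        print(ip, ua, evaluate_custom_rules(POLICY, Request(ip, {"User-Agent": ua})))
```

The point to take from the ordering: 192.0.2.5 is in a BR range that BlockGeo would reject, yet it is allowed because AllowPartnerRange has the lower priority number and is evaluated first. When you write overlapping rules, set priorities deliberately rather than relying on the order in which the rules were created.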

Bot mitigation (preview)

A managed bot protection rule set can be enabled for your WAF, alongside the managed rule set, to block or log requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services, including Azure Security Center.

Note

The bot protection rule set is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the Supplemental Terms of Use for Azure Previews for details.

If bot protection is enabled, incoming requests whose client IP matches a known malicious bot are logged in the firewall log; see the logging section below for the record format. You can access WAF logs from a storage account, an event hub, or Log Analytics.

WAF modes

The Application Gateway WAF can be configured to run in one of two modes:

  • Detection mode: Monitors and logs all threat alerts. You turn on diagnostics logging for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. The web application firewall doesn't block incoming requests when it's operating in Detection mode.
  • Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives an HTTP 403 (Forbidden) response, and the connection is closed. Prevention mode records such attacks in the WAF logs.

Note

It is recommended that you run a newly deployed WAF in Detection mode for a short period of time in a production environment. This provides the opportunity to obtain firewall logs and update any exclusions or custom rules before transitioning to Prevention mode, which helps reduce the occurrence of unexpectedly blocked traffic.

Anomaly Scoring mode

OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.

In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand, but the lack of information about how many rules match a specific request is a limitation. So, Anomaly Scoring mode was introduced; it's the default for OWASP CRS 3.x.

In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Rules have a certain severity: Critical, Error, Warning, or Notice. That severity contributes to a numeric value for the request, which is called the Anomaly Score. For example, one Warning rule match contributes 3 to the score. One Critical rule match contributes 5.

Severity   Value
Critical   5
Error      4
Warning    3
Notice     2

There's a threshold of 5 for the Anomaly Score to block traffic. So, a single Critical rule match is enough for the Application Gateway WAF to block a request when the WAF is in Prevention mode. But one Warning rule match only increases the Anomaly Score by 3, which isn't enough by itself to block the traffic. The score accumulates across all rules that match the same request, so two Warning matches (3 + 3 = 6) or a Warning plus a Notice (3 + 2 = 5) do cross the threshold, even though no single rule among them would.

Note

The message that's logged when a WAF rule matches traffic includes the action value "Blocked". But the traffic is actually only blocked for an Anomaly Score of 5 or higher.

WAF monitoring

Monitoring the health of your application gateway is important. Monitoring the health of your WAF and the applications that it protects is supported by integration with Azure Security Center, Azure Monitor, and Azure Monitor logs.

Diagram: Application Gateway WAF diagnostics

Azure Monitor

Application Gateway logs are integrated with Azure Monitor. This allows you to track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab of the Application Gateway resource in the portal or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.

Logging

Application Gateway WAF provides detailed reporting on each threat that it detects. Logging is integrated with Azure Diagnostics logs. Alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs.

Screenshot: Application Gateway diagnostics log window

{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupId}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{appGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "52.161.109.145",
    "clientPort": "0",
    "requestUri": "/",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "920350",
    "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
    "message": "Host header is a numeric IP address",
    "action": "Matched",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host ....",
      "data": "127.0.0.1",
      "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      "line": "791"
    },
    "hostname": "127.0.0.1",
    "transactionId": "16861477007022634343",
    "policyId": "/subscriptions/1496a758-b2ff-43ef-b738-8e9eb5161a86/resourceGroups/drewRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/globalWafPolicy",
    "policyScope": "Global",
    "policyScopeName": " Global "
  }
}

Application Gateway WAF SKU pricing

The pricing models are different for the WAF_v1 and WAF_v2 SKUs. See the Application Gateway pricing page to learn more.

Next steps