使用 Azure CLI 自定义 Web 应用程序防火墙规则Customize Web Application Firewall rules using the Azure CLI

Azure 应用程序网关 Web 应用程序防火墙 (WAF) 可为 Web 应用程序提供保护。The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. 这些保护通过打开 Web 应用程序安全性项目 (OWASP) 核心规则集 (CRS) 来提供。These protections are provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). 某些规则可能会导致误报,并会阻止实际流量。Some rules can cause false positives and block real traffic. 出于此原因,应用程序网关提供了自定义规则组和规则的功能。For this reason, Application Gateway provides the capability to customize rule groups and rules. 有关特定规则组和规则的详细信息,请参阅 Web 应用程序防火墙 CRS 规则组和规则列表For more information on the specific rule groups and rules, see List of Web Application Firewall CRS rule groups and rules.

查看规则组和规则View rule groups and rules

以下代码示例演示了如何查看可配置的规则和规则组。The following code examples show how to view rules and rule groups that are configurable.

查看规则组View rule groups

以下示例演示了如何查看规则组:The following example shows how to view the rule groups:

az network application-gateway waf-config list-rule-sets --type OWASP

以下输出截取自前一示例的响应:The following output is a truncated response from the preceding example:

[
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_3.0",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
    "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "REQUEST-910-IP-REPUTATION",
        "rules": null
      },
      ...
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  },
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_2.2.9",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
   "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "crs_20_protocol_violations",
        "rules": null
      },
      ...
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "2.2.9",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  }
]

查看规则组中的规则View rules in a rule group

以下示例演示如何查看指定的规则组中的规则:The following example shows how to view rules in a specified rule group:

az network application-gateway waf-config list-rule-sets --group "REQUEST-910-IP-REPUTATION"

以下输出截取自前一示例的响应:The following output is a truncated response from the preceding example:

[
  {
    "id": "/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayAvailableWafRuleSets/",
    "location": null,
    "name": "OWASP_3.0",
    "provisioningState": "Succeeded",
    "resourceGroup": "",
    "ruleGroups": [
      {
        "description": "",
        "ruleGroupName": "REQUEST-910-IP-REPUTATION",
        "rules": [
          {
            "description": "Rule 910011",
            "ruleId": 910011
          },
          ...
        ]
      }
    ],
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "tags": null,
    "type": "Microsoft.Network/applicationGatewayAvailableWafRuleSets"
  }
]

禁用规则Disable rules

以下示例在应用程序网关上禁用了规则 910018910017The following example disables rules 910018 and 910017 on an application gateway:

az network application-gateway waf-config set --resource-group AdatumAppGatewayRG --gateway-name AdatumAppGateway --enabled true --rule-set-version 3.0 --disabled-rules 910018 910017

强制性规则Mandatory rules

以下列表包含导致 WAF 在防护模式下阻止请求的条件(在检测模式下,它们作为异常记录)。The following list contains conditions that cause the WAF to block the request while in Prevention Mode (in Detection Mode they are logged as exceptions). 无法配置或禁用这些规则:These can't be configured or disabled:

  • 除非关闭正文检查(XML、JSON、表单数据),否则无法分析请求正文会导致请求被阻止Failure to parse the request body results in the request being blocked, unless body inspection is turned off (XML, JSON, form data)
  • 请求正文(不带文件)数据长度大于配置的限制Request body (with no files) data length is larger than the configured limit
  • 请求正文(包括文件)大于限制Request body (including files) is larger than the limit
  • WAF 引擎发生内部错误An internal error happened in the WAF engine

CRS 3.x 特定:CRS 3.x specific:

  • 入站异常分数超出阈值Inbound anomaly score exceeded threshold

后续步骤Next steps

配置你禁用的规则后,可以了解如何查看 WAF 日志。After you configure your disabled rules, you can learn how to view your WAF logs. 有关详细信息,请参阅应用程序网关诊断For more information, see Application Gateway diagnostics.