Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway

There are a few things you can do if requests that should pass through your Web Application Firewall (WAF) are blocked.

First, ensure you've read the WAF overview and the WAF configuration documents, and make sure you've enabled WAF monitoring. These articles explain how the WAF functions, how the WAF rule sets work, and how to access WAF logs.

The OWASP rule sets are designed to be very strict out of the box, and to be tuned to suit the specific needs of the application or organization using the WAF. It is entirely normal, and in many cases expected, to create exclusions, add custom rules, and even disable rules that cause problems or false positives. Per-site and per-URI policies let these changes affect only specific sites or URIs, so a change made for one site doesn't have to affect other sites that aren't running into the same issue.

Understanding WAF logs

The purpose of the WAF logs is to show every request that the WAF matched or blocked: they are a ledger of all evaluated requests that matched a rule or were blocked. If you notice that the WAF blocks a request that it shouldn't (a false positive), you can do a few things. First, narrow down and find the specific request. Look through the logs for the URI, timestamp, or transaction ID of the request. Once you find the associated log entries, you can act on the false positive.

For example, say you have legitimate traffic containing the string 1=1 that you want to pass through your WAF. If you try the request, the WAF blocks traffic that contains your 1=1 string in any parameter or field, because this string is often associated with SQL injection attacks (the SQL tautology pattern). You can look through the logs and see the timestamp of the request and the rules that matched or blocked it.

In the following example, you can see that four rules were triggered during the same request (use the transactionId field to correlate them). The first entry (rule 920350) matched because the client used a numeric IP address instead of a host name in the Host header; this is a warning-severity rule and adds 3 to the anomaly score. The next rule that matched is 942130, which is the one you're looking for; you can see 1=1 in the details.data field. 942130 is a critical-severity rule and adds 5, which is why the verdict entries report SQLI=5 and a total score of 8. Generally, every rule with the action Matched adds its severity score to the anomaly score (critical 5, error 4, warning 3, notice 2), and the request is blocked once the total reaches the inbound threshold, which is 5 in these entries ("Operator GE matched 5 at TX:anomaly_score"). So a single critical rule match is enough to block a request on its own. For more information, see Anomaly scoring mode.

The final two log entries show that the request was blocked because the anomaly score reached the threshold. These entries have a different action (Blocked) than the other two, and ruleId 0: they are the entries that actually denied the request. These rules are mandatory and can't be disabled. They shouldn't be thought of as detection rules, but as core infrastructure of the WAF internals; to stop the block you must address the Matched rules that contributed the score.

{ 
    "resourceId": "/SUBSCRIPTIONS/A6F44B25-259E-4AF5-888A-386FED92C11B/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2", 
    "operationName": "ApplicationGatewayFirewall", 
    "category": "ApplicationGatewayFirewallLog", 
    "properties": { 
        "instanceId": "appgw_3", 
        "clientIp": "167.220.2.139", 
        "clientPort": "", 
        "requestUri": "\/", 
        "ruleSetType": "OWASP_CRS", 
        "ruleSetVersion": "3.0.0", 
        "ruleId": "920350", 
        "message": "Host header is a numeric IP address", 
        "action": "Matched", 
        "site": "Global", 
        "details": { 
            "message": "Warning. Pattern match \\\"^[\\\\\\\\d.:]+$\\\" at REQUEST_HEADERS:Host. ", 
            "data": "40.90.218.160", 
            "file": "rules\/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"", 
            "line": "791" 
        }, 
        "hostname": "vm000003", 
        "transactionId": "AcAcAcAcAKH@AcAcAcAcAyAt" 
    } 
} 
{ 
    "resourceId": "/SUBSCRIPTIONS/A6F44B25-259E-4AF5-888A-386FED92C11B/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2", 
    "operationName": "ApplicationGatewayFirewall", 
    "category": "ApplicationGatewayFirewallLog", 
    "properties": { 
        "instanceId": "appgw_3", 
        "clientIp": "167.220.2.139", 
        "clientPort": "", 
        "requestUri": "\/", 
        "ruleSetType": "OWASP_CRS", 
        "ruleSetVersion": "3.0.0", 
        "ruleId": "942130", 
        "message": "SQL Injection Attack: SQL Tautology Detected.", 
        "action": "Matched", 
        "site": "Global", 
        "details": { 
            "message": "Warning. Pattern match \\\"(?i:([\\\\\\\\s'\\\\\\\"`\\\\\\\\(\\\\\\\\)]*?)([\\\\\\\\d\\\\\\\\w]++)([\\\\\\\\s'\\\\\\\"`\\\\\\\\(\\\\\\\\)]*?)(?:(?:=|\\u003c=\\u003e|r?like|sounds\\\\\\\\s+like|regexp)([\\\\\\\\s'\\\\\\\"`\\\\\\\\(\\\\\\\\)]*?)\\\\\\\\2|(?:!=|\\u003c=|\\u003e=|\\u003c\\u003e|\\u003c|\\u003e|\\\\\\\\^|is\\\\\\\\s+not|not\\\\\\\\s+like|not\\\\\\\\s+regexp)([\\\\\\\\s'\\\\\\\"`\\\\\\\\(\\\\\\\\)]*?)(?!\\\\\\\\2)([\\\\\\\\d\\\\\\\\w]+)))\\\" at ARGS:text1. ", 
            "data": "Matched Data: 1=1 found within ARGS:text1: 1=1", 
            "file": "rules\/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\"", 
            "line": "554" 
        }, 
        "hostname": "vm000003", 
        "transactionId": "AcAcAcAcAKH@AcAcAcAcAyAt" 
    } 
} 
{ 
    "resourceId": "/SUBSCRIPTIONS/A6F44B25-259E-4AF5-888A-386FED92C11B/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2", 
    "operationName": "ApplicationGatewayFirewall", 
    "category": "ApplicationGatewayFirewallLog", 
    "properties": { 
        "instanceId": "appgw_3", 
        "clientIp": "167.220.2.139", 
        "clientPort": "", 
        "requestUri": "\/", 
        "ruleSetType": "", 
        "ruleSetVersion": "", 
        "ruleId": "0", 
        "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 8)", 
        "action": "Blocked", 
        "site": "Global", 
        "details": { 
            "message": "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. ", 
            "data": "", 
            "file": "rules\/REQUEST-949-BLOCKING-EVALUATION.conf\\\"", 
            "line": "57" 
        }, 
        "hostname": "vm000003", 
        "transactionId": "AcAcAcAcAKH@AcAcAcAcAyAt" 
    } 
} 
{ 
    "resourceId": "/SUBSCRIPTIONS/A6F44B25-259E-4AF5-888A-386FED92C11B/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2", 
    "operationName": "ApplicationGatewayFirewall", 
    "category": "ApplicationGatewayFirewallLog", 
    "properties": { 
        "instanceId": "appgw_3", 
        "clientIp": "167.220.2.139", 
        "clientPort": "", 
        "requestUri": "\/", 
        "ruleSetType": "", 
        "ruleSetVersion": "", 
        "ruleId": "0", 
        "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack: SQL Tautology Detected.", 
        "action": "Blocked", 
        "site": "Global", 
        "details": { 
            "message": "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. ", 
            "data": "", 
            "file": "rules\/RESPONSE-980-CORRELATION.conf\\\"", 
            "line": "73" 
        }, 
        "hostname": "vm000003", 
        "transactionId": "AcAcAcAcAKH@AcAcAcAcAyAt" 
    }
}

Fixing false positives

With this information, and the knowledge that rule 942130 is the one that matched the 1=1 string, you can do a few things to stop it from blocking your traffic:

  • Use an exclusion list

    See WAF configuration for more information about exclusion lists.

  • Disable the rule.

Using an exclusion list

To make an informed decision about handling a false positive, it's important to be familiar with the technologies your application uses. For example, if there is no SQL database anywhere in your technology stack and you're getting false positives from the SQL injection rules, disabling those rules doesn't necessarily weaken your security. If there is one, prefer a narrow exclusion over disabling the rule.

One benefit of an exclusion list is that only a specific part of a request (one named argument, header, or cookie) stops being inspected, rather than the whole request or the whole rule. However, an exclusion configured on the WAF configuration itself is a global setting that applies to all traffic passing through that WAF; this can be a problem if, say, 1=1 is a valid value for a certain app's body field but not for the other apps behind the same gateway. Per-site and per-URI WAF policies (see above) are the way to scope an exclusion more tightly. Another benefit is that you can choose between body arguments, headers, and cookies to exclude when a certain condition (Equals, Starts with, Ends with, Contains, Equals any) is met, as opposed to excluding the entire request.

Occasionally, specific parameters get passed to the WAF in a way that isn't intuitive. For example, ASP.NET applications that authenticate with Azure Active Directory pass an anti-forgery token, __RequestVerificationToken, usually as a request cookie. However, in some cases where cookies are disabled, the same token is passed as a request attribute, or "arg", instead. If this happens, you need to make sure that __RequestVerificationToken is added to the exclusion list as a Request attribute name as well as a Request cookie name.

(Screenshot: Exclusions)

In this example, you want to exclude the Request attribute name that equals text1. This is apparent because you can see the attribute name in the firewall log: data: Matched Data: 1=1 found within ARGS:text1: 1=1. The attribute is text1 (the value 1=1 is what matched; the exclusion is keyed on the name). You can also find this attribute name a few other ways, see Finding request attribute names.

(Screenshot: WAF exclusion list)
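The triage described under Understanding WAF logs and Fixing false positives can be scripted. The following Python is an added example, not part of this page or of Azure's tooling: it reads PT1H.json-style records (one JSON object per line), groups them by transactionId, separates the scoring Matched hits from the mandatory ruleId 0 verdict entries, recovers the total score, threshold and per-category breakdown from the verdict messages, and maps the ModSecurity collection each rule fired on (ARGS, REQUEST_HEADERS, REQUEST_COOKIES) to the matching exclusion variable (RequestArgNames, RequestHeaderNames, RequestCookieNames). It goes beyond the 1=1 case by also handling the __RequestVerificationToken cookie case from the paragraph above. The sample records are constructed, trimmed copies of the four entries shown earlier (the long regex in details.message is abbreviated) plus a made-up second transaction; the record layout and the rule severities are the only things taken from the page.

```python
"""Triage Application Gateway WAF resource-log records for false positives.

Added example (not Azure's own tooling). Input is newline-delimited JSON as
exported to PT1H.json; the records below are constructed, trimmed copies of
the entries shown on this page plus one made-up cookie transaction.
"""
import json
import re
from collections import defaultdict

# ModSecurity collection -> Application Gateway WAF exclusion match variable
# (the "Request attribute/header/cookie name" choices in the portal).
EXCLUSION_VARIABLE = {
    "ARGS": "RequestArgNames",
    "ARGS_NAMES": "RequestArgNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
    "REQUEST_COOKIES": "RequestCookieNames",
}

# "... found within ARGS:text1: 1=1"  and  "... at REQUEST_HEADERS:Host. "
MATCHED_DATA = re.compile(r"found within ([A-Z_]+):([^:\s]+):")
AT_VARIABLE = re.compile(r"\bat ([A-Z_]+):(\S+?)\.?\s*$")
TOTAL_SCORE = re.compile(r"Total (?:Inbound )?Score: (\d+)")
THRESHOLD = re.compile(r"Operator GE matched (\d+) at TX:(?:inbound_)?anomaly_score")
CATEGORY = re.compile(r"\b([A-Z]+)=(\d+)")


def _record(tx_id, rule_id, action, message, detail_msg, detail_data="", ruleset="OWASP_CRS"):
    """Build one ApplicationGatewayFirewallLog record (constructed sample data)."""
    return {
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_3", "clientIp": "167.220.2.139", "requestUri": "/",
            "ruleSetType": ruleset, "ruleSetVersion": "3.0.0" if ruleset else "",
            "ruleId": rule_id, "message": message, "action": action, "site": "Global",
            "details": {"message": detail_msg, "data": detail_data},
            "transactionId": tx_id,
        },
    }


TX1, TX2 = "AcAcAcAcAKH@AcAcAcAcAyAt", "BbBbBbBbBKH@BbBbBbBbByAt"
SAMPLE_RECORDS = [
    _record(TX1, "920350", "Matched", "Host header is a numeric IP address",
            "Warning. Pattern match \"^[\\d.:]+$\" at REQUEST_HEADERS:Host. ", "40.90.218.160"),
    _record(TX1, "942130", "Matched", "SQL Injection Attack: SQL Tautology Detected.",
            "Warning. Pattern match \"(?i:...)\" at ARGS:text1. ",   # regex trimmed
            "Matched Data: 1=1 found within ARGS:text1: 1=1"),
    _record(TX1, "0", "Blocked",
            "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 8)",
            "Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. ",
            ruleset=""),
    _record(TX1, "0", "Blocked",
            "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded "
            "(Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "
            "SQL Injection Attack: SQL Tautology Detected.",
            "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. ", ruleset=""),
    # Made-up second transaction: the anti-forgery cookie alone tripped 942130.
    _record(TX2, "942130", "Matched", "SQL Injection Attack: SQL Tautology Detected.",
            "Warning. Pattern match \"(?i:...)\" at REQUEST_COOKIES:__RequestVerificationToken. ",
            "Matched Data: ... found within REQUEST_COOKIES:__RequestVerificationToken: ..."),
    _record(TX2, "0", "Blocked",
            "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded "
            "(Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0)",
            "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. ", ruleset=""),
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_log(text):
    """Parse newline-delimited firewall log records (PT1H.json style)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _variable(details):
    """Return (collection, selector) the rule fired on, e.g. ("ARGS", "text1")."""
    m = MATCHED_DATA.search(details.get("data") or "") or AT_VARIABLE.search(details.get("message") or "")
    return (m.group(1), m.group(2)) if m else (None, None)


def triage(records):
    """Group records by transactionId: scoring hits vs. mandatory verdict entries."""
    txs = defaultdict(lambda: {"matched": [], "blocked": False, "total_score": None,
                               "threshold": None, "categories": {}})
    for rec in records:
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec["properties"]
        tx = txs[p["transactionId"]]
        tx.setdefault("client_ip", p.get("clientIp"))
        tx.setdefault("request_uri", p.get("requestUri"))
        details = p.get("details") or {}
        if p.get("ruleId") == "0":  # mandatory verdict entry (949/980), not a scoring hit
            tx["blocked"] = tx["blocked"] or p.get("action") == "Blocked"
            if m := TOTAL_SCORE.search(p.get("message", "")):
                tx["total_score"] = int(m.group(1))
            if m := THRESHOLD.search(details.get("message", "")):
                tx["threshold"] = int(m.group(1))
            tx["categories"].update({k: int(v) for k, v in CATEGORY.findall(p.get("message", ""))})
        else:
            collection, selector = _variable(details)
            tx["matched"].append({"rule_id": p["ruleId"], "message": p.get("message", ""),
                                  "collection": collection, "selector": selector})
    return dict(txs)


def suggest(tx):
    """Narrowest fix per scoring hit: a per-field exclusion where one exists,
    otherwise flag that only a (WAF-wide) rule disable would cover it."""
    out = []
    for hit in tx["matched"]:
        var = EXCLUSION_VARIABLE.get(hit["collection"] or "")
        if var and hit["selector"]:
            out.append(f"rule {hit['rule_id']}: exclusion {var} Equals {hit['selector']}")
        else:
            out.append(f"rule {hit['rule_id']}: no per-field exclusion for "
                       f"{hit['collection']}; disabling the rule affects the whole WAF")
    return out


if __name__ == "__main__":
    for tx_id, tx in triage(parse_log(SAMPLE_LOG)).items():
        verdict = f"BLOCKED (score {tx['total_score']} >= {tx['threshold']})" if tx["blocked"] else "allowed"
        print(f"{tx_id} {tx['client_ip']} {tx['request_uri']}: {verdict} {tx['categories']}")
        for line in suggest(tx):
            print("   ", line)
```

The script only proposes the narrowest candidate per hit; a person still decides. For the first transaction it proposes both RequestHeaderNames Equals Host (for 920350, which the page says to ignore because it is a side effect of testing by IP address) and RequestArgNames Equals text1 (the real fix for 942130). The per-rule score isn't in the log, so the script reports the total and per-category breakdown from the verdict entry rather than guessing severities. To run it on a real export, replace SAMPLE_LOG with the contents of PT1H.json.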

Disabling rules

Another way to get around a false positive is to disable the rule that matched the input the WAF considered malicious. Since you've parsed the WAF logs and narrowed the rule down to 942130, you can disable it in the Azure portal. See Customize web application firewall rules through the Azure portal.

One benefit of disabling a rule is that, if you know that all traffic containing a certain condition that would normally be blocked is valid traffic, you can disable that rule for the entire WAF. However, if the traffic is only valid in a specific use case, disabling the rule for the entire WAF opens a gap, because the change is a global setting: no request through that WAF is checked for that pattern anymore. In that case an exclusion scoped to the field, or a per-site or per-URI policy, is the safer choice.

If you want to use Azure PowerShell, see Customize web application firewall rules through PowerShell. If you want to use Azure CLI, see Customize web application firewall rules through the Azure CLI.

(Screenshot: WAF rules)

Finding request attribute names

With the help of Fiddler, you can inspect individual requests and determine which fields of a web page are sent. This helps you exclude specific fields from inspection using exclusion lists.

In this example, you can see that the field where the 1=1 string was entered is called text1.

(Screenshot: Fiddler)

This is a field you can exclude. To learn more about exclusion lists, see Web application firewall request size limits and exclusion lists. You can exclude the evaluation in this case by configuring the following exclusion (Request attribute name, Equals, text1):

(Screenshot: WAF exclusion)

You can also examine the firewall logs to get the information you need for the exclusion list. To enable logging, see Back-end health, resource logs, and metrics for Application Gateway.

Examine the firewall log and view the PT1H.json file for the hour in which the request you want to inspect occurred.

In this example (the same four entries shown earlier under Understanding WAF logs), you can see four records with the same transactionId, all logged at the same time:


With your knowledge of how the CRS rule sets work, and that CRS 3.0 uses an anomaly scoring system (see Web Application Firewall for Azure Application Gateway), you know that the bottom two entries with action: Blocked are blocking based on the total anomaly score. The rules to focus on are the top two.

The first entry was logged because the user navigated to the Application Gateway by numeric IP address, which can be ignored in this case.

The second one (rule 942130) is the interesting one. You can see in the details that it matched a pattern (1=1), and that the field is named text1. Follow the same steps as before to exclude the Request attribute name that equals text1; the exclusion is keyed on the field name, not on the matched value 1=1.

Finding request header names

Fiddler is a useful tool once again for finding request header names. In the following screenshot, you can see the headers of this GET request, which include Content-Type, User-Agent, and so on.

(Screenshot: Fiddler)

Another way to view request and response headers is to use the developer tools in Chrome. Press F12, or right-click and select Inspect, then open the Network tab. Load a web page, and click the request you want to inspect.

(Screenshot: Chrome F12)

If the request contains cookies, select the Cookies tab in Fiddler to view them.

Restrict global parameters to eliminate false positives

  • Disable request body inspection

    By setting Inspect request body to Off, the WAF doesn't evaluate the request body of any traffic. This may be useful if you know that request bodies can't be malicious to your application, but note that it is a global setting and applies to every request through the WAF.

    Disabling this option only skips the request body. Headers and cookies are still inspected, unless individual ones are excluded using the exclusion list functionality.

  • File size limits

    By limiting the file upload size on your WAF, you limit the possibility of an attack on your web servers. Allowing large files to be uploaded increases the risk of your back end being overwhelmed. Limiting the file size to the normal use case of your application is another way to prevent attacks.

    Note

    If you know that your app will never need a file upload above a given size, you can enforce that by setting a limit.

Firewall metrics (WAF_v1 only)

For v1 Web Application Firewalls, the following metrics are available in the portal:

  1. Web Application Firewall Blocked Request Count: the number of requests that were blocked
  2. Web Application Firewall Blocked Rule Count: all rules that were matched where the request was blocked
  3. Web Application Firewall Total Rule Distribution: all rules that were matched during evaluation

To view the metrics, select the Metrics tab in the portal, and select one of the three metrics.

Next steps

See How to configure web application firewall on Application Gateway.