|   Trend Micro Cloud One™
Open menu

Enable Web Application Firewall Monitoring

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-008

Ensure that Web Application Firewall (WAF) monitoring is enabled within your Microsoft Azure cloud account so that Azure Security Center can determine if your virtual machines (Windows and Linux) are associated with application firewalls for controlling traffic in and out of VMs.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Azure Security Center strongly recommends that you provision an application firewall to help protect against attacks targeting web applications running on your virtual machines. When "Monitor Web Application Firewall" feature is enabled, the service recommends provisioning a web application firewall on your virtual machines when either of the following is true:

Instance-level public IP (ILPIP) is used and the inbound security rules for the associated network security group are configured to allow access to port 80 (HTTP) and/or 443 (HTTPS).

Load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80 (HTTP) and/or 443 (HTTPS).

Audit

To determine if Web Application Firewall (WAF) monitoring is enabled in the Azure Security Center, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the Azure subscription that you want to examine, to access the selected subscription settings.

05 On the Security Policy page, in the Network category, check The NSGs rules for web applications on IaaS should be hardened configuration setting status. If the setting status is Disabled, the Web Application Firewall (WAF) monitoring is not enabled for the Microsoft Azure virtual machines (VMs) provisioned in the selected subscription.

06 Repeat step no. 4 and 5 for each Microsoft Azure subscription available within your account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to get the "Monitor Web Application Firewall" feature status for the current Azure account subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.webApplicationFirewallMonitoringEffect.value'

02 The command output should return the web application firewall monitoring configuration status:

"Disabled"

If the command output returns "Disabled", as shown in the example above, the Web Application Firewall (WAF) monitoring feature is not enabled for the Microsoft Azure virtual machines (Windows and Linux) available in the selected subscription.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Web Application Firewall (WAF) monitoring for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the name of the Azure subscription that you want to access.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the policy assignment.

06 On the selected policy assignment page, in the PARAMETERS section, select AuditIfNotExists from The NSGs rules for web applications on IaaS should be hardened dropdown list to enable web application firewall monitoring for all the Microsoft Azure virtual machines (VMs) provisioned in the selected Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center Web Application Firewall (WAF) monitoring feature becomes active for the selected Azure subscription.

08 If required, repeat steps no. 4 – 7 for other Microsoft Azure cloud subscription available.

Using Azure Console

01 Define the necessary parameters for the account get-access-token command where the webApplicationFirewallMonitoringEffect configuration parameter is enabled. Save the following content to a JSON file named "enable-web-application-firewall.json" and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "webApplicationFirewallMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. "enable-web-application-firewall.json" file) to enable the Web Application Firewall (WAF) monitoring for the selected Microsoft Azure cloud subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-web-application-firewall.json"'

03 If successful, the command output should return the updated Azure Security Center policy:

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",

      ...

      "description":"This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of on-boarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other subscription available within your Microsoft Azure account.

References

Publication date May 31, 2019

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Enable Web Application Firewall Monitoring

Risk level: Medium