I am battling to find out if Azure WAF works on any or all TCP ports. So if my app is listening on port 9027, will it get WAF protection?
Hello @AmienMahri-4899 ,
Azure Web Application Firewall (WAF) on Azure Front Door provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Basically, WAF-enabled web applications inspect every incoming request delivered by Front Door at the network edge and act as per the configured mode:
Detection mode: When run in detection mode, WAF doesn't take any action other than monitoring and logging the request and its matched WAF rule to the WAF logs.
Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
Refer to: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
So it is all about the incoming requests to your app and is not related to the port it is listening on.
May I know what it is that you are looking for exactly?
Thanks,
Gita
In most, if not all, cases, WAF does NOT work across every single port, i.e. 0-65535. So the question is: if I have a bespoke app listening on a non-standard port, will the WAF protection kick in or will it just pass it through? A stupid example: what if I am using SSH, will Front Door do a WAF inspection?
Also, see the link below talking about the fact that only ports 80 and 443 are supported.
Hello @AmienMahri-4899 ,
WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
WAF will not provide inbound protection for non-HTTP/S protocols such as SSH.
In case you need such protection, I would recommend you to check Azure Firewall. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
Thanks,
Gita
Hello @AmienMahri-4899 ,
Azure Web Application Firewall (WAF) on Azure Front Door provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Basically, WAF-enabled web applications inspect every incoming request delivered by Front Door at the network edge and act as per the configured mode:
Detection mode: When run in detection mode, WAF doesn't take any action other than monitoring and logging the request and its matched WAF rule to the WAF logs.
Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
Refer to: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
As long as the application is being accessed on HTTP (port 80) or HTTPS (port 443), WAF will protect these requests. If the request comes on any other port or protocol, it will be dropped by WAF at the edge. Only port 80 and 443 traffic can be passed from Front Door to the backend. The backend can be any publicly accessible web application.
WAF will not provide inbound protection for non-HTTP/S protocols such as SSH. In case you need such protection, I would recommend you to check Azure Firewall. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.