
Frequently asked questions for Azure Web Application Firewall on Azure Front Door Service

This article answers common questions about the features and functionality of Azure Web Application Firewall (WAF) on Azure Front Door Service.

What is Azure WAF?

Azure WAF is a web application firewall that helps protect your web applications from common threats such as SQL injection, cross-site scripting, and other web exploits. You define a WAF policy consisting of a combination of custom and managed rules to control access to your web applications.

An Azure WAF policy can be applied to web applications hosted on Application Gateway or Azure Front Door.

What is WAF on Azure Front Door?

Azure Front Door is a highly scalable, globally distributed application and content delivery network. When integrated with Front Door, Azure WAF stops denial-of-service and targeted application attacks at the Azure network edge, close to the attack sources and before they reach your virtual network, and does so without sacrificing performance.

Does Azure WAF support HTTPS?

Front Door offers TLS offloading. WAF is natively integrated with Front Door and inspects a request after Front Door has decrypted it.

Does Azure WAF support IPv6?

Yes. You can configure IP restrictions for both IPv4 and IPv6 addresses.

How up-to-date are the managed rule sets?

We do our best to keep up with the changing threat landscape. When a rule is added or updated, it is released in the Default Rule Set under a new version number.

What is the propagation time if I make a change to my WAF policy?

Deploying a WAF policy globally usually takes about 5 minutes and often completes sooner.

Can WAF policies be different for different regions?

When integrated with Front Door, WAF is a global resource. The same configuration applies across all Front Door locations.

How do I limit access to my back end to traffic from Front Door only?

You can configure an IP access control list on your back end that allows only the Front Door outbound IP address ranges and denies any direct access from the Internet. Service tags are supported for this purpose on your virtual network. Additionally, you can verify that the X-Forwarded-Host HTTP header field carries a value that is valid for your web application. Treat the header check as a secondary control: any client that can reach the back end directly can set arbitrary request headers, so the IP restriction is what actually stops bypass traffic.
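As an added example (not code from the Azure documentation), the following Python models the two back-end controls described above: an allow list of Front Door outbound ranges checked against the TCP peer address, and a secondary check that X-Forwarded-Host names a host the application actually serves. The CIDR ranges, hostnames and request samples are constructed placeholders; on Azure the IP allow list itself is better expressed as a network security group rule using the AzureFrontDoor.Backend service tag, which this snippet only imitates in application code.

```python
"""Back-end origin check for a service published through Azure Front Door.

Added example; not code from the Azure documentation. It models two controls
for restricting a back end to Front Door traffic:

  1. an IP allow list holding the Front Door outbound (back-end-facing) ranges,
  2. validation of the X-Forwarded-Host header against the hostnames the
     application is expected to serve.

The CIDR ranges below are constructed placeholders standing in for the real
published Front Door ranges; hostnames and requests are constructed test input.
"""
import ipaddress
from typing import Mapping, Tuple

# Placeholder ranges (assumption): replace with the published Front Door
# back-end ranges, or on Azure use the AzureFrontDoor.Backend service tag in an
# NSG rule so that the range list is maintained for you.
FRONT_DOOR_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),       # RFC 5737 documentation range
    ipaddress.ip_network("2001:db8:f00d::/48"),   # RFC 3849 documentation range
]

# Hostnames the application legitimately serves through Front Door (constructed).
ALLOWED_HOSTS = {"www.contoso.example", "api.contoso.example"}


def is_front_door_source(peer_ip: str, ranges=FRONT_DOOR_RANGES) -> bool:
    """True when the TCP peer address falls inside an allowed Front Door range.

    Malformed addresses are rejected rather than raising, so a bad value from a
    proxy header or socket layer fails closed.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def forwarded_host_ok(headers: Mapping[str, str], allowed=ALLOWED_HOSTS) -> bool:
    """Secondary check: X-Forwarded-Host must name a host we actually serve.

    Comparison is case-insensitive and ignores a :port suffix. This check
    cannot replace the IP restriction: a client that reaches the back end
    directly controls every header it sends.
    """
    value = headers.get("X-Forwarded-Host") or headers.get("x-forwarded-host")
    if not value:
        return False
    host = value.split(",")[0].strip().lower()   # first hop if the header was chained
    host = host.split(":")[0]                    # allowed hosts are DNS names, so no IPv6 literals expected
    return host in allowed


def admit_request(peer_ip: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Apply both checks in order and return (decision, reason) for logging."""
    if not is_front_door_source(peer_ip):
        return False, "peer address not in Front Door ranges"
    if not forwarded_host_ok(headers):
        return False, "X-Forwarded-Host missing or not an allowed host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: via Front Door, a direct hit, and a bad host header.
    samples = [
        ("203.0.113.25", {"X-Forwarded-Host": "www.contoso.example"}),
        ("198.51.100.9", {"X-Forwarded-Host": "www.contoso.example"}),
        ("203.0.113.25", {"X-Forwarded-Host": "evil.example"}),
    ]
    for ip, hdrs in samples:
        print(ip, hdrs, "->", admit_request(ip, hdrs))
```

The IP check runs first so that a direct caller never gets as far as header parsing; the header check only catches misrouted or misconfigured traffic that already arrived through an allowed range.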

Which Azure WAF option should I choose?

There are two options when applying WAF policies in Azure. WAF with Azure Front Door is a globally distributed edge security solution. WAF with Application Gateway is a regional, dedicated solution. We recommend that you choose a solution based on your overall performance and security requirements. For more information, see Load-balancing with Azure's application delivery suite.

When you enable the WAF on an existing application, it's common to have false positive detections, where the WAF rules flag legitimate traffic as a threat. To minimize the risk of impact to your users, we recommend the following process:

  • Enable the WAF in Detection mode to ensure that the WAF doesn't block requests while you work through this process.

    Important

    This process describes how to enable the WAF on a new or existing solution when your priority is to minimize disruption to your application's users. If you are under attack or facing an imminent threat, you may instead want to deploy the WAF in Prevention mode immediately and use the tuning process to monitor and tune the WAF over time. This will probably cause some of your legitimate traffic to be blocked, which is why we recommend it only when you are under threat.

  • Follow our guidance for tuning the WAF. This process requires that you enable diagnostic logging, review the logs regularly, and add rule exclusions and other mitigations.
  • Repeat this whole process, checking the logs regularly, until you're satisfied that no legitimate traffic is being blocked. The whole process may take several weeks. Ideally, you should see fewer false positive detections after each tuning change you make.
  • Finally, enable the WAF in Prevention mode.
  • Even once you're running the WAF in production, keep monitoring the logs to identify any further false positive detections. Regularly reviewing the logs will also help you identify real attack attempts that have been blocked.
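As an added example that is not part of the original article, here is a Python triage script for the log-review step of the process above: it reads WAF diagnostic records, groups hits by rule, URI path and matched variable, separates Detection-mode hits (what Prevention mode would have blocked) from blocks already enforced, and proposes a narrow exclusion for hits that recur across several clients. Field names follow the shape of Front Door WAF diagnostic log records, but the records, hostnames and IP addresses are constructed, and the mapping from log match variables to exclusion match variables is an assumption to confirm against the exclusion options your policy offers.

```python
"""Triage of Front Door WAF diagnostic logs during Detection-mode tuning.

Added example, not from the Azure documentation. Field names follow the shape
of Front Door WAF diagnostic log records (ruleName, action, requestUri, host,
clientIP, policyMode, details.matches); the records are constructed test data.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log export, one JSON record per line. Three search
# requests trip the same SQLi rule in detection mode, one obvious injection is
# blocked in prevention mode, one XSS hit is a single occurrence, and the last
# line is an access-log record that must be ignored.
SAMPLE_LOG = """
{"time":"2024-01-05T10:00:01Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.20","host":"www.contoso.example","requestUri":"/api/search?q=select%20all","ruleName":"DefaultRuleSet-1.0-SQLI-942430","action":"Log","policyMode":"detection","details":{"matches":[{"matchVariableName":"QueryParamValue:q","matchVariableValue":"select all"}]}}}
{"time":"2024-01-05T10:00:03Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.21","host":"www.contoso.example","requestUri":"/api/search?q=select%20two","ruleName":"DefaultRuleSet-1.0-SQLI-942430","action":"Log","policyMode":"detection","details":{"matches":[{"matchVariableName":"QueryParamValue:q","matchVariableValue":"select two"}]}}}
{"time":"2024-01-05T10:00:04Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.22","host":"www.contoso.example","requestUri":"/api/search?q=select%20three","ruleName":"DefaultRuleSet-1.0-SQLI-942430","action":"Log","policyMode":"detection","details":{"matches":[{"matchVariableName":"QueryParamValue:q","matchVariableValue":"select three"}]}}}
{"time":"2024-01-05T10:00:09Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.7","host":"www.contoso.example","requestUri":"/login?user=%27%20or%201%3D1--","ruleName":"DefaultRuleSet-1.0-SQLI-942100","action":"Block","policyMode":"prevention","details":{"matches":[{"matchVariableName":"QueryParamValue:user","matchVariableValue":"' or 1=1--"}]}}}
{"time":"2024-01-05T10:00:12Z","category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.23","host":"www.contoso.example","requestUri":"/blog/post?body=%3Cb%3Ehi%3C%2Fb%3E","ruleName":"DefaultRuleSet-1.0-XSS-941100","action":"Log","policyMode":"detection","details":{"matches":[{"matchVariableName":"QueryParamValue:body","matchVariableValue":"<b>hi</b>"}]}}}
{"time":"2024-01-05T10:00:15Z","category":"FrontdoorAccessLog","properties":{"clientIP":"198.51.100.23","requestUri":"/"}}
"""


def parse_waf_log(text):
    """Return the properties of each WAF record; skip other categories and bad lines."""
    records = []
    for line in text.strip().splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt export line
        if entry.get("category") != "FrontdoorWebApplicationFirewallLog":
            continue
        records.append(entry["properties"])
    return records


def summarize(records, min_hits=2, min_sources=2):
    """Group hits per (rule, path, matched variable).

    Returns (would_block, blocked, candidates):
      would_block: Counter of detection-mode hits that Prevention mode would block
      blocked:     Counter of hits already blocked in Prevention mode
      candidates:  keys seen at least min_hits times from at least min_sources
                   distinct client IPs, most frequent first; these are the
                   entries to review for an exclusion or a custom allow rule
    """
    would_block, blocked = Counter(), Counter()
    sources = defaultdict(set)
    for p in records:
        path = urlsplit(p["requestUri"]).path
        matches = p.get("details", {}).get("matches") or [{}]
        key = (p["ruleName"], path, matches[0].get("matchVariableName", ""))
        sources[key].add(p["clientIP"])
        if p["action"] == "Block":
            blocked[key] += 1
        elif p["policyMode"] == "detection":
            would_block[key] += 1
    candidates = [k for k, n in would_block.most_common()
                  if n >= min_hits and len(sources[k]) >= min_sources]
    return would_block, blocked, candidates


# Assumed mapping from the matched-variable prefix in the log to the
# matchVariable used when defining a managed-rule exclusion on the policy.
EXCLUSION_VARIABLE = {
    "QueryParamValue": "QueryStringArgNames",
    "PostParamValue": "RequestBodyPostArgNames",
    "HeaderValue": "RequestHeaderNames",
    "CookieValue": "RequestCookieNames",
}


def exclusion_for(candidate):
    """Build the narrowest exclusion for one candidate: one parameter on one rule."""
    rule, _path, var = candidate
    prefix, _, selector = var.partition(":")
    if prefix not in EXCLUSION_VARIABLE:
        return None  # e.g. a URI or raw body match; needs manual review
    return {"rule": rule, "matchVariable": EXCLUSION_VARIABLE[prefix],
            "selectorMatchOperator": "Equals", "selector": selector}


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    would, blocked, cands = summarize(recs)
    for k, n in would.most_common():
        print(f"would block {n:3d}  {k}")
    for k, n in blocked.most_common():
        print(f"blocked     {n:3d}  {k}")
    for c in cands:
        print("review for exclusion:", exclusion_for(c))
```

The candidate filter deliberately requires hits from several distinct clients: one client repeatedly tripping a rule looks more like probing than a false positive, and an exclusion scoped to a single parameter on a single rule keeps the rest of the managed rule set in force.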

Do you support the same WAF features on all integrated platforms?

Currently, ModSec CRS 2.2.9, CRS 3.0, and CRS 3.1 rules are supported only with WAF on Application Gateway. Rate limiting, geo-filtering, and the Azure-managed Default Rule Set rules are supported only with WAF on Azure Front Door.

Is DDoS protection integrated with Front Door?

Globally distributed at the Azure network edge, Azure Front Door can absorb and geographically isolate large-volume attacks. You can create a custom WAF policy to automatically block and rate-limit HTTP(S) attacks that have known signatures. Furthermore, you can enable DDoS Protection Standard on the VNet where your back ends are deployed. Azure DDoS Protection Standard customers receive additional benefits, including cost protection, an SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate help during an attack. For more information, see DDoS protection on Front Door.

Why do additional requests above the threshold configured for my rate limit rule get passed to my back-end server?

A rate limit rule can limit abnormally high traffic from any client IP address. You can configure a threshold on the number of web requests allowed from a client IP address during a one-minute or five-minute duration. For granular rate control, rate limiting can be combined with additional match conditions such as HTTP(S) parameter matching.

Requests from the same client often arrive at the same Front Door server. In that case, you'll see additional requests above the threshold get blocked immediately.

However, requests from the same client may arrive at a different Front Door server that has not yet refreshed its rate limit counter. For example, the client may open a new connection for each request while the threshold is low. In this case, the first requests to the new Front Door server pass the rate limit check. A rate limit threshold is usually set high to defend against denial-of-service attacks from any client IP address. With a very low threshold, you may see additional requests above the threshold get through.
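The following Python simulation is an added illustration of the behaviour just described, not code from the article or from Front Door itself. It assumes a simplified model: each edge server keeps its own per-client counter, the counters are reconciled at a fixed interval, and a client that opens a new connection per request is spread round-robin across servers. The client IP, server count and reconciliation interval are constructed parameters.

```python
"""Why a low rate-limit threshold lets a few extra requests through.

Added example, not from the Azure documentation. Each simulated edge server
keeps its own per-client counter and only learns the other servers' counts at
reconciliation time, so a client whose requests land on different servers can
exceed the configured threshold until the shared count catches up. Server
selection and the refresh interval are simplified assumptions.
"""
from collections import defaultdict


class EdgeServer:
    """One Front Door server with its own view of the per-client counter."""

    def __init__(self, name):
        self.name = name
        self.known = {}                  # per-client count as of the last reconciliation
        self.local = defaultdict(int)    # requests admitted here since then

    def admit(self, client, threshold):
        """Allow the request if this server's view of the count is under the threshold."""
        seen = self.known.get(client, 0) + self.local[client]
        if seen >= threshold:
            return False
        self.local[client] += 1
        return True


def reconcile(servers, global_counts):
    """Fold each server's local count into the global count, then push it back out."""
    for s in servers:
        for client, n in s.local.items():
            global_counts[client] += n
        s.local.clear()
    for s in servers:
        s.known = dict(global_counts)


def simulate(threshold, requests, n_servers, sync_every, sticky):
    """Send `requests` requests from one client and return (allowed, blocked).

    sticky=True  models a client reusing one connection, so every request hits server 0.
    sticky=False models a new connection per request, spread round-robin over servers.
    Counters are reconciled every `sync_every` requests (assumed refresh interval).
    """
    servers = [EdgeServer(f"edge-{i}") for i in range(n_servers)]
    global_counts = defaultdict(int)
    allowed = blocked = 0
    for i in range(requests):
        if i and i % sync_every == 0:
            reconcile(servers, global_counts)
        target = servers[0] if sticky else servers[i % n_servers]
        if target.admit("198.51.100.7", threshold):   # constructed client IP
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    for sticky in (True, False):
        a, b = simulate(threshold=5, requests=30, n_servers=3, sync_every=15, sticky=sticky)
        print(f"sticky={sticky}: allowed={a} blocked={b} (threshold 5)")
    a, b = simulate(threshold=5, requests=30, n_servers=3, sync_every=1, sticky=False)
    print(f"per-request reconciliation: allowed={a} blocked={b}")
```

With threshold 5, three servers and reconciliation every 15 requests, the sticky client is cut off at exactly 5 while the round-robin client gets 15 through before the reconciled count stops it; with reconciliation after every request the overshoot disappears. The excess is bounded by what each server admits before its counter catches up, which is why the gap is noticeable at a low threshold and only a small fraction of the traffic at the high thresholds used against denial-of-service attacks.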

Next steps