What is Azure Web Application Firewall on Azure Application Gateway?

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by attacks that exploit commonly known vulnerabilities; SQL injection and cross-site scripting are among the most common.

WAF on Application Gateway is based on the Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The managed rules are updated automatically to protect against new vulnerabilities, with no additional configuration needed.

All of the WAF features listed below live inside a WAF policy. You can create multiple policies and associate them with an Application Gateway, with individual listeners, or with path-based routing rules on an Application Gateway. This way you can have a separate policy for each site behind your Application Gateway if needed. For more information on WAF policies, see Create a WAF policy.

Diagram: Application Gateway WAF

Application Gateway operates as an application delivery controller (ADC). It offers Transport Layer Security (TLS, previously known as Secure Sockets Layer or SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.

Application Gateway security enhancements include TLS policy management and end-to-end TLS support. Integrating WAF into Application Gateway strengthens application security: the combination protects your web applications against common vulnerabilities and gives you a single, easy-to-configure place to manage that protection.

Benefits

This section describes the core benefits that WAF on Application Gateway provides.

Protection

  • Protect your web applications from web vulnerabilities and attacks without modifying back-end code.

  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites protected by the web application firewall.

  • Create custom WAF policies for different sites behind the same WAF.

  • Protect your web applications from malicious bots with the IP Reputation rule set (preview).

Monitoring

  • Monitor attacks against your web applications by using the real-time WAF log. The log is integrated with Azure Monitor to track WAF alerts and easily monitor trends.

  • The Application Gateway WAF is integrated with Azure Security Center. Security Center provides a central view of the security state of all your Azure resources.

Customization

  • Customize WAF rules and rule groups to suit your application requirements and eliminate false positives.

  • Associate a WAF policy with each site behind your WAF to allow site-specific configuration.

  • Create custom rules to suit the needs of your application.

Features

  • SQL injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, in Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from WAF evaluation. Common examples are tokens inserted by Active Directory for authentication, and password fields, both of which can otherwise trigger false positives.
  • Create custom rules to suit the specific needs of your applications.
  • Geo-filter traffic to allow or block certain countries/regions from accessing your applications (preview).
  • Protect your applications from bots with the bot mitigation rule set (preview).
  • Inspect JSON and XML in the request body.

WAF policy and rules

To enable a Web Application Firewall on Application Gateway, you must create a WAF policy. This policy is where all of the managed rules, custom rules, exclusions, and other customizations such as the file upload limit live.

You can configure a WAF policy and associate it with one or more application gateways for protection. A WAF policy consists of two types of security rules:

  • Custom rules that you create

  • Managed rule sets, which are collections of Azure-managed, pre-configured rules

When both are present, custom rules are processed before the rules in the managed rule set. A rule is made of a match condition, a priority, and an action. The supported action types are ALLOW, BLOCK, and LOG. By combining managed and custom rules, you can build a fully customized policy that meets your specific application protection requirements.

Rules within a policy are processed in priority order. The priority is a unique integer that defines the order in which rules are processed: a smaller value denotes a higher priority, so those rules are evaluated before rules with a larger value. Once a rule matches, the action defined in that rule is applied to the request, and rules with lower priority (larger values) are not processed further. The LOG action is the exception: the match is recorded and evaluation continues with the remaining rules.

A web application delivered by Application Gateway can have a WAF policy associated with it at the global level, at the per-site (listener) level, or at the per-URI (path-based routing rule) level.

Core rule sets

Application Gateway supports three rule sets: CRS 3.1, CRS 3.0, and CRS 2.2.9. These rules protect your web applications from malicious activity.

For more information, see Web application firewall CRS rule groups and rules.

Custom rules

Application Gateway also supports custom rules. With custom rules, you can create your own rules, which are evaluated for each request that passes through the WAF. These rules take priority over the rules in the managed rule sets. If a set of conditions is met, an action is taken to allow or block the request.

The geomatch operator is now available in public preview for custom rules. See geomatch custom rules for more information.

Note

The geomatch operator for custom rules is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the Supplemental Terms of Use for Microsoft Azure Previews for details.

For more information on custom rules, see Custom rules for Application Gateway.

Bot mitigation (preview)

A managed bot protection rule set can be enabled for your WAF to block or log requests from known malicious IP addresses, alongside the managed rule set. The IP addresses are sourced from the Microsoft Threat Intelligence feed. The Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services, including Azure Security Center.

Note

The bot protection rule set is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities. See the Supplemental Terms of Use for Microsoft Azure Previews for details.

If bot protection is enabled, incoming requests whose client IP matches a known malicious bot IP are logged in the firewall log; see the logging section below. You can access WAF logs from a storage account, an event hub, or Log Analytics.

WAF modes

The Application Gateway WAF can be configured to run in one of two modes:

  • Detection mode: Monitors and logs all threat alerts but does not block incoming requests. You turn on logging diagnostics for Application Gateway in the Diagnostics section, and you must also make sure that the WAF log is selected and turned on; otherwise nothing is recorded and the mode gives you no visibility at all.
  • Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives an HTTP 403 (Forbidden) response and the connection is closed. Prevention mode also records such attacks in the WAF logs.

Note

It is recommended that you run a newly deployed WAF in Detection mode for a short period in a production environment. This gives you the opportunity to collect firewall logs and add any exclusions or custom rules before switching to Prevention mode, which helps reduce unexpected blocking of legitimate traffic.

Anomaly scoring mode

The OWASP CRS has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.

In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand, but its limitation is that it carries no information about how many rules match a specific request. So Anomaly Scoring mode was introduced; it is the default for CRS 3.x.

In Anomaly Scoring mode, traffic that matches a rule isn't immediately blocked when the firewall is in Prevention mode. Each rule has a severity: Critical, Error, Warning, or Notice. That severity contributes a numeric value to a per-request total called the anomaly score. For example, one Warning rule match contributes 3 to the score; one Critical rule match contributes 5.

Severity   Value
Critical   5
Error      4
Warning    3
Notice     2

The anomaly score threshold for blocking traffic is 5. So a single Critical rule match is enough for the Application Gateway WAF to block a request in Prevention mode, but a single Warning match only raises the score by 3, which isn't enough by itself to block the traffic; two Warning matches on the same request (score 6) would be.

Note

The message that's logged when a WAF rule matches traffic includes the action value "Blocked", but the traffic is actually blocked only when the request's total anomaly score reaches 5 or higher. For more information, see Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway.
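To make the rule-processing order, the two modes and the anomaly scoring concrete, here is a small Python model written for this page. It is not Azure's implementation and not Microsoft's code: custom rules run first in ascending priority, an Allow or Block match is terminal while a Log match is recorded and evaluation continues, and the managed rules then accumulate an anomaly score that blocks only in Prevention mode once it reaches 5. The rule IDs, regex patterns, the X-MS-Token exclusion and the request data are all constructed for illustration; the real CRS logic is far richer than one regex per rule.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Set, Tuple

# Severity weights and the blocking threshold from the anomaly-scoring table above.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5

@dataclass
class Request:
    uri: str
    headers: Dict[str, str]
    body: str = ""

@dataclass
class CustomRule:
    name: str
    priority: int                       # unique; a smaller value is evaluated first
    action: str                         # "Allow", "Block" or "Log"
    matches: Callable[[Request], bool]  # the match condition

@dataclass
class ManagedRule:
    rule_id: str                        # CRS-style ID (constructed stand-in)
    severity: str                       # key of SEVERITY_SCORE
    target: str                         # "uri", "body" or "headers"
    pattern: str                        # regex searched in the target

@dataclass
class Policy:
    mode: str                           # "Detection" or "Prevention"
    custom_rules: List[CustomRule]
    managed_rules: List[ManagedRule]
    excluded_headers: Set[str] = field(default_factory=set)  # exclusion list, lower-case names

    def __post_init__(self) -> None:
        priorities = [r.priority for r in self.custom_rules]
        if len(priorities) != len(set(priorities)):
            raise ValueError("custom rule priorities must be unique")

def _inspected_values(req: Request, rule: ManagedRule, policy: Policy) -> List[str]:
    """Values a managed rule looks at; excluded headers are skipped entirely."""
    if rule.target == "uri":
        return [req.uri]
    if rule.target == "body":
        return [req.body]
    return [v for k, v in req.headers.items() if k.lower() not in policy.excluded_headers]

def evaluate(policy: Policy, req: Request) -> Tuple[str, int, List[str]]:
    """Return (verdict, anomaly_score, log); Detection mode never returns "Blocked"."""
    log: List[str] = []
    enforce = policy.mode == "Prevention"
    # 1. Custom rules first, by ascending priority; Allow/Block end evaluation, Log continues.
    for rule in sorted(policy.custom_rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        log.append(f"custom {rule.name} -> {rule.action}")
        if rule.action == "Allow":
            return "Allowed", 0, log
        if rule.action == "Block":
            return ("Blocked" if enforce else "Allowed"), 0, log
    # 2. Managed rules: each match adds its severity weight; block only at the threshold.
    score = 0
    for rule in policy.managed_rules:
        if any(re.search(rule.pattern, v) for v in _inspected_values(req, rule, policy)):
            score += SEVERITY_SCORE[rule.severity]
            log.append(f"managed {rule.rule_id} ({rule.severity}) matched")
    if score >= BLOCK_THRESHOLD and enforce:
        return "Blocked", score, log
    return "Allowed", score, log

# Constructed policy; rule IDs and patterns only imitate CRS rules.
EXAMPLE_POLICY = Policy(
    mode="Prevention",
    custom_rules=[
        CustomRule("allow-health-probe", 5, "Allow", lambda r: r.uri == "/health"),
        CustomRule("block-sqlmap-ua", 10, "Block",
                   lambda r: "sqlmap" in r.headers.get("User-Agent", "").lower()),
        CustomRule("log-admin-paths", 20, "Log", lambda r: r.uri.startswith("/admin")),
    ],
    managed_rules=[
        ManagedRule("942100", "Critical", "body", r"(?i)union\s+select"),
        ManagedRule("920350", "Warning", "headers", r"^[\d.:]+$"),
    ],
    excluded_headers={"x-ms-token"},  # hypothetical token header that would otherwise trip 920350
)
DETECTION_POLICY = replace(EXAMPLE_POLICY, mode="Detection")      # same rules, log only
UNTUNED_POLICY = replace(EXAMPLE_POLICY, excluded_headers=set())  # no exclusion list

if __name__ == "__main__":
    sqli = Request("/login", {"Host": "10.0.0.4"}, body="user=a' UNION SELECT 1--")
    print(evaluate(EXAMPLE_POLICY, sqli))    # Blocked, score 8 (Critical 5 + Warning 3)
    print(evaluate(DETECTION_POLICY, sqli))  # Allowed, same matches in the log
```

Running the same request against DETECTION_POLICY and EXAMPLE_POLICY shows why the note above recommends starting in Detection mode: the log lines are identical, only the verdict differs. Comparing EXAMPLE_POLICY with UNTUNED_POLICY shows what an exclusion list buys you: a header value that looks like a numeric host is simply not inspected, so it no longer adds 3 to every request's score.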

WAF monitoring

Monitoring the health of your application gateway is important. Monitoring the health of your WAF and the applications it protects is supported by integration with Azure Security Center, Azure Monitor, and Azure Monitor logs.

Diagram: Application Gateway WAF diagnostics

Azure Monitor

Application Gateway logs are integrated with Azure Monitor, which lets you track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab of the Application Gateway resource in the portal or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.

Azure Security Center

Security Center helps you prevent, detect, and respond to threats. It provides increased visibility into and control over the security of your Azure resources. Application Gateway is integrated with Security Center: Security Center scans your environment to detect unprotected web applications and can recommend an Application Gateway WAF to protect those resources. You can create the firewalls directly from Security Center. These WAF instances are integrated with Security Center and send alerts and health information to it for reporting.

Screenshot: Security Center overview window

Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

With the built-in Azure WAF firewall events workbook, you can get an overview of the security events on your WAF. This includes events, matched and blocked rules, and everything else that gets logged in the firewall logs. See more on logging below.

Screenshot: Azure WAF firewall events workbook

Azure Monitor workbook for WAF

This workbook enables custom visualization of security-relevant WAF events across several filterable panels. It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered by WAF type or by a specific WAF instance. Import it via an ARM template or a gallery template. To deploy this workbook, see WAF Workbook.

Logging

Application Gateway WAF provides detailed reporting on each threat that it detects. Logging is integrated with Azure Diagnostics logs, and alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs. A sample firewall log record looks like this (one record per rule match; a request that matches several rules produces several records sharing one transactionId):

Screenshot: Application Gateway diagnostics log window

{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupId}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{appGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "52.161.109.145",
    "clientPort": "0",
    "requestUri": "/",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "920350",
    "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
    "message": "Host header is a numeric IP address",
    "action": "Matched",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host ....",
      "data": "127.0.0.1",
      "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      "line": "791"
    },
    "hostname": "127.0.0.1",
    "transactionId": "16861477007022634343",
    "policyId": "/subscriptions/1496a758-b2ff-43ef-b738-8e9eb5161a86/resourceGroups/drewRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/globalWafPolicy",
    "policyScope": "Global",
    "policyScopeName": "Global"
  }
}
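As an added example (not Microsoft's code), the script below parses a constructed JSON-lines export of the firewall log in the shape shown above, groups the records by transactionId, and applies the caveat from the anomaly-scoring section: every record carries action "Blocked", but only a transaction whose summed score reaches 5 was actually rejected, so a per-record alert count overstates what the WAF really stopped. It assumes the severity can be read from the leading word of details.message, as in the sample ("Warning. Pattern match ..."); that is an assumption about the log format, not a documented field. The rule IDs and messages imitate CRS 3.x, but the records, client IPs and transaction IDs are fabricated.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5

# Constructed JSON-lines export: five records for four transactions. Only the
# fields this script reads are included; rule IDs and messages imitate CRS 3.x.
SAMPLE_LOG = r'''
{"time":"2021-05-02T10:00:01Z","category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login","ruleSetVersion":"3.1","ruleId":"942100","ruleGroup":"942-APPLICATION-ATTACK-SQLI","message":"SQL Injection Attack Detected via libinjection","action":"Blocked","details":{"message":"Critical. detected SQLi using libinjection","data":"user=a' UNION SELECT 1--"},"transactionId":"tx-1001"}}
{"time":"2021-05-02T10:00:01Z","category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login","ruleSetVersion":"3.1","ruleId":"920350","ruleGroup":"920-PROTOCOL-ENFORCEMENT","message":"Host header is a numeric IP address","action":"Blocked","details":{"message":"Warning. Pattern match \"^[\\d.:]+$\" at REQUEST_HEADERS:Host","data":"10.0.0.4"},"transactionId":"tx-1001"}}
{"time":"2021-05-02T10:00:05Z","category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.23","requestUri":"/","ruleSetVersion":"3.1","ruleId":"920350","ruleGroup":"920-PROTOCOL-ENFORCEMENT","message":"Host header is a numeric IP address","action":"Blocked","details":{"message":"Warning. Pattern match \"^[\\d.:]+$\" at REQUEST_HEADERS:Host","data":"10.0.0.4"},"transactionId":"tx-1002"}}
{"time":"2021-05-02T10:00:09Z","category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/search","ruleSetVersion":"3.1","ruleId":"941100","ruleGroup":"941-APPLICATION-ATTACK-XSS","message":"XSS Attack Detected via libinjection","action":"Blocked","details":{"message":"Critical. detected XSS using libinjection","data":"q=<script>alert(1)</script>"},"transactionId":"tx-1003"}}
{"time":"2021-05-02T10:00:12Z","category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.50","requestUri":"/api","ruleSetVersion":"3.1","ruleId":"920320","ruleGroup":"920-PROTOCOL-ENFORCEMENT","message":"Missing User Agent Header","action":"Blocked","details":{"message":"Notice. Operator EQ matched 0 at REQUEST_HEADERS:User-Agent","data":""},"transactionId":"tx-1004"}}
'''


def parse_log(text: str) -> List[dict]:
    """Parse a JSON-lines export (one record per line) into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity_of(record: dict) -> str:
    """Severity from the leading word of details.message (assumption about the format)."""
    word = record["properties"]["details"]["message"].split(".", 1)[0].strip()
    return word if word in SEVERITY_SCORE else "Unknown"


def summarize_transactions(records: List[dict]) -> Dict[str, dict]:
    """Group matches by transactionId and decide whether each request was really blocked."""
    summary: Dict[str, dict] = {}
    for rec in records:
        p = rec["properties"]
        entry = summary.setdefault(p["transactionId"], {
            "clientIp": p["clientIp"], "uri": p["requestUri"], "rules": [], "score": 0,
        })
        entry["rules"].append(p["ruleId"])
        entry["score"] += SEVERITY_SCORE.get(severity_of(rec), 0)
    for entry in summary.values():
        # A record's action "Blocked" does not mean the request was rejected;
        # only the summed score measured against the threshold does.
        entry["blocked"] = entry["score"] >= BLOCK_THRESHOLD
    return summary


def top_blocked_clients(summary: Dict[str, dict], n: int = 3) -> List[Tuple[str, int]]:
    """Client IPs ranked by the number of requests that were actually blocked."""
    counts = Counter(e["clientIp"] for e in summary.values() if e["blocked"])
    return counts.most_common(n)


if __name__ == "__main__":
    summary = summarize_transactions(parse_log(SAMPLE_LOG))
    for tx, e in summary.items():
        state = "BLOCKED" if e["blocked"] else "logged only"
        print(f"{tx} {e['clientIp']:<14} {e['uri']:<8} rules={e['rules']} score={e['score']} {state}")
    print("top blocked clients:", top_blocked_clients(summary))
```

In the sample, tx-1002 (one Warning, score 3) and tx-1004 (one Notice, score 2) each show action "Blocked" in their record yet were served, while tx-1001 (Critical plus Warning, score 8) and tx-1003 (one Critical, score 5) were rejected. Pointing the same grouping at a Log Analytics export is the quickest way to separate real blocks from noise before tuning exclusions.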

Application Gateway WAF SKU pricing

The pricing models differ for the WAF_v1 and WAF_v2 SKUs. See the Application Gateway pricing page to learn more.

What's new

To learn what's new with Azure Web Application Firewall, see Azure updates.

Next steps