Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Web Application Firewall for Application Gateways

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ApplicationGateway-004

Ensure that Web Application Firewall (WAF) security policies are enabled for your Microsoft Azure Application Gateways in order to protect your applications from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements.

Security

Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common threats such as SQL injections, Cross Site Scripting (XSS), and local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other HTTP(S) parameters via custom rules using the firewall service.

To enable Web Application Firewall (WAF) integration with Azure Application Gateway, your Application Gateway must be on the Standard V2 or WAF V2 pricing tier.

Audit

To determine if Web Application Firewall (WAF) policies are enabled for your Azure Application Gateways, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

  5. Click on the name (link) of the Azure Application Gateway that you want to examine.

  6. In the resource navigation panel, under Settings, select Web application firewall to examine the WAF security policy configured for the selected Application Gateway.

  7. In the Associated web application firewall policy section, check for any Web Application Firewall (WAF) policies configured for the selected Application Gateway. If there are no WAF security policies listed under Associated web application firewall policy, Azure Web Application Firewall is not enabled for the selected Application Gateway. If one or more WAF policies are returned, continue the Audit process with the next step.

  8. Click on the name (link) of the WAF security policy associated with your Application Gateway to access the WAF policy configuration.

  9. In the WAF navigation panel, choose Overview, and check the Policy state attribute value listed under Essentials to determine the operational status of the WAF policy associated with your Application Gateway. If the Policy state is set to Disabled, the WAF policy is not operational, therefore, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Application Gateway.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run network application-gateway list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Application Gateway available in the selected subscription:

    az network application-gateway list
	--query '[*].id'

  5. The command output should return the requested Application Gateway IDs:

    [
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-prod-stack-application-gateway"
]

  6. Run network application-gateway show command (Windows/macOS/Linux) with the name of the Azure Application Gateway that you want to examine as the identifier parameter and custom output filters to describe the ID of the WAF security policy associated with the selected Application Gateway:

    az network application-gateway show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway"
	--query '{firewallPolicy:firewallPolicy.id}'

  7. The command output should return the requested WAF policy ID. If the network application-gateway show command output returns null for "firewallPolicy", there are no WAF policies associated with your resource, therefore, Azure Web Application Firewall is not enabled for the selected Application Gateway. If the ID of the WAF policy is returned, as shown in the example below, continue the Audit process with the next step:

    {
	"firewallPolicy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy"
}

  8. Run network application-gateway waf-policy show command (Windows/macOS/Linux) to determine the operational status of the WAF policy associated with your Application Gateway. For --name, use the WAF policy name included in the resource ID returned in the previous step (i.e., "/subscriptions/\<subscription-id\>/resourceGroups/\<resource-group\>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/\<waf-policy-name\>"):

    az network application-gateway waf-policy show
	--name cc-app-gateway-waf-policy
	--resource-group cloud-shell-storage-westeurope
	--query "{state:policySettings.state}"

  9. The command output should return the resource operational status:

    {
	"state": "Disabled"
}

    If the "state" is not set to "Enabled", the associated WAF security policy is not operational, therefore, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Application Gateway.

Remediation / Resolution

To enable Web Application Firewall (WAF) support for your Microsoft Azure Application Gateways, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

  5. Click on the name (link) of the Azure Application Gateway that you want to configure.

  6. In the resource navigation panel, under Settings, select Web application firewall to access the WAF security policy configured for the selected Application Gateway.

  7. In the Associated web application firewall policy section, click on the name (link) of the WAF security policy associated with your Application Gateway to access the WAF policy configuration.

  8. In the WAF navigation panel, select Overview, and choose Enabled from the page top menu to enable the Web Application Firewall (WAF) policy associated with your Azure Application Gateway.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run network application-gateway waf-policy update command (Windows/macOS/Linux) to enable the Web Application Firewall (WAF) policy associated with your Azure Application Gateway. This will protect your web application from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements:

    az network application-gateway waf-policy update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy"
	--policy-settings "{state:Enabled}"

  5. The command output should return the configuration information available for the associated WAF policy:

    {
	"customRules": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/cc-app-gateway-waf-policy",
	"location": "westeurope",
	"managedRules": {
	"exclusions": [],
	"managedRuleSets": [
		{
			"ruleGroupOverrides": [],
			"ruleSetType": "OWASP",
			"ruleSetVersion": "3.2"
		}
	]
	},
	"name": "cc-app-gateway-waf-policy",
	"policySettings": {
		"fileUploadEnforcement": true,
		"fileUploadLimitInMb": 100,
		"maxRequestBodySizeInKb": 128,
		"mode": "Detection",
		"requestBodyCheck": true,
		"requestBodyEnforcement": true,
		"requestBodyInspectLimitInKB": 128,
		"state": "Enabled"
	},
	"provisioningState": "Updating",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"tags": {},
	"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}

References

Publication date Nov 7, 2025

Related ApplicationGateway rules