Azure WAF/Application Gateway
Updated: Jul 7, 2019
Waiting Around Forever
Alright, "Waiting Around Forever" isn't the only name I have for it, but it's definitely the politically correct one!
I would give you a breakdown of the differences or benefits of WAF v1 vs WAF v2,
but there just isn't any point. IF YOUR REGION SUPPORTS WAF V2, DO NOT WASTE YOUR TIME WITH V1.
Essentially, when MS rebuilt/reworked the backend of Azure and changed the scripting language, WAF was too much work!
Rather than trying to update the existing WAF and existing setups, they just put a clever (and it is clever) conversion process in place.
Now this is most likely the problem you've encountered whenever an oldish Azure product is used. The conversion is SLOW AF!
And you really feel it with WAF v1. I'm not saying WAF v2 is "mega fast", don't get your hopes up. BUT WAF V1 is MEGA SLOW!
Regardless, top tips for WAF:-
Listen! - Well, Listeners
- When creating these, any PFX will need a password
- If you get errors, there's a good chance corruption is in play
(I found importing certs on multi-site listeners often led to corruption in the certificate when it was created; often it's better to build multiple listeners for multiple sites)
- If you are creating a listener on a cert a customer is giving you, import the cert locally on your machine
(But don't import it as "Current User", use "Local Machine". I've had issues building it different ways)
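Here's the listener tips above as a script. This is an added example, not code from the original post: it assumes the Az.Network module (Connect-AzAccount done), an elevated session for the Local Machine certificate store, and placeholder values for the resource group, gateway name, host names and PFX paths. It proves each PFX is usable by importing it into Cert:\LocalMachine\My first, then adds one certificate and one multi-site HTTPS listener per host name instead of stacking sites onto a single listener.

```powershell
# Added example (not from the original post). Placeholders: resource group, gateway name,
# host names and PFX paths. Needs Az.Network and an elevated session for LocalMachine\My.
$ResourceGroup = 'rg-placeholder'
$GatewayName   = 'agw-placeholder'
$Sites = @{                                       # one PFX per site; constructed placeholder paths
    'www.example.com' = 'C:\certs\www-example-com.pfx'
    'api.example.com' = 'C:\certs\api-example-com.pfx'
}

$gw      = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$feIp    = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1
$port443 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw | Where-Object { $_.Port -eq 443 }

foreach ($site in $Sites.Keys) {
    $pfx    = $Sites[$site]
    $label  = $site -replace '\.', '-'
    $pfxPwd = Read-Host -Prompt "PFX password for $site" -AsSecureString   # every PFX needs one

    # 1. Prove the PFX is sound by importing it into LocalMachine\My (not CurrentUser).
    #    A corrupt file or wrong password fails here, before the slow gateway update.
    $cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd
    if (-not $cert.HasPrivateKey)     { throw "$pfx has no private key; a listener cannot use it." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$pfx expired on $($cert.NotAfter)." }
    Write-Host "OK: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"

    # 2. Attach the certificate to the gateway under its own name.
    Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "cert-$label" `
        -CertificateFile $pfx -Password $pfxPwd | Out-Null
    $sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "cert-$label"

    # 3. One multi-site HTTPS listener per host name; SNI selects the certificate.
    Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener-https-$label" `
        -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $port443 `
        -SslCertificate $sslCert -HostName $site -RequireServerNameIndication 'true' | Out-Null
}

# 4. Commit every change in a single update (this is the slow step the post warns about).
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

The point of step 1 is that the local import is quick and gives a real error message, whereas a bad PFX pushed straight to the gateway only fails after the long update. Each site gets its own cert name and listener name, so if one import fails you know exactly which file is at fault.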
IT and engineering share a lot of the same rules, one of my favourite rules being a classic phrase I remember fondly from "Scrapheap Challenge":
KEEP IT SIMPLE STUPID
Often it's much faster to spend the extra time/effort building lots of basic setups,
as opposed to trying to over-complicate configurations/setups, which then end up throwing errors that you could spend hours or days trawling through to debug/understand where the issue lies.
So don't go crazy trying to be clever, adding complicated rules and additional rules that aren't needed.
Just send HTTPS to the backend and repoint HTTP to HTTPS... IT'S SIMPLE AND EFFECTIVE
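The "HTTPS to the backend, HTTP redirected to HTTPS" setup above as a script. This is an added example, not code from the original post: it assumes the gateway already has a backend pool, an HTTP setting and an HTTPS listener named listener-https-www-example-com (placeholders), and it uses the -Priority parameter that current Az.Network requires on v2 rules.

```powershell
# Added example (not from the original post). Placeholders: resource group, gateway name,
# site host name, and the names of the existing HTTPS listener / pool / HTTP setting.
$ResourceGroup = 'rg-placeholder'
$GatewayName   = 'agw-placeholder'
$Site          = 'www.example.com'
$label         = $Site -replace '\.', '-'

$gw            = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$feIp          = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1
$pool          = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw | Select-Object -First 1
$setting       = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw | Select-Object -First 1
$httpsListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener-https-$label"

# Rule 1: HTTPS listener -> backend pool. A basic rule, nothing clever.
Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule-https-$label" -Priority 100 `
    -RuleType Basic -HttpListener $httpsListener -BackendAddressPool $pool -BackendHttpSettings $setting | Out-Null

# Rule 2: an HTTP listener on port 80 whose only job is a 301 to the HTTPS listener.
$port80 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw | Where-Object { $_.Port -eq 80 }
if (-not $port80) {
    Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-80' -Port 80 | Out-Null
    $port80 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-80'
}
Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener-http-$label" `
    -Protocol Http -FrontendIPConfiguration $feIp -FrontendPort $port80 -HostName $Site | Out-Null
$httpListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener-http-$label"

# Permanent redirect that keeps path and query string, so bookmarked deep links still land.
Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "redirect-$label" `
    -RedirectType Permanent -TargetListener $httpsListener -IncludePath $true -IncludeQueryString $true | Out-Null
$redirect = Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "redirect-$label"

Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule-http-to-https-$label" -Priority 110 `
    -RuleType Basic -HttpListener $httpListener -RedirectConfiguration $redirect | Out-Null

Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

Two rules, one redirect, done. Redirecting to the listener (rather than a hard-coded URL) means the redirect follows the HTTPS listener if you later rename the host or change the port, which is one less thing to debug.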
Custom rules are your friend on this one; in the security-conscious world we live in, getting these right is important.
OBVIOUSLY PEN TEST! But I am not a pen tester and neither do I want to be.
What I would say is use "TLSv1_2", set it to custom, then run an SSL test on the WAF public host. I tend to use SSL Labs https://www.ssllabs.com/
Once run, it'll give you an indication of the weak ciphers you currently have enabled; go through and edit/remove the ciphers you don't need or which are showing as weak.
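The custom TLSv1_2 policy from the tip above as a script, plus a quick local handshake check. This is an added example, not code from the original post: resource group, gateway name and host are placeholders, and the cipher list is one reasonable selection (ECDHE key exchange, GCM suites only), not the post's own list; trim it to what your SSL Labs report and your clients actually need.

```powershell
# Added example (not from the original post). Placeholders: resource group, gateway name, host.
$ResourceGroup = 'rg-placeholder'
$GatewayName   = 'agw-placeholder'
$PublicHost    = 'www.example.com'

$gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Show what the gateway enforces today, to compare against the SSL Labs findings.
$current = Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
"Current policy: type=$($current.PolicyType) min=$($current.MinProtocolVersion)"
$current.CipherSuites

# Custom policy: floor at TLSv1_2, forward-secret ECDHE key exchange, AEAD (GCM) suites only.
# Weak CBC/SHA1/RSA-key-exchange suites are simply left off the list.
$ciphers = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom `
    -MinProtocolVersion TLSv1_2 -CipherSuite $ciphers | Out-Null
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Local sanity check once the update completes: force a TLS 1.2 handshake and print what was
# negotiated. This does not replace the SSL Labs scan, which also probes for weak suites.
$tcp = New-Object System.Net.Sockets.TcpClient($PublicHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient($PublicHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
"Negotiated: $($ssl.SslProtocol) $($ssl.CipherAlgorithm)-$($ssl.CipherStrength) kex=$($ssl.KeyExchangeAlgorithm)"
$ssl.Dispose(); $tcp.Dispose()
```

Keep the two ECDHE_RSA GCM suites in any custom list you build; the gateway uses them for its own backend connections as well as for clients, so dropping both can break traffic to the backend even though the public listener looks fine.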