Reputation: 170308
Azure Front Door somethimes does not apply the expected block-action
In Azure Front Door, I have a Front Door WAF policy with a custom (example) rule that blocks all IP addresses starting with 111.222.:
(where 10 is the lowest Priority, so first to be applied)
When querying the Front Door Logs with the following KQL:
AzureDiagnostics
| where clientIP_s startswith "111.222." or clientIp_s startswith "111.222."
| project clientIP_s, clientIp_s, ruleName_s, action_s, httpStatusCode_s
| take 10
I get the following resuls:
| clientIP_s | clientIp_s | ruleName_s | action_s | httpStatusCode_s |
|---|---|---|---|---|
| 111.222.3.4 | 429 | |||
| 111.222.5.6 | 429 | |||
| 111.222.7.8 | StackOverflowExample | Block | ||
| 111.222.9.0 | StackOverflowExample | Block | ||
| 111.222.9.0 | 429 |
In case an IP address is matched as a clientIp_s (lower case p), it is not picked up by the rule StackOverflowExample. Only when matched as a clientIP_s (upper case P) is it picked up by StackOverflowExample and correctly blocked. Note that there is another rate-limiting rule that matches the URL for the clientIp_s requests and returns a 429.
Some observations:
- there are IP addresses that only occur as a
clientIP_s(111.222.3.4 and 111.222.5.6) - there are IP addresses that only occur as a
clientIp_s(111.222.7.8) - there are IP addresses that occur as both a
clientIP_sandclientIp_s(111.222.9.0)
How come the clientIp_s are not matched by the rule StackOverflowExample?
Upvotes: 1
Views: 280
Answers (1)
Reputation: 7868
Azure Front Door sometimes does not apply the expected block-action
In Azure Front Door, there are similar fields for clientIP. You can check the details below.
clientIP_s: This is used in the FrontdoorAccessLog category and captures the IP address of the client making requests to Azure Front Door.
clientIp_s: This is used in the FrontdoorWebApplicationFirewallLog category. It captures the client's IP address specifically in logs generated by the WAF associated with Azure Front Door.
You can modify the custom rule to match both clientIP_s and clientIp_s for each in WAF policy rule using below PowerShell script.
$clientIP_s = New-AzFrontDoorWafMatchConditionObject -MatchVariable clientIP_s -OperatorProperty IPMatch -MatchValue "111.222."
$clientIp_s = New-AzFrontDoorWafMatchConditionObject -MatchVariable clientIp_s -OperatorProperty IPMatch -MatchValue "111.222."
$FrontdoorcustomRule = New-AzFrontDoorWafCustomRuleObject -Name "StackOverflowExample" -RuleType MatchRule -MatchCondition $clientIP_s,$clientIp_s -Action Block -Priority 1
Reference: Azure Front Door not applying the expected block-action by Pinaki Ghatak
Policy settings for Web Application Firewall in Azure Front Door
Upvotes: 1
Related Questions
- Block traffic in azure front door based on claims
- Azure Front door WAF policy Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110 block request with Inbound Anomaly Score Exceeded message
- Block port 80 access in Azure Front door
- Azure Front Door WAF is blocking .AspNet.ApplicationCookie
- Azure Front Door WAF ip restrictions for static web apps
- Azure front door custom domain downtime
- Azure Front Door Configuration Changes
- Azure Front Door - Routing Redirect returns 405 Method Not Allowed, but only when going through the Front Door