我们在预防模式下使用Application Gateway WAF,它阻止了我们的某些Mobile App Client请求。我将WAF切换为“检测”模式,并将日志输出到Log Analytics。我可以看到有关正在发出的请求和已触发的WAF的一些信息,但看不到触发了哪个规则。
有没有办法查看触发了什么规则?不知道为什么会失败,很难缩小问题的根源!
答案 0 :(得分:1)
检查防火墙日志时,您应该会看到 ruleId 。
这里是一个例子:
{
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
"operationName": "ApplicationGatewayFirewall",
"time": "2017-03-20T15:52:09.1494499Z",
"category": "ApplicationGatewayFirewallLog",
"properties": {
"instanceId": "ApplicationGatewayRole_IN_0",
"clientIp": "104.210.252.3",
"clientPort": "4835",
"requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0",
"ruleId": "941320",
"message": "Possible XSS Attack Detected - HTML Tag Handler",
"action": "Blocked",
"site": "Global",
"details": {
"message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
"data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
"file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"line": "865"
}
}
}
在此之前,您必须确保为每个应用程序网关启用防火墙日志。此日志还要求在应用程序网关上配置Web应用程序防火墙。您可以获得here的更多详细信息。
建议阅读这两篇文章:
Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway