Navigating Sitecore Security: Unveiling Azure Firewall Challenges

In the realm of enterprise applications, the firewall stands as a pivotal guardian against potential threats. This blog delves into a specific scenario where Sitecore support facilitated the implementation of Web Application Firewall (WAF) on Microsoft Azure for a Sitecore Managed Website. With WAF in place, access to the App Service was restricted solely to the Firewall’s IP, resulting in a 403 Forbidden error. The intricacies of pinpointing the exact rule causing this restriction within Azure Firewall are explored.

Simple Web Architecture:

Note: This diagram is created only to explain the basic scenario for this blog post.

The blog details a step-by-step process for identifying and addressing WAF rule blocks:

1: Accessing WAF Logs:

Navigate through the Application Gateway to access logs, running a following query in Azure Diagnostics to isolate rule-specific data.

WAF2 - Azure Application Gateway Policy
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| summarize count() by ruleId_s, bin(TimeGenerated, 1m)
| render timechart

2. Identifying Rule Numbers:

Hover over rules in the log to identify the rule numbers causing the issue, along with their occurrence frequency.

Azure Firewall Rule Metric.

3. Disabling Rules in WAF Policy:

Move to the WAF Policy, locate Managed Rules, and selectively disable rules that might be blocking requests.

Application Gateway WAF policy

WAF Policy - Managed Rules

The firewall is designed to block certain requests as part of its intended function. The simplest approach is to deactivate the rule, but doing so leaves you susceptible to potential attacks that the disabled rule would otherwise prevent. The more intricate method involves addressing the application to ensure that requests no longer meet the rule conditions. It falls under your responsibility to handle these rules and determine whether their activation or deactivation is appropriate.

A heartfelt thank you to the Sitecore support team for their unwavering support. Happy securing!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.