Best Practices for Upgrading Azure WAF Ruleset


This blog is written in collaboration with @davidfrazee.



In today’s digital landscape, web applications are the lifeblood of businesses. They enable seamless communication, transactions, and interactions with customers. However, this increased reliance on web apps also makes them prime targets for cyberattacks. To safeguard your applications and protect sensitive data, implementing a robust Web Application Firewall (WAF) is essential. 


What is a Web Application Firewall (WAF)? 

A WAF acts as a protective barrier between your web applications and potential threats. It analyses incoming HTTP/S traffic, detects malicious requests, and blocks them before they reach your application servers. By doing so, it prevents common vulnerabilities and attacks without requiring modifications to your application code. 


Azure Web Application Firewall (Azure WAF): 

Azure WAF, integrated with Azure Application Gateway or Azure Front Door, provides a powerful solution for securing your web apps. Let’s explore why you should consider using Azure WAF: 


  1. Protection Against Common Exploits and Vulnerabilities
    • Azure WAF actively safeguards your applications against well-known attack vectors like SQL injection and cross-site scripting. 
    • It leverages the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP) to stay ahead of emerging threats. It also uses MSTIC (Microsoft Threat Intelligence Collection) rules, written in partnership with the Microsoft Intelligence team, to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
  2. Easy Configuration and Central Management
    • Create custom WAF policies tailored to different sites behind the same Application Gateway/Front Door instance. 
    • Manage and configure settings centrally using WAF policies. 
  3. Monitoring and Real-Time Alerts
    • Monitor attacks with real-time WAF logs integrated into Azure Monitor. 
    • Easily track WAF alerts and analyse trends. 
  4. IP Reputation Ruleset
    • Protect your applications from malicious bots by using the Azure WAF Bot Manager Ruleset.
    • Defend against Distributed Denial of Service (DDoS) attacks.


Upgrading WAF Rulesets 

Keeping your WAF rulesets up to date is critical for several reasons: 


  • Expanded Coverage
    • New rulesets include additional protections for emerging vulnerabilities. 
    • Stay ahead of attackers by having the latest defenses in place. 
  • Reduced False Positives
    • Updated rulesets improve accuracy, minimizing false positives. 
    • Ensure legitimate traffic isn’t blocked unnecessarily.
  • Staying Ahead of Threats
    • Regular updates ensure your WAF defends against the latest attack vectors. 
    • Cyber threats evolve rapidly, and your defenses must keep pace.


Best Practices for Upgrading Azure WAF Ruleset  

Consider a situation where you are currently using Core Rule Set (CRS) version 3.2 for your Azure Web Application Firewall (WAF). You have made several customizations to the WAF configuration, including disabling specific rule IDs, adjusting rule actions from Anomaly score/Log to Block, and applying exclusions. 


Now, if you decide to upgrade to Default Rule Set (DRS) version 2.1, it’s important to be aware that all your previous customizations to the managed rulesets will be reset if you upgrade through the portal directly. However, rest assured that any Custom Rules, Global Exclusions and Policy settings you’ve defined will remain unaffected during this transition. 

To make sure that you do not lose any custom configurations for your Managed rulesets, follow these best practices using a template-based approach:


 1. Document Your Current WAF Configuration: 

  • Export the template capturing existing WAF settings, including disabled rules and exclusions. Save this template as CRS_3.2.

 2. Prepare a New Template: 

  • Clone the old Template and rename it to DRS_2.1 for the upgraded version. 

 3. Test in a Non-Production Environment: 

  • Switch to the new ruleset using the Portal Assign method in a non-production environment.
  • Temporarily disable Custom rules used in Tuning.
  • Verify whether exclusions are still necessary by sending traffic through this non-production WAF setup.

 4. Reassign Exclusions and Customizations: 


  Apply exclusions and customizations using the template modification method below.

  • Modify the following parameters in the template saved as DRS_2.1:

i.  Ruleset Type

ii. Ruleset Version

iii. Rule Group Name (Rule Group and Id information can be found here)

  • Deploy this template in your environment. This upgrades the policy from CRS_3.2 to DRS_2.1 with all the Rule Overrides and Exclusions intact.





 5. Run Tests: 

  • Send traffic and validate that exclusions and customizations still apply as expected. 




  1. If the exclusions are set at the Global level, they will not be affected by the upgrade, so no changes are needed for Global exclusions.
  2. If you want to revert to the old ruleset, you can simply redeploy the initially saved template CRS_3.2, and all the changes should be reverted to the previous state.
  3. When following the template-based upgrade process above, note that every Rule Id with a custom modification in the existing ruleset must also be present in the new ruleset. Check this before the upgrade using the information here.
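
The template edit in step 4 and the Rule Id check from note 3 can be scripted together. The following Python is an added example, not code from the original post or from Microsoft; its property names assume the Application Gateway WAF policy template schema, and the sample template, group-name mapping and rule ID list are constructed placeholders to be filled in from the rule group documentation.

```python
import copy

def upgrade_policy(template, group_map, new_rule_ids, old=("OWASP", "3.2"),
                   new=("Microsoft_DefaultRuleSet", "2.1")):
    """Return (upgraded_template, problems); the input template is not modified.
    Property names assume the Application Gateway WAF policy template schema."""
    out, problems = copy.deepcopy(template), []

    def retarget(ruleset):
        # Only touch the ruleset being upgraded (a bot ruleset stays as-is).
        if (ruleset.get("ruleSetType"), ruleset.get("ruleSetVersion")) != old:
            return False
        ruleset["ruleSetType"], ruleset["ruleSetVersion"] = new
        return True

    def fix_groups(groups, where):
        for group in groups:
            name = group["ruleGroupName"]
            if name in group_map:
                group["ruleGroupName"] = group_map[name]
            else:
                problems.append(f"{where}: no new name for rule group {name}")
            for rule in group.get("rules", []):
                if rule["ruleId"] not in new_rule_ids:
                    problems.append(f"{where}: rule {rule['ruleId']} not in new ruleset")

    for resource in out.get("resources", []):
        managed = resource.get("properties", {}).get("managedRules", {})
        for ruleset in managed.get("managedRuleSets", []):
            if retarget(ruleset):
                fix_groups(ruleset.get("ruleGroupOverrides", []), "override")
        for exclusion in managed.get("exclusions", []):
            for ruleset in exclusion.get("exclusionManagedRuleSets", []):
                if retarget(ruleset):
                    fix_groups(ruleset.get("ruleGroups", []), "exclusion")
    return out, problems

# Constructed sample standing in for the exported CRS_3.2 template.
SAMPLE = {"resources": [{"properties": {"managedRules": {
    "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
        "ruleGroupOverrides": [{"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI",
            "rules": [{"ruleId": "942130", "state": "Disabled"},
                      {"ruleId": "942999", "state": "Disabled"}]}]}],
    "exclusions": [{"matchVariable": "RequestArgNames",
        "selectorMatchOperator": "Equals", "selector": "comment",
        "exclusionManagedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            "ruleGroups": [{"ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS"}]}]}]}}}]}
# Assumed mapping and ID list (942999 is a made-up ID); fill both from the docs.
GROUP_MAP = {"REQUEST-942-APPLICATION-ATTACK-SQLI": "SQLI"}
NEW_RULE_IDS = {"942130"}
UPGRADED, PROBLEMS = upgrade_policy(SAMPLE, GROUP_MAP, NEW_RULE_IDS)
```

Deploy the upgraded template only when the returned problem list is empty; each entry names an override or exclusion that would not carry over to the new ruleset.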



In summary, Azure WAF provides robust protection, easy management, and real-time monitoring for your web applications. Upgrade your rulesets regularly to stay secure in an ever-evolving threat landscape. Remember, a proactive defense is the key to keeping your applications safe and your users confident. 

