Network-25543: Azure Front Door WAF is Enabled in Protection Mode #839
Pull request overview
This pull request introduces a new security assessment test for Azure Front Door Web Application Firewall (WAF) configurations. The test verifies that WAF policies are enabled in Prevention mode rather than Detection mode to actively block malicious traffic.
Changes:
- Added Test-Assessment.25543.ps1 script to check Azure Front Door WAF policies across all subscriptions
- Added Test-Assessment.25543.md documentation explaining the security implications of WAF modes
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25543.ps1 | Implements the assessment logic to query all Azure subscriptions for Front Door WAF policies and validate they are enabled in Prevention mode |
| src/powershell/tests/Test-Assessment.25543.md | Provides documentation on Azure Front Door WAF modes, security implications, and remediation guidance |
alexandair
left a comment
Potential False Fail on Permissions (Access Denied):
Issue: The test iterates through subscriptions. If a subscription returns 403 (Access Denied), it continues. If all subscriptions deny access (or if the user has no subscriptions they can access for this resource), $policies remains empty. The code then falls through to if ($policies.Count -eq 0) { $passed = $false }.
Result: A user with no permissions will receive a Fail result ("No Azure Front Door WAF policies found") instead of a Skip (NoAzureAccess).
Recommendation: Implement a flag (e.g., $anySuccessfulAccess) to track if any subscription was successfully queried. If 0 policies are found AND no subscriptions were successfully queried (all were 403 or error), return SkippedBecause NoAzureAccess.
Pass/Fail Logic for "No Policies":
The code fails if "No Azure Front Door WAF policies found". This matches the Spec exactly ("Fail: ... No Azure Front Door WAF policies found").
Warning: This implies that usage of Azure Front Door WAF is mandatory for all tenants running this assessment. If a customer typically does not use Azure Front Door, they will fail this test.
Please confirm with the spec owner that this intent is correct.
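One way to implement the `$anySuccessfulAccess` recommendation above, as an added example that is not part of this PR or the project's code. It assumes the Az.Accounts and Az.FrontDoor modules with an already-authenticated session (`Get-AzSubscription`, `Set-AzContext`, `Get-AzFrontDoorWafPolicy` and its `PolicyMode` property are the real cmdlets/properties relied on); the function names, the result object shape and the sample policy objects are constructed for illustration. The decision logic is split into its own function so that the Skip/Fail/Pass outcomes can be exercised with constructed input and no Azure access.

```powershell
# Added example, not the project's code. Assumes Az.Accounts and Az.FrontDoor are
# installed and the session is authenticated. Function names and the result object
# are hypothetical; Get-AzFrontDoorWafPolicy / PolicyMode are the real cmdlet and
# property this relies on.

function Resolve-WafAssessmentResult {
    # Pure decision logic, separated from the Azure calls so it can be tested offline.
    param(
        [object[]] $Policies,
        [bool] $AnySuccessfulAccess
    )

    if ($Policies.Count -eq 0) {
        if (-not $AnySuccessfulAccess) {
            # Every subscription was 403/unreadable: a permissions gap, not a misconfiguration.
            return [pscustomobject]@{ Result = 'Skipped'; Reason = 'NoAzureAccess'; Offending = @() }
        }
        # At least one subscription was readable but holds no WAF policy: the spec calls this a Fail.
        return [pscustomobject]@{ Result = 'Failed'; Reason = 'No Azure Front Door WAF policies found'; Offending = @() }
    }

    # A policy not in Prevention mode (i.e. Detection) only logs matches, it does not block.
    $offending = @($Policies | Where-Object { $_.PolicyMode -ne 'Prevention' })
    if ($offending.Count -gt 0) {
        return [pscustomobject]@{
            Result    = 'Failed'
            Reason    = "$($offending.Count) WAF policy(ies) not in Prevention mode"
            Offending = @($offending | ForEach-Object { "$($_.ResourceGroupName)/$($_.Name) [$($_.PolicyMode)]" })
        }
    }
    return [pscustomobject]@{ Result = 'Passed'; Reason = 'All WAF policies in Prevention mode'; Offending = @() }
}

function Test-FrontDoorWafPreventionMode {
    [CmdletBinding()]
    param()

    $anySuccessfulAccess = $false   # flips to $true on the first subscription that can be queried
    $policies = @()

    foreach ($sub in Get-AzSubscription -ErrorAction Stop) {
        try {
            Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null
            # A query that returns zero policies still proves we had read access here.
            $policies += @(Get-AzFrontDoorWafPolicy -ErrorAction Stop)
            $anySuccessfulAccess = $true
        }
        catch {
            # Typical for 403 (AuthorizationFailed): note it and continue with the next subscription.
            Write-Verbose "Skipping subscription '$($sub.Name)': $($_.Exception.Message)"
        }
    }

    Resolve-WafAssessmentResult -Policies $policies -AnySuccessfulAccess $anySuccessfulAccess
}

# Constructed sample input exercising the three branches of the decision logic offline.
$sample = @(
    [pscustomobject]@{ Name = 'waf-prod'; ResourceGroupName = 'rg-edge'; PolicyMode = 'Prevention' }
    [pscustomobject]@{ Name = 'waf-test'; ResourceGroupName = 'rg-edge'; PolicyMode = 'Detection' }
)
Resolve-WafAssessmentResult -Policies $sample -AnySuccessfulAccess $true   # policies present, one in Detection
Resolve-WafAssessmentResult -Policies @()     -AnySuccessfulAccess $false  # nothing readable anywhere
Resolve-WafAssessmentResult -Policies @()     -AnySuccessfulAccess $true   # readable, but no policies exist
```

Keeping the collection loop and the verdict separate also makes the "no Front Door at all" case explicit in one place, which is the spot to change if the spec owner decides that case should be a Skip rather than a Fail.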