From ee02a0af9113f78c5ed1c68e2afe4dc593ce235b Mon Sep 17 00:00:00 2001
From: Praneeth
Date: Thu, 29 Jan 2026 11:03:19 +0530
Subject: [PATCH 1/2] initial commit
---
src/powershell/tests/Test-Assessment.25543.md | 13 ++
.../tests/Test-Assessment.25543.ps1 | 188 ++++++++++++++++++
2 files changed, 201 insertions(+)
create mode 100644 src/powershell/tests/Test-Assessment.25543.md
create mode 100644 src/powershell/tests/Test-Assessment.25543.ps1
diff --git a/src/powershell/tests/Test-Assessment.25543.md b/src/powershell/tests/Test-Assessment.25543.md
new file mode 100644
index 000000000..b78414310
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.25543.md
@@ -0,0 +1,13 @@
+Azure Front Door is a global, edge-based application delivery service that provides Layer 7 load balancing and acceleration. Web Application Firewall (WAF) in Azure Front Door protects web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and other OWASP Top 10 threats.
+
+Azure Front Door WAF operates in two modes: Detection and Prevention. Detection mode evaluates incoming HTTP/S requests against managed and custom WAF rules and logs matched requests for visibility and analysis, but it does not block traffic. Prevention mode evaluates requests in the same way but also actively blocks malicious requests that violate WAF rules, preventing them from reaching the backend application. Running WAF in Prevention mode is crucial for actively protecting applications against common web attacks.
+
+This check verifies that WAF is configured in Prevention mode, ensuring that identified threats are blocked before reaching your application. If WAF is in Detection mode, the check fails because malicious traffic will only be logged, not prevented, leaving applications exposed to exploitation.
+
+**Remediation action**
+
+- [Configure Web Application Firewall (WAF) for Azure Front Door](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview)
+- [Policy settings for Web Application Firewall in Azure Front Door](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode)
+
+
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.25543.ps1 b/src/powershell/tests/Test-Assessment.25543.ps1
new file mode 100644
index 000000000..46ad4d03c
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.25543.ps1
@@ -0,0 +1,188 @@
+<#
+.SYNOPSIS
+ Validates that Azure Front Door WAF is enabled in Prevention Mode.
+
+.DESCRIPTION
+ This test validates that Azure Front Door Web Application Firewall policies are configured
+ in Prevention mode to actively block malicious requests. Checks all Front Door WAF policies
+ across all subscriptions and reports their protection mode status.
+
+.NOTES
+ Test ID: 25543
+ Category: Azure Network Security
+ Required API: Azure Front Door WAF Policies
+#>
+
+function Test-Assessment-25543 {
+ [ZtTest(
+ Category = 'Azure Network Security',
+ ImplementationCost = 'Low',
+ MinimumLicense = ('Azure WAF on Azure Front Door Premium SKU', 'Azure Standard SKU'),
+ Pillar = 'Network',
+ RiskLevel = 'High',
+ SfiPillar = 'Protect networks',
+ TenantType = ('Workforce'),
+ TestId = 25543,
+ Title = 'Azure Front Door WAF is Enabled in Prevention Mode',
+ UserImpact = 'Low'
+ )]
+ [CmdletBinding()]
+ param()
+
+ #region Data Collection
+ Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+ $activity = 'Checking Azure Front Door WAF Protection Mode'
+
+ # Check if connected to Azure
+ Write-ZtProgress -Activity $activity -Status 'Checking Azure connection'
+
+ $azContext = Get-AzContext -ErrorAction SilentlyContinue
+ if (-not $azContext) {
+ Write-PSFMessage 'Not connected to Azure.' -Level Warning
+ Add-ZtTestResultDetail -SkippedBecause NotConnectedAzure
+ return
+ }
+
+ Write-ZtProgress -Activity $activity -Status 'Enumerating subscriptions'
+
+ # Initialize variables
+ $subscriptions = @()
+ $policies = @()
+ $apiVersion = "2025-03-01"
+
+ try {
+ $subscriptions = @(Get-AzSubscription -ErrorAction Stop)
+ }
+ catch {
+ Write-PSFMessage "Unable to retrieve Azure subscriptions: $_" -Level Warning
+ }
+
+ if ($subscriptions.Count -eq 0) {
+ Write-PSFMessage "No Azure subscriptions found." -Level Warning
+ Add-ZtTestResultDetail -SkippedBecause NoAzureAccess
+ return
+ }
+
+ # Collect WAF policies from all subscriptions
+ foreach ($sub in $subscriptions) {
+ Write-ZtProgress -Activity $activity -Status "Checking subscription: $($sub.Name)"
+
+ $path = "/subscriptions/$($sub.Id)/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies?api-version=$apiVersion"
+ $response = Invoke-AzRestMethod -Path $path -ErrorAction SilentlyContinue
+
+ # Handle access denied for this subscription - skip and continue to next
+ if ($response.StatusCode -eq 403) {
+ Write-PSFMessage "Access denied to subscription '$($sub.Name)'. Skipping." -Level Verbose
+ continue
+ }
+
+ # Handle other HTTP errors - skip this subscription
+ if ($response.StatusCode -ge 400) {
+ Write-PSFMessage "Error querying subscription '$($sub.Name)': HTTP $($response.StatusCode). Skipping." -Level Warning
+ continue
+ }
+
+ # No content or no policies in this subscription
+ if (-not $response.Content) {
+ continue
+ }
+
+ $policiesJson = $response.Content | ConvertFrom-Json
+
+ if (-not $policiesJson.value -or $policiesJson.value.Count -eq 0) {
+ continue
+ }
+
+ # Collect policies from this subscription
+ foreach ($policyResource in $policiesJson.value) {
+ $policies += [PSCustomObject]@{
+ SubscriptionId = $sub.Id
+ SubscriptionName = $sub.Name
+ PolicyName = $policyResource.name
+ PolicyId = $policyResource.id
+ EnabledState = $policyResource.properties.policySettings.enabledState
+ Mode = $policyResource.properties.policySettings.mode
+ }
+ }
+ }
+ #endregion Data Collection
+
+ #region Assessment Logic
+ $passed = $false
+
+ if ($policies.Count -eq 0) {
+ $passed = $false
+ $testResultMarkdown = "❌ No Azure Front Door WAF policies found across subscriptions.`n`n%TestResult%"
+ }
+ else {
+ # Check if all policies are enabled and in Prevention mode
+ $allCompliant = $true
+ foreach ($policy in $policies) {
+ if ($policy.EnabledState -ne 'Enabled' -or $policy.Mode -ne 'Prevention') {
+ $allCompliant = $false
+ break
+ }
+ }
+
+ if ($allCompliant) {
+ $passed = $true
+ $testResultMarkdown = "✅ All Azure Front Door WAF policies are enabled in **Prevention** mode.`n`n%TestResult%"
+ }
+ else {
+ $passed = $false
+ $testResultMarkdown = "❌ One or more Azure Front Door WAF policies are either in **Disabled** state or in **Detection** mode.`n`n%TestResult%"
+ }
+ }
+ #endregion Assessment Logic
+
+ #region Report Generation
+ $mdInfo = ''
+
+ if ($policies.Count -gt 0) {
+ # Table title
+ $reportTitle = 'Azure Front Door WAF Policies'
+ $portalLink = "https://portal.azure.com/#view/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/~/wafMenuItem"
+
+ # Prepare table rows
+ $tableRows = ''
+ foreach ($item in $policies) {
+ $policyLink = "https://portal.azure.com/#resource$($item.PolicyId)"
+ $subLink = "https://portal.azure.com/#resource/subscriptions/$($item.SubscriptionId)"
+ $policyMd = "[$(Get-SafeMarkdown $item.PolicyName)]($policyLink)"
+ $subMd = "[$(Get-SafeMarkdown $item.SubscriptionName)]($subLink)"
+
+ # Calculate status indicators
+ $policyStatus = if ($item.EnabledState -eq 'Enabled' -and $item.Mode -eq 'Prevention') { '✅' } else { '❌' }
+ $modeDisplay = if ($item.Mode -eq 'Prevention') { '✅ Prevention' } else { '❌ Detection' }
+ $enabledStateDisplay = if ($item.EnabledState -eq 'Enabled') { '✅ Enabled' } else { '❌ Disabled' }
+
+ $tableRows += "| $policyMd | $subMd | $enabledStateDisplay | $modeDisplay | $policyStatus |`n"
+ }
+
+ $formatTemplate = @'
+
+
+## [{0}]({1})
+
+| Policy name | Subscription name | Enabled state | WAF mode | Status |
+| :---------- | :---------------- | :-----------: | :------: | :----: |
+{2}
+
+'@
+
+ $mdInfo = $formatTemplate -f $reportTitle, $portalLink, $tableRows.TrimEnd("`n")
+ }
+
+ $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo
+ #endregion Report Generation
+
+ $params = @{
+ TestId = '25543'
+ Title = 'Azure Front Door WAF is Enabled in Prevention Mode'
+ Status = $passed
+ Result = $testResultMarkdown
+ }
+
+ Add-ZtTestResultDetail @params
+}
From 8420c60973dfae082bdf0a67a6b85950dfb46e02 Mon Sep 17 00:00:00 2001
From: Praneeth
Date: Thu, 29 Jan 2026 13:19:26 +0530
Subject: [PATCH 2/2] copilot comments fix
---
src/powershell/tests/Test-Assessment.25543.ps1 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/powershell/tests/Test-Assessment.25543.ps1 b/src/powershell/tests/Test-Assessment.25543.ps1
index 46ad4d03c..9c8a6a2da 100644
--- a/src/powershell/tests/Test-Assessment.25543.ps1
+++ b/src/powershell/tests/Test-Assessment.25543.ps1
@@ -5,7 +5,7 @@
 .DESCRIPTION
 This test validates that Azure Front Door Web Application Firewall policies are configured
 in Prevention mode to actively block malicious requests. Checks all Front Door WAF policies
- across all subscriptions and reports their protection mode status.
+ across all subscriptions and reports their prevention/detection mode status.
 
 .NOTES
 Test ID: 25543
@@ -32,7 +32,7 @@ function Test-Assessment-25543 {
 #region Data Collection
 Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
 
- $activity = 'Checking Azure Front Door WAF Protection Mode'
+ $activity = 'Checking Azure Front Door WAF policies configuration'
 
 # Check if connected to Azure
 Write-ZtProgress -Activity $activity -Status 'Checking Azure connection'
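Review bot: The check can report a pass while an application is unprotected, because the subscription loop only lists `FrontDoorWebApplicationFirewallPolicies` and tests each policy's `policySettings.enabledState`/`mode`; a Front Door endpoint with no WAF policy attached is never enumerated, and a Prevention-mode policy that is linked to no endpoint still counts as compliant. Either resolve each policy's endpoint/security-policy link properties (confirm the exact property names for api-version 2025-03-01) and flag unlinked policies, or state the scope in the `.md`: `This check evaluates existing WAF policies only; it does not detect Front Door endpoints that have no WAF policy attached.` A second false-negative source is paging: only `$policiesJson.value` is read and a `nextLink` is never followed, so a Detection-mode policy on a later page is silently missed; the rewrite below follows the continuation link per subscription (the existing `continue` statements must become `break` inside the page loop, otherwise a 403 re-requests the same page forever, and `-Uri` is, as I recall, the Invoke-AzRestMethod form for an absolute link — confirm against the Az.Accounts version in use). Finally, when `Invoke-AzRestMethod` returns nothing the subscription is skipped without any log line, and if every subscription does so the result is the misleading `No Azure Front Door WAF policies found` failure rather than a skip.
```powershell
    foreach ($sub in $subscriptions) {
        Write-ZtProgress -Activity $activity -Status "Checking subscription: $($sub.Name)"

        $path = "/subscriptions/$($sub.Id)/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies?api-version=$apiVersion"
        $nextLink = $null
        do {
            # First request goes by ARM path; continuation pages come back as absolute URIs.
            $response = if ($nextLink) {
                Invoke-AzRestMethod -Uri $nextLink -ErrorAction SilentlyContinue
            }
            else {
                Invoke-AzRestMethod -Path $path -ErrorAction SilentlyContinue
            }
            if (-not $response) {
                Write-PSFMessage "No response from subscription '$($sub.Name)'. Skipping." -Level Warning
                break
            }
            # … unchanged: 403 / >=400 / empty-content handling, with 'continue' replaced by 'break' …
            $policiesJson = $response.Content | ConvertFrom-Json
            # … unchanged: $policies += [PSCustomObject]@{ … } for each entry in $policiesJson.value …
            $nextLink = $policiesJson.nextLink
        } while ($nextLink)
    }
```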