Ensure Application Gateway WAF is enabled in Prevention mode

Detection-only mode provides visibility but does not block attacks. Prevention mode is required for stronger protection on internet-facing workloads.

Category

Controls

High

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Remediation guidance

Azure Remediation

Service-wide fix (recommended): require a WAF policy on internet-facing Application Gateways and standardize a controlled move from Detection to Prevention after tuning exclusions and custom rules.

When to use service-wide remediation

Use the service-wide path when many gateways are affected or when teams create gateways without a standard WAF policy.

Azure portal

  1. Open the Application Gateway.
  2. Associate an existing WAF policy, or create one if none exists.
  3. Review false positives, exclusions, and any required custom rules.
  4. Set the WAF mode to Prevention.
  5. Confirm diagnostic logging is enabled so blocked requests are still visible during operations.

Azure CLI

Set the WAF policy mode to Prevention:

az network application-gateway waf-policy policy-setting update \
  --resource-group <resource-group> \
  --policy-name <waf-policy-name> \
  --mode Prevention

Validate the policy mode:

az network application-gateway waf-policy policy-setting list \
  --resource-group <resource-group> \
  --policy-name <waf-policy-name>

Operational notes

  • Microsoft recommends running a new WAF briefly in Detection mode first so you can tune exclusions before enforcing blocks in production.
  • If a gateway has no WAF policy attached, fixing only the mode is not enough. You must first attach a valid WAF policy.

References

  • https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
  • https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview
  • https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/policy-setting?view=azure-cli-lts

Query logic

These are the stored checks tied to this control.

Application gateways without WAF prevention mode

Connectors

Microsoft Azure

Covered asset types

ApplicationGateway

Expected check: eq [] (the query must return an empty list; any gateway it matches is non-compliant)

{
  applicationGateways(
    where: { OR: [ { wafEnabled: false }, { wafMode_NOT: "Prevention" } ] }
  ) {
    ...AssetFragment
  }
}
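The CLI validation step above and the stored query are two views of the same check: a gateway fails when its WAF is not enabled or its mode is anything other than Prevention. The following Python is an added worked example (not Cyscale's code and not the stored query itself) that evaluates that check offline over gateway and policy objects shaped like the JSON returned by `az network application-gateway list -o json` and `az network application-gateway waf-policy list -o json`. The field paths used (`firewallPolicy.id`, `webApplicationFirewallConfiguration.enabled` / `.firewallMode`, `policySettings.state` / `.mode`) are assumptions about that output, the sample records are constructed, and the subscription id is a placeholder. It also applies the operational note that a gateway with only a legacy (inline) WAF configuration still needs a WAF policy attached.

```python
"""Flag Application Gateways whose WAF is not enforcing in Prevention mode.

Added example; not Cyscale's query engine. Field paths are assumptions about
the az CLI JSON shape. In practice, feed it the output of:
  az network application-gateway list -o json
  az network application-gateway waf-policy list -o json
"""
from __future__ import annotations

import json

# Constructed sample data; the subscription id is a placeholder.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
_POLICY_BASE = _SUB + "/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/"

SAMPLE_GATEWAYS = [
    # Policy attached, policy enabled and in Prevention: compliant.
    {"name": "gw-prod-web", "firewallPolicy": {"id": _POLICY_BASE + "waf-prod"}},
    # Policy attached but still in Detection after tuning: non-compliant.
    {"name": "gw-detect", "firewallPolicy": {"id": _POLICY_BASE + "waf-tuning"}},
    # No policy and no inline WAF configuration at all: non-compliant.
    {"name": "gw-nowaf", "firewallPolicy": None},
    # Legacy inline WAF config only, and in Detection: non-compliant.
    {"name": "gw-legacy", "webApplicationFirewallConfiguration": {
        "enabled": True, "firewallMode": "Detection",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}},
]

SAMPLE_POLICIES = [
    {"id": _POLICY_BASE + "waf-prod", "policySettings": {"state": "Enabled", "mode": "Prevention"}},
    {"id": _POLICY_BASE + "waf-tuning", "policySettings": {"state": "Enabled", "mode": "Detection"}},
]


def index_policies(policies: list[dict]) -> dict[str, dict]:
    """Key WAF policies by resource id; ARM ids compare case-insensitively."""
    return {p["id"].lower(): p for p in policies}


def evaluate_gateway(gw: dict, policies: dict[str, dict]) -> list[str]:
    """Return findings for one gateway; an empty list means compliant."""
    findings: list[str] = []
    policy_ref = (gw.get("firewallPolicy") or {}).get("id")
    legacy = gw.get("webApplicationFirewallConfiguration") or {}

    if policy_ref:
        policy = policies.get(policy_ref.lower())
        if policy is None:
            return [f"referenced WAF policy not found: {policy_ref}"]
        settings = policy.get("policySettings") or {}
        if settings.get("state") != "Enabled":
            findings.append(f"WAF policy state is {settings.get('state')!r}, expected 'Enabled'")
        if settings.get("mode") != "Prevention":
            findings.append(f"WAF policy mode is {settings.get('mode')!r}, expected 'Prevention'")
    elif legacy:
        # Inline configuration: check the mode, then require a policy anyway
        # (the service-wide fix is to attach one, not just flip the mode).
        if not legacy.get("enabled"):
            findings.append("legacy WAF configuration is disabled")
        if legacy.get("firewallMode") != "Prevention":
            findings.append(f"legacy WAF mode is {legacy.get('firewallMode')!r}, expected 'Prevention'")
        findings.append("no WAF policy attached (legacy inline configuration only)")
    else:
        findings.append("no WAF policy attached and no legacy WAF configuration")
    return findings


def find_noncompliant(gateways: list[dict], policies: dict[str, dict]) -> dict[str, list[str]]:
    """Map each non-compliant gateway name to its findings (compliant ones omitted)."""
    report = {}
    for gw in gateways:
        findings = evaluate_gateway(gw, policies)
        if findings:
            report[gw["name"]] = findings
    return report


POLICY_INDEX = index_policies(SAMPLE_POLICIES)

if __name__ == "__main__":
    print(json.dumps(find_noncompliant(SAMPLE_GATEWAYS, POLICY_INDEX), indent=2))
```

The report for the constructed sample names `gw-detect`, `gw-nowaf` and `gw-legacy`, which is exactly the set the stored query would return; `gw-prod-web` is the only gateway that would make the check's expected `[]` hold on its own. Run it against real exported JSON by replacing the two sample lists with `json.load` of the az CLI output.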
© 2026 Cyscale Limited