Network - 26884 - Bot protection ruleset is enabled and assigned in Azure Front Door WAF#938
aahmed-spec wants to merge 5 commits into main from
Pull request overview
Adds a new PowerShell assessment test (ID 26884) to evaluate whether Azure Front Door Premium profiles have the Bot Manager ruleset enabled in the associated WAF policy and assigned via security policies, plus accompanying markdown guidance for the report output.
Changes:
- Introduces `Test-Assessment-26884` to discover Front Door profiles, security policies, and WAF policy managed rulesets and report pass/fail.
- Generates markdown report tables summarizing bot protection status across Premium profiles and “skipped” Standard profiles.
- Adds remediation/documentation content for test 26884.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.26884.ps1 | New assessment implementation for Front Door WAF Bot Manager ruleset enablement/assignment, with markdown reporting. |
| src/powershell/tests/Test-Assessment.26884.md | New test description/remediation markdown consumed by report generation. |
alexandair
left a comment
@aahmed-spec Please, address my feedback.
| if ($associations) { | ||
| foreach ($assoc in $associations) { | ||
| if ($assoc.domains) { | ||
| $domainsProtected += $assoc.domains.Count |
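Review bot: The outer `if ($associations)` wrapping the `foreach` adds a nesting level without changing behaviour, since `foreach` over `$null` or an empty collection runs zero iterations in PowerShell 3.0 and later. Dropping it and keeping only the inner `if ($assoc.domains)` guard before `.Count` makes the accumulation easier to follow.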
The $domainsProtected counter accumulates domains from ALL security policies in the loop, not just the one with bot protection. If a profile has two security policies where only the second has bot protection, the domain count includes domains from the first (non-bot-protected) policy.
This doesn't affect pass/fail logic but produces inaccurate "Domains Protected" values in the output table.
Fix: Reset $domainsProtected when evaluating each security policy or only count domains from the security policy whose WAF has bot protection.
| $ruleSetAction = $ruleSet.ruleSetAction | ||
| } | ||
| else { | ||
| $ruleSetAction = 'Block (default)' |
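Review bot: In the `else` branch, `$ruleSetAction` is assigned a display label, so after this point the variable no longer distinguishes a configured action from an absent one. Keep the raw `$ruleSet.ruleSetAction` value in the variable and substitute the label only where the report row is built.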
When ruleSetAction is null on a Bot Manager rule set, individual rules' built-in actions apply per bot category — it is not a blanket "Block". The current fallback of 'Block (default)' is inaccurate. Recommend changing to 'Per-rule defaults' or simply 'Not set'.
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview#waf-actions
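The two review points above (count domains only from security policies whose WAF has Bot Manager, and do not label a null `ruleSetAction` as "Block"), as an added example that is not code from this pull request. The helper name `Get-BotProtectionSummary`, the flattened object shape (`wafPolicyId`, `associations`, `managedRuleSets` at top level) and all sample IDs and domains are assumptions constructed for illustration.

```powershell
# Constructed sample data: a simplified shape, not the raw ARM response.
$wafPolicies = @{
    '/waf/no-bot' = @{ managedRuleSets = @(
        @{ ruleSetType = 'Microsoft_DefaultRuleSet'; ruleSetAction = 'Block' }) }
    '/waf/bot'    = @{ managedRuleSets = @(
        @{ ruleSetType = 'Microsoft_BotManagerRuleSet'; ruleSetAction = $null }) }
}
# sp-1 has no Bot Manager rule set, so its two domains must not be counted.
$securityPolicies = @(
    @{ name = 'sp-1'; wafPolicyId = '/waf/no-bot'
       associations = @(@{ domains = @('a.example', 'b.example') }) }
    @{ name = 'sp-2'; wafPolicyId = '/waf/bot'
       associations = @(@{ domains = @('c.example') }) }
)

function Get-BotProtectionSummary {   # hypothetical helper, not from the PR
    param([object[]]$SecurityPolicies, [hashtable]$WafPolicies)

    $domainsProtected = 0
    $actions = @()
    foreach ($sp in $SecurityPolicies) {
        $waf = $WafPolicies[$sp.wafPolicyId]
        $botRuleSet = $waf.managedRuleSets |
            Where-Object { $_.ruleSetType -eq 'Microsoft_BotManagerRuleSet' } |
            Select-Object -First 1
        # Skip security policies whose WAF policy lacks the Bot Manager rule set,
        # so their domains never reach the counter.
        if (-not $botRuleSet) { continue }

        foreach ($assoc in $sp.associations) {
            $domainsProtected += @($assoc.domains).Count
        }
        # A null ruleSetAction means each rule's built-in action applies.
        $action = if ($botRuleSet.ruleSetAction) { $botRuleSet.ruleSetAction }
                  else { 'Per-rule defaults' }
        $actions += $action
    }
    [pscustomobject]@{
        BotProtectionEnabled = ($actions.Count -gt 0)
        DomainsProtected     = $domainsProtected
        RuleSetAction        = ($actions | Select-Object -Unique) -join ', '
    }
}

Get-BotProtectionSummary -SecurityPolicies $securityPolicies -WafPolicies $wafPolicies
```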
| @@ -0,0 +1,21 @@ | |||
| Azure Front Door is a global, scalable entry point that uses the Microsoft global edge network to deliver fast, secure, and highly scalable web applications. Web Application Firewall (WAF) integrated with Azure Front Door provides protection against common web exploits and vulnerabilities at the network edge. The Bot Manager rule set is a managed rule set available exclusively in Azure Front Door Premium SKU that provides protection against malicious bots while allowing legitimate bots such as search engine crawlers to access your applications. When bot protection is not enabled, threat actors can deploy automated attacks against web applications including credential stuffing attacks that test stolen username/password combinations at scale, web scraping that extracts sensitive data or intellectual property, inventory hoarding bots that deplete product availability, and application-layer DDoS attacks that exhaust backend resources. The Bot Manager rule set categorizes bots into good bots, bad bots, and unknown bots, allowing security teams to configure appropriate actions for each category. Bad bots can be blocked or challenged with CAPTCHA, while good bots like Googlebot and Bingbot are allowed through. Without bot protection, organizations lack visibility into bot traffic patterns and cannot distinguish between human users and automated clients, making it impossible to defend against sophisticated bot-driven attacks that bypass traditional rate limiting and IP-based controls. | |||
|
|
|||
| **Remediation action** | |||
"Remediation action" section doesn't match the spec.
Resource 5 is missing.
Bot protection ruleset is enabled and assigned in Azure Front Door WAF
spec