Commit 2277c28

Merge pull request #246841 from paulth1/front-door-waf-articles_batch1
[AQ] edit pass: Front door waf articles batch1
2 parents f36a8e0 + 50f1929 commit 2277c28

5 files changed: +176 -176 lines changed

Lines changed: 24 additions & 24 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Web application firewall exclusion lists in Azure Front Door
3-
description: This article provides information on exclusion lists configuration in Azure Front Door.
3+
description: This article provides information on exclusion list configuration in Azure Front Door.
44
services: web-application-firewall
55
author: vhorne
66
ms.service: web-application-firewall
@@ -9,67 +9,67 @@ ms.author: victorh
99
ms.topic: conceptual
1010
---
1111

12-
# Web Application Firewall (WAF) with Front Door exclusion lists
12+
# Web Application Firewall with Azure Front Door exclusion lists
1313

14-
Sometimes the Front Door Web Application Firewall (WAF) might block a legitimate request. As part of tuning your WAF, you can configure the WAF to allow the request for your application. WAF exclusion lists allow you to omit specific request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
14+
Sometimes Azure Web Application Firewall in Azure Front Door might block a legitimate request. As part of tuning your web application firewall (WAF), you can configure the WAF to allow the request for your application. WAF exclusion lists allow you to omit specific request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
1515

16-
For example, Azure Active Directory provides tokens that are used for authentication. When used in a request header, these tokens can contain special characters that might trigger a false positive detection by one or more WAF rules. You can add the header to an exclusion list, which tells the WAF to ignore the header. The WAF still inspects the rest of the request for suspicious content.
16+
For example, Azure Active Directory provides tokens that are used for authentication. When these tokens are used in a request header, they can contain special characters that might trigger a false positive detection by one or more WAF rules. You can add the header to an exclusion list, which tells the WAF to ignore the header. The WAF still inspects the rest of the request for suspicious content.
1717

1818
## Exclusion scopes
1919

2020
You can create exclusions at the following scopes:
2121

22-
- **Rule set** exclusions apply to all rules within a rule set.
23-
- **Rule group** exclusions apply to all of the rules of a particular category within a rule set. For example, you can configure an exclusion that applies to all of the SQL injection rules.
24-
- **Rule** exclusions apply to a single rule.
22+
- **Rule set**: These exclusions apply to all rules within a rule set.
23+
- **Rule group**: These exclusions apply to all the rules of a particular category within a rule set. For example, you can configure an exclusion that applies to all the SQL injection rules.
24+
- **Rule**: These exclusions apply to a single rule.
2525

2626
## Exclusion selectors
2727

28-
Exclusion selectors identify the parts of requests that the exclusion applies to. The WAF ignores any detections that it finds in the specified parts of the request. You can specify multiple exclusion selectors in a single exclusion.
28+
Exclusion selectors identify the parts of requests to which the exclusion applies. The WAF ignores any detections that it finds in the specified parts of the request. You can specify multiple exclusion selectors in a single exclusion.
2929

3030
Each exclusion selector specified a match variable, an operator, and a selector.
3131

3232
### Match variables
3333

34-
The following request attributes can be added to an exclusion:
34+
You can add the following request attributes to an exclusion:
3535

3636
* Request header name
3737
* Request cookie name
3838
* Query string args name
3939
* Request body POST args name
4040
* Request body JSON args name *(supported on DRS 2.0 or greater)*
4141

42-
The values of the fields you use aren't evaluated against WAF rules, but their names are evaluated. The exclusion lists disable inspection of the field's value. However, the field names are still evaluated. For more information, see [Excluding other request attributes](#exclude-other-request-attributes).
42+
The values of the fields you use aren't evaluated against WAF rules, but their names are evaluated. The exclusion lists disable inspection of the field's value. However, the field names are still evaluated. For more information, see [Exclude other request attributes](#exclude-other-request-attributes).
4343

4444
### Operators
4545

46-
You can specify an exact request header, body, cookie, or query string attribute to match. Or, you can optionally specify partial matches. The following operators are supported for match criteria:
46+
You can specify an exact request header, body, cookie, or query string attribute to match. Or you can optionally specify partial matches. The following operators are supported for match criteria:
4747

48-
- **Equals**: Match all request fields that exactly match the specified selector value. For example, to select a header named **bearerToken**, use the *Equals* operator with the selector set to **bearerToken**.
48+
- **Equals**: Match all request fields that exactly match the specified selector value. For example, to select a header named **bearerToken**, use the `Equals` operator with the selector set to **bearerToken**.
4949
- **Starts with**: Match all request fields that start with the specified selector value.
50-
- **Ends with**: Match all request fields that end with the specified selector value.
50+
- **Ends with**: Match all request fields that end with the specified selector value.
5151
- **Contains**: Match all request fields that contain the specified selector value.
52-
- **Equals any**: Match all request fields. When you use the *Equals any* operator, the selector value is automatically set to _*_. For example, you can use the *Equals any* operator to configure an exclusion that applies to all request headers.
52+
- **Equals any**: Match all request fields. When you use the `Equals any` operator, the selector value is automatically set to `*`. For example, you can use the `Equals any` operator to configure an exclusion that applies to all request headers.
5353

5454
### Case sensitivity
5555

5656
Header and cookie names are case insensitive. Query strings, POST arguments, and JSON arguments are case sensitive.
5757

5858
### Body contents inspection
5959

60-
Some of the managed rules evaluate the raw payload of the request body, before it's parsed into POST arguments or JSON arguments. So, in some situations you might see log entries with a matchVariableName of `InitialBodyContents` or `DecodedInitialBodyContents`.
60+
Some of the managed rules evaluate the raw payload of the request body before it's parsed into POST arguments or JSON arguments. So in some situations, you might see log entries with a `matchVariableName` value of `InitialBodyContents` or `DecodedInitialBodyContents`.
6161

62-
For example, suppose you create an exclusion with a match variable of *Request body POST args* and a selector to identify and ignore POST arguments named *FOO*. You'll no longer see any log entries with a matchVariableName of `PostParamValue:FOO`. However, if a POST argument named *FOO* contains text that triggers a rule, the log might show the detection in the initial body contents. You can't currently create exclusions for initial body contents.
62+
For example, suppose you create an exclusion with a match variable of `Request body POST args` and a selector to identify and ignore POST arguments named `FOO`. You no longer see any log entries with a `matchVariableName` value of `PostParamValue:FOO`. However, if a POST argument named `FOO` contains text that triggers a rule, the log might show the detection in the initial body contents. You can't currently create exclusions for initial body contents.
6363

64-
## <a name="define-exclusion-based-on-web-application-firewall-logs"></a> Define exclusion rules based on Web Application Firewall logs
64+
## <a name="define-exclusion-based-on-web-application-firewall-logs"></a> Define exclusion rules based on Azure Web Application Firewall logs
6565

66-
[Azure Web Application Firewall monitoring and logging](waf-front-door-monitor.md) describes how you can use logs to view the details of a blocked request, including the parts of the request that triggered the rule.
66+
You can use logs to view the details of a blocked request, including the parts of the request that triggered the rule. For more information, see [Azure Web Application Firewall monitoring and logging](waf-front-door-monitor.md).
6767

6868
Sometimes a specific WAF rule produces false positive detections from the values included in a request header, cookie, POST argument, query string argument, or JSON field in a request body. If these false positive detections happen, you can configure the rule to exclude the relevant part of the request from its evaluation.
6969

7070
The following table shows example values from WAF logs and the corresponding exclusion selectors that you could create.
7171

72-
| matchVariableName from WAF logs | Rule exclusion in Portal |
72+
| matchVariableName from WAF logs | Rule exclusion in portal |
7373
|-|-|
7474
| CookieValue:SOME_NAME | Request cookie name Equals SOME_NAME |
7575
| HeaderValue:SOME_NAME | Request header name Equals SOME_NAME |
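Review bot: the unchanged context line "Each exclusion selector specified a match variable, an operator, and a selector." carries a verb-tense slip that this edit pass should catch: `specified` should read `specifies`. Two smaller points in the same hunk: the Match variables paragraph states one fact three times ("The values of the fields you use aren't evaluated against WAF rules, but their names are evaluated. The exclusion lists disable inspection of the field's value. However, the field names are still evaluated."), and a single sentence would do; and the operator names now alternate between bold in the bullet leads (**Equals**, **Equals any**) and code font in the running text (`Equals`, `Equals any`), so one convention for UI labels should be chosen. The new H1 "Web Application Firewall with Azure Front Door exclusion lists" also no longer matches the front-matter title "Web application firewall exclusion lists in Azure Front Door" in casing or word order.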
@@ -98,20 +98,20 @@ From DRS version 2.0, JSON request bodies are inspected by the WAF. For example,
9898

9999
The request includes a SQL comment character sequence, which the WAF detects as a potential SQL injection attack.
100100

101-
If you determine that the request is legitimate, you could create an exclusion with a match variable of *Request body JSON args name*, an operator of *Equals*, and a selector of *posts.comment*.
101+
If you determine that the request is legitimate, you could create an exclusion with a match variable of `Request body JSON args name`, an operator of `Equals`, and a selector of `posts.comment`.
102102

103103
## Exclude other request attributes
104104

105-
If your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.
105+
If your WAF log entry shows a `matchVariableName` value that isn't in the preceding table, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.
106106

107107
Instead, consider taking one of the following actions:
108108

109109
- Disable the rules that give false positives.
110110
- Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.
111111

112-
In particular, when the matchVariableName is `CookieName`, `HeaderName`, `PostParamName`, or `QueryParamName`, it means the name of the field, rather than its value, has triggered the rule. Rule exclusion has no support for these matchVariableNames at this time.
112+
In particular, when the `matchVariableName` value is `CookieName`, `HeaderName`, `PostParamName`, or `QueryParamName`, it means the name of the field, rather than its value, has triggered the rule. Rule exclusion has no support for these `matchVariableName` values at this time.
113113

114114
## Next steps
115115

116-
- [Configure exclusion lists on your Front Door WAF](waf-front-door-exclusion-configure.md)
117-
- After you configure your WAF settings, learn how to view your WAF logs. For more information, see [Front Door diagnostics](../afds/waf-front-door-monitor.md).
116+
- [Configure exclusion lists on your Azure Front Door WAF](waf-front-door-exclusion-configure.md).
117+
- After you configure your WAF settings, learn how to view your WAF logs. For more information, see [Azure Front Door diagnostics](../afds/waf-front-door-monitor.md).
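Review bot: the second bullet under "Instead, consider taking one of the following actions" says that a custom allow rule makes matching requests bypass all WAF inspection, but the hunk leaves it at that; since this is the path the page recommends when no exclusion exists, the bullet should add that the custom rule be scoped as narrowly as the log entry allows (specific path and match conditions), because every request it matches skips the managed rule set entirely. Also, `[Azure Front Door diagnostics](../afds/waf-front-door-monitor.md)` in Next steps and `[Azure Web Application Firewall monitoring and logging](waf-front-door-monitor.md)` earlier in the file point at the same document through different relative paths and different link text; use one path and one title. Minor: the first Next steps bullet now ends with a period after a bare link, unlike the sentence-style bullets used elsewhere in this PR.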

articles/web-application-firewall/afds/waf-front-door-geo-filtering.md

Lines changed: 14 additions & 13 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Geo-filtering on a domain for Azure Front Door Service
3-
description: In this article, you learn about geo-filtering policy for Azure Front Door Service
2+
title: Geo-filtering on a domain for Azure Front Door
3+
description: In this article, you learn about the geo-filtering policy for Azure Front Door.
44
services: web-application-firewall
55
author: vhorne
66
ms.service: web-application-firewall
@@ -9,17 +9,20 @@ ms.date: 08/31/2021
99
ms.author: victorh
1010
---
1111

12-
# What is geo-filtering on a domain for Azure Front Door Service?
12+
# What is geo-filtering on a domain for Azure Front Door?
1313

14-
By default, Azure Front Door will respond to all user requests regardless of the location where the request is coming from. In some scenarios, you may want to restrict the access to your web application by countries/regions. The Web application firewall (WAF) service in Front Door enables you to define a policy using custom access rules for a specific path on your endpoint to either allow or block access from specified countries/regions.
14+
By default, Azure Front Door responds to all user requests regardless of the location where the request comes from. In some scenarios, you might want to restrict access to your web application by countries or regions. You can use Azure Web Application Firewall in Azure Front Door to define a policy by using custom access rules for a specific path on your endpoint to allow or block access from specified countries or regions.
1515

16-
A WAF policy contains a set of custom rules. The rule consists of match conditions, an action, and a priority. In a match condition, you define a match variable, operator, and match value. For a geo filtering rule, a match variable is either RemoteAddr or SocketAddr. RemoteAddr is the original client IP that is usually sent via X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.
17-
The operator in the case of this geo filtering rule is GeoMatch, and the value is a two letter country/region code of interest. "ZZ" country code or "Unknown" country captures IP addresses that are not yet mapped to a country in our dataset. You may add ZZ to your match condition to avoid false positives. You can combine a GeoMatch condition and a REQUEST_URI string match condition to create a path-based geo-filtering rule.
16+
A web application firewall (WAF) policy contains a set of custom rules. The rule consists of match conditions, an action, and a priority. In a match condition, you define a match variable, operator, and match value.
1817

19-
You can configure a geo-filtering policy for your Front Door by using [Azure PowerShell](../../frontdoor/front-door-tutorial-geo-filtering.md) or by using a [quickstart template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-geo-filtering).
18+
For a geo-filtering rule, the match variable is either `RemoteAddr` or `SocketAddr`. The `RemoteAddr` variable is the original client IP that's usually sent via the `X-Forwarded-For` request header. `SocketAddr` is the source IP address WAF sees. If your user is behind a proxy, the `SocketAddr` variable is usually the IP address of the proxy server.
19+
20+
The operator for this geo-filtering rule is `GeoMatch`. The value is a two-letter country or region code of interest. The `ZZ` country code or `Unknown` country captures IP addresses that aren't yet mapped to a country in our dataset. You can add `ZZ` to your match condition to avoid false positives. You can combine a `GeoMatch` condition and a `REQUEST_URI` string match condition to create a path-based geo-filtering rule.
21+
22+
You can configure a geo-filtering policy for your Azure Front Door instance by using [Azure PowerShell](../../frontdoor/front-door-tutorial-geo-filtering.md) or a [Bicep file or Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.cdn/front-door-standard-premium-geo-filtering/).
2023

2124
> [!IMPORTANT]
22-
> Include the country code **ZZ** whenever you use geo-filtering. The **ZZ** country code (or *Unknown* country) captures IP addresses that are not yet mapped to a country in our dataset. This avoids false positives.
25+
> Include the country code `ZZ` whenever you use geo-filtering. The `ZZ` country code (or `Unknown` country) captures IP addresses that aren't yet mapped to a country in our dataset. Use this code to avoid false positives.
2326
2427
## Country/Region code reference
2528
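Review bot: splitting the match-variable paragraph still leaves the reader without guidance on which variable a geo-filtering rule should use, and that choice is the security-relevant one: `RemoteAddr` is described as "the original client IP that's usually sent via the `X-Forwarded-For` request header", and `X-Forwarded-For` is an ordinary request header that a client or any intermediate proxy can populate, whereas `SocketAddr` is the address the WAF itself sees on the connection; the paragraph should say which one the rule should trust and when. Also, the `ZZ` guidance now appears twice in the hunk (in the `GeoMatch` paragraph and again in the `[!IMPORTANT]` callout); keep one. Minor: "the source IP address WAF sees" reads better as "the source IP address the WAF sees", and `ms.date: 08/31/2021`, shown as context in the hunk header, is untouched even though the quickstart template link was replaced with the Standard/Premium Bicep/ARM sample; confirm the PowerShell tutorial link still targets the same tier, and bump the date.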

@@ -54,7 +57,7 @@ You can configure a geo-filtering policy for your Front Door by using [Azure Pow
5457
| BM | Bermuda|
5558
| BN | Brunei|
5659
| BO | Bolivia|
57-
| BQ | Bonaire, Sint Eustatius and Saba|
60+
| BQ | Bonaire, Sint Eustatius, and Saba|
5861
| BR | Brazil|
5962
| BS | Bahamas|
6063
| BT | Bhutan|
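Review bot: the serial comma added in `| BQ | Bonaire, Sint Eustatius, and Saba|` changes an official ISO 3166 short name, which is written "Bonaire, Sint Eustatius and Saba" without it; the style-guide comma rule should not apply inside a proper name in a code reference table, so this line should be reverted.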
@@ -276,7 +279,5 @@ You can configure a geo-filtering policy for your Front Door by using [Azure Pow
276279

277280
## Next steps
278281

279-
- Learn about [application layer security with Front Door](../../frontdoor/front-door-application-security.md).
280-
- Learn how to [create a Front Door](../../frontdoor/quickstart-create-front-door.md).
281-
282-
282+
- Learn about [application layer security with Azure Front Door](../../frontdoor/front-door-application-security.md).
283+
- Learn how to [create an instance of Azure Front Door](../../frontdoor/quickstart-create-front-door.md).
