Commit 813ea80

Merge pull request #277691 from vhorne/waf-ag-jschallenge
Start AG WAF JS challenge
2 parents 119f30a + c9f8f24 commit 813ea80

3 files changed

+14
-7
lines changed

articles/web-application-firewall/ag/application-gateway-waf-metrics.md

Lines changed: 3 additions & 0 deletions
@@ -38,9 +38,12 @@ New WAF metrics are only available for Core Rule Set 3.2 or greater, or with bot
3838
|**WAF Managed Rule Matches**|Count of total managed rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name|
3939
|**WAF Custom Rule Matches**|Count of custom rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name|
4040
|**WAF Bot Protection Matches**<sup>1</sup>|Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed.| Action, Country/Region, Bot Type, Mode, Policy Name, Policy Scope|
41+
|**WAF JS Challenge Request Count**|Count the number of requests that match JS Challenge WAF rules.|Action, Policy Name, Policy Scope, Rule<sup>2</sup>|
4142

4243
<sup>1</sup> Only Bot Manager Rule Set 0.1 will be displayed under “WAF Bot Protection Matches”. Requests matching Bot Manager Rule Set 1.0 will increase “WAF Total Requests” metrics, not “WAF Bot Protection Matches”.
4344

45+
<sup>2</sup> Rule name for custom rules and Rule ID for the Bot Manager Rule Set.
46+
4447
For metrics supported by Application Gateway V2 SKU, see [Application Gateway v2 metrics](../../application-gateway/application-gateway-metrics.md#metrics-supported-by-application-gateway-v2-sku)
4548

4649
## Application Gateway WAF v1 Metrics
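Review bot: the description of the new **WAF JS Challenge Request Count** row reads "Count the number of requests that match JS Challenge WAF rules.", which breaks the "Count of ..." phrasing every other row in this table uses; suggest "Count of requests that match JS Challenge WAF rules." The hunk header's lead sentence also states that new WAF metrics are only available for Core Rule Set 3.2 or greater, or with bot protection, so it's worth saying whether this metric has the same requirement or is tied to the JS challenge action instead. Minor: footnote 2 explains the `Rule` dimension as "Rule name for custom rules and Rule ID for the Bot Manager Rule Set", while the neighbouring rows list those as the separate dimensions `Rule Name` and `Rule ID`; consider using the same dimension names here for consistency.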

articles/web-application-firewall/ag/web-application-firewall-logs.md

Lines changed: 1 addition & 1 deletion
@@ -225,7 +225,7 @@ The firewall log is generated only if you have enabled it for each application g
225225
|ruleSetVersion | Rule set version used. Available values are 2.2.9 and 3.0. |
226226
|ruleId | Rule ID of the triggering event. |
227227
|message | User-friendly message for the triggering event. More details are provided in the details section. |
228-
|action | **Policy Mode:** Detection</br> - **Detected** - This is the only action for the WAF when in detection mode. All the conditions for a given rule were matched and the request was logged then passed to the backend.</br></br>**Policy Mode:** Prevention</br> - **Allowed** - All conditions were matched for a given rule and the request was passed to the backend.</br> - **Blocked** - All of the conditions were matched for a given rule and the request was blocked.</br> - **Matched** - One/more conditions were matched for a given rule, but the decision to block or pass the request will need further evaluation and will be evaluated based on the final anomaly scoring rule. |
228+
|action |**Policy Mode:** Detection</br>- **Detected** - This is the only action for the WAF when in detection mode. All the conditions for a given rule were matched and the request was logged then passed to the backend.</br></br>**Policy Mode:** Prevention</br> - **Allowed** - All conditions were matched for a given rule and the request was passed to the backend.</br> - **Blocked** - All of the conditions were matched for a given rule and the request was blocked.</br> - **Matched** - One/more conditions were matched for a given rule, but the decision to block or pass the request will need further evaluation and will be evaluated based on the final anomaly scoring rule.<br><br>**Policy Mode:** JS challenge<br>- **JSChallengeIssued**: Issued due to missing/invalid challenge clearance, missing answer.<br><br>This log is created when a client requests access to a web application for the first time and has not been challenged previously. This client receives the JS challenge page and proceeds to compute the JS challenge. Upon successful computation, the client is granted the validity cookie.<br><br>- **JSChallengePass**: Passed due to valid challenge answer.<br><br>This log is created when a client solves the JS challenge and resubmits the request with the correct answer. In this case, Azure WAF validates the cookie and proceeds to process the remaining rules without generating another JS challenge.<br><br>- **JSChallengeValid**: Logged/passthrough due to valid challenge<br><br>This log is created when a client has previously solved a challenge. In this case, Azure WAF logs the request and proceeds to process the remaining rules.<br><br>- **JSChallengeBlock**: Blocked<br><br>This log is created when a JS challenge computation fails. |
229229
|site | Site for which the log was generated. Currently, only Global is listed because rules are global.|
230230
|details | Details of the triggering event. |
231231
|details.message | Description of the rule. |
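Review bot: the new block is labeled "**Policy Mode:** JS challenge", but JS challenge isn't a policy mode; the two existing headings in this cell are the Detection and Prevention modes, and waf-javascript-challenge.md in this same PR describes JS challenge as an action in custom rules and the Bot Manager ruleset. Suggest heading the block by action instead (for example "**JS challenge action:**") followed by the four values. Two smaller points in the same row: the added text uses `<br>` while the rest of the cell uses `</br>`, and the edit dropped the space in "Detection</br>- **Detected**" that the "</br> - **Allowed**" and "</br> - **Blocked**" items still have; pick one form for the whole cell. The JSChallengeIssued description says the log is created when a client requests access "for the first time and has not been challenged previously", but the same PR adds that CORS requests and a changed client IP address re-issue the challenge, so that wording understates when this value appears.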

articles/web-application-firewall/waf-javascript-challenge.md

Lines changed: 10 additions & 6 deletions
@@ -4,7 +4,7 @@ description: This article is an overview of the Azure Web Application Firewall J
44
services: web-application-firewall
55
author: sowmyam2019
66
ms.service: web-application-firewall
7-
ms.date: 05/20/2024
7+
ms.date: 06/12/2024
88
ms.author: victorh
99
ms.topic: concept-article
1010

@@ -17,21 +17,26 @@ ms.topic: concept-article
1717
> Azure Web Application Firewall JavaScript challenge is currently in PREVIEW.
1818
> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
1919
20-
Azure Web Application Firewall (WAF) on Azure Front Door offers a JavaScript challenge feature as one of the mitigation options for advanced bot protection. It's available on the Azure Front Door premium version as an action in the custom rule set and the Bot Manager 1.x ruleset.
20+
Azure Web Application Firewall (WAF) on Azure Front Door and Azure Application Gateway offers a JavaScript challenge feature as one of the mitigation options for advanced bot protection. For Azure Front Door, It's available on the premium version as an action in the custom rule set and the Bot Manager 1.x ruleset.
2121

22-
The JavaScript challenge is an invisible web challenge used to distinguish between legitimate users and bots. Malicious bots fail the challenge, which protects web applications. In addition, the JavaScript challenge is beneficial as it reduces friction for legitimate users. This is because it doesn't require any human intervention.
22+
The JavaScript challenge is an invisible web challenge used to distinguish between legitimate users and bots. Malicious bots fail the challenge, which protects web applications. In addition, the JavaScript challenge is beneficial as it reduces friction for legitimate users because it doesn't require any human intervention.
2323

2424
## How it works
2525

2626
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
2727

28+
Cross-origin resource sharing (CORS) requests are challenged on each access attempt. So if a client accesses a page that triggers the JavaScript challenge from a domain different from the domain hosting the challenge, the client faces the challenge again even if the client previously passed the challenge.
29+
30+
In addition, if a client solves the JavaScript challenge and then the client’s IP address changes, the challenge is issued again.
31+
32+
2833
Here's an example JavaScript challenge page:
2934

3035
:::image type="content" source="media/waf-javascript-challenge/javascript-challenge-page.png" alt-text="Screenshot showing the JavaScript challenge page.":::
3136

3237
## Expiration
3338

34-
The WAF policy setting defines the JavaScript challenge cookie validity lifetime in minutes. The user is challenged after the lifetime expires. The lifetime is an integer between 5 and 1440 and the default is 30 minutes. The JavaScript challenge cookie name is `afd_azwaf_jsclearance`.
39+
The WAF policy setting defines the JavaScript challenge cookie validity lifetime in minutes. The user is challenged after the lifetime expires. The lifetime is an integer between 5 and 1,440 minutes and the default is 30 minutes. The JavaScript challenge cookie name is `afd_azwaf_jsclearance` on Azure Front Door, and `appgw_azwaf_jsclearance` on Azure Application Gateway.
3540

3641
> [!NOTE]
3742
> The JavaScript challenge expiration cookie is injected into the user’s browser after successfully completing the challenge.
@@ -41,5 +46,4 @@ The WAF policy setting defines the JavaScript challenge cookie validity lifetime
4146
- AJAX and API calls aren't supported.
4247
- If the first call that receives a JavaScript challenge has a POST body size greater than 128 KB, it blocks it. Additionally, challenges for non-HTML resources embedded in a page aren't supported. For example images, css, js, and so on. However, if there's a prior successful JavaScript challenge request, then the previous limitations are removed.
4348
- The challenge isn't supported on Microsoft Internet Explorer. The challenge is supported on the latest versions of the Microsoft Edge, Chrome, Firefox, and Safari web browsers.
44-
- Cross-origin resource sharing (CORS) requests result in a challenge loop. If you visit a page that triggers the JavaScript challenge action from a domain that isn't the same as the domain running the JavaScript challenge, you're challenged regardless of prior challenge passes.
45-
- If one IP address receives the JavaScript challenge and a different IP address solves it, the computation result becomes invalid, potentially causing a challenge loop.
49+
- The JavaScript challenge action on Web Application Firewall on Application Gateway isn't supported for *Rate Limit* type custom rules during the public preview.
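Review bot: typo in the first added paragraph: "For Azure Front Door, It's available" capitalizes "It's" mid-sentence. That sentence also says where the action lives for Front Door (custom rule set and Bot Manager 1.x ruleset) but gives no equivalent for Application Gateway; the only placement information for Application Gateway is the new limitation bullet saying the action isn't supported for *Rate Limit* custom rules during preview, so a reader can't tell which Application Gateway rule types do support it. Suggest a parallel sentence for Application Gateway, kept consistent with the new metrics footnote in this PR, which refers to custom rules and the Bot Manager Rule Set for the Application Gateway metric. On the two limitation bullets removed here (CORS and IP-address change): their content was moved into "How it works", which is fine, but the moved IP-address sentence only covers "the client's IP address changes" after solving, whereas the deleted bullet also covered the challenge being issued to one IP address and solved from another; check that the narrower statement is intended.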
