description: This article is an overview of Web Application Firewall (WAF) global, per-site, and per-URI policies.
4
4
services: web-application-firewall
5
5
ms.topic: concept-article
6
-
author: winthrop28
6
+
author: vhorne
7
7
ms.service: azure-web-application-firewall
8
-
ms.date: 10/06/2023
8
+
ms.date: 01/14/2025
9
9
ms.author: victorh
10
10
---
11
11
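Review bot: In the front matter, `author` changes from winthrop28 to vhorne while `ms.author: victorh` stays as it was, so confirm that both handles refer to the same owner and the ownership metadata is consistent. The `ms.date` bump to 01/14/2025 matches a content refresh and needs no change.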
@@ -42,15 +42,15 @@ Say you have three sites: contoso.com, fabrikam.com, and adatum.com all behind t
42
42
43
43
You can apply a global policy to the WAF, with some basic settings, exclusions, or custom rules if necessary to stop some false positives from blocking traffic. In this case, there's no need to have global SQL injection rules running because fabrikam.com and contoso.com are static pages with no SQL backend. So you can disable those rules in the global policy.
44
44
45
-
This global policy is suitable for contoso.com and fabrikam.com, but you need to be more careful with adatum.com where sign-in information and payments are handled. You can apply a per-site policy to the adatum listener and leave the SQL rules running. Also assume there's a cookie blocking some traffic, so you can create an exclusion for that cookie to stop the false positive.
45
+
This global policy is suitable for contoso.com and fabrikam.com, but you need to be more careful with adatum.com where sign-in information and payments are handled. You can apply a per-site policy to the Adatum listener and leave the SQL rules running. Also assume there's a cookie blocking some traffic, so you can create an exclusion for that cookie to stop the false positive.
46
46
47
47
The adatum.com/payments URI is where you need to be careful. So apply another policy on that URI and leave all rules enabled, and also remove all exclusions.
48
48
49
49
In this example, you have a global policy that applies to two sites. You have a per-site policy that applies to one site, and then a per-URI policy that applies to one specific path-based rule. See [Configure per-site WAF policies using Azure PowerShell](per-site-policies.md) for the corresponding PowerShell for this example.
50
50
51
51
## Existing WAF configurations
52
52
53
-
All new Web Application Firewall's WAF settings (custom rules, managed rule set configurations, exclusions, and so on.) exist in a WAF policy. If you have an existing WAF, these settings may still exist in your WAF configuration. For more information about moving to the new WAF policy, [Migrate WAF Config to a WAF Policy](./migrate-policy.md).
53
+
All new Web Application Firewall's WAF settings (custom rules, managed rule set configurations, exclusions, and so on) exist in a WAF policy. If you have an existing WAF, these settings might still exist in your WAF configuration. For more information about moving to the new WAF policy, [Migrate WAF Config to a WAF Policy](./migrate-policy.md).
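Review bot: The rewritten line 53 still opens with "All new Web Application Firewall's WAF settings", which is redundant and hard to parse, and its last sentence has no verb before the link. Since the line is already being touched, consider "All new WAF settings (custom rules, managed rule set configurations, exclusions, and so on) exist in a WAF policy" and "For more information about moving to the new WAF policy, see [Migrate WAF Config to a WAF Policy](./migrate-policy.md)". On line 45, "a cookie blocking some traffic" reads as if the cookie does the blocking; it would be clearer to say that a WAF rule matching the cookie causes the false positive that the exclusion addresses. The "Adatum listener" capitalization and the "may" to "might" change look fine.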