Azure App Gateway WAF ruleset

FraserHand · ‎03-08-2020

Hi There,

Is there a rule set availability for ArcGIS Enterprise deployments deployed in Azure behind an App Gateway with WAF enabled? Can these be loaded via the custom rule set functionality? Looking for some official Esri documentation if it is around.

Thanks!

JYI · ‎10-30-2020

We have the same question. Since we deployed enterprise ArcGIS onto Azure, with the network structure like Internet -> Traffic Manager -> App Gateway -> Filewall -> VMs, there have been inaccessible issues with some services, especially when using Dashboards with some secured feature services. Cloud team is asking for such WAF policy profile rule set provided by ESRI that can be downloaded.

BenWalker1 · ‎05-17-2021

Did you ever get any information from Esri

JYI · ‎11-02-2021

So far no... It seems that we have moved away from traffic manager. The infrastructure is changed to use FortiGate.. How this will have effect on the WAF policy not known yet until next year when migrating to the new env.

JYI · ‎12-14-2021

ESRI support just sent me the document which is available in December only, entitled "ArcGIS Enterprise Web Application Filter Rules". It says "This is required reading if you are implementing a WAF." To us, "OWASP Core Ruleset Guidance" is the most important part that we have been waiting for, although Azure team is not happy with so many rules that need to be disabled. 🙂 It also says "do not distribute or post publicly" so ask ESRI support for it.