Sitecore Managed Cloud customers who want to protect their Sitecore XP application from common web vulnerabilities and attacks can create a Setup Web Application Firewall (WAF) Service Request. This article outlines what Managed Cloud customers need to know about the technical implementation of the WAF.
For more details on the Azure Application Gateway and WAF products and how they work to secure a Sitecore Content Delivery server, see these details.
Once the Service Request is made to the Managed Cloud team, the following items must be provided. These can be included in the Service Request form or the engineer completing the setup will request them from the customer:
The following notes outline timing and the overall process followed by the Sitecore Managed Cloud team in completing this Service Request:
After the WAF has been configured by the Managed Cloud team, the following details will be provided to the customer in the Service Request ticket:
The Sitecore Managed Cloud team provides Limited Support for Managed Cloud Standard customers using the Azure WAF product with their Sitecore implementation. This Limited Support scope includes the Azure WAF component with either Azure Application Gateway or Azure Front Door:
|Activity||Supported||Not Supported, Customer Responsibility|
|Initial WAF setup and integration with Sitecore CD role in standard Sitecore topologies.||✓|
|Configure HTTP and HTTPS Listeners||✓|
|Configure WAF logging to App Insights||✓|
|Configure Azure App Insights Dashboard to visualize basic WAF metrics on customer request||✓|
|Configure Detection or Prevention mode for the WAF||✓|
|Decide if WAF should be in Detection or Prevention mode based on evaluation of WAF logging and validation of all Sitecore CD functionality||✓|
|Troubleshooting Sitecore application challenges related to WAF ||✓
|Manage WAF settings such as rulesets, policies, and listeners in addition to HTTP/HTTPS||✓|
|Decide on appropriate WAF settings such as rulesets, policies, and listeners for their implementation||✓|
|Adjust WAF scale units according to capacity and needs||✓|
|DNS changes necessary to redirect from your Azure Sitecore CD to the new Public IP||✓|
|Update WAF ping tests after DNS changes have propagated||✓|
|Assistance with production incidents related to WAF ||✓|
|Provide PFX certificates for Sitecore CD role||✓|
|Update WAF certificate changes||✓|
 In MCS, the customer is responsible for how the Sitecore application functions, and adding a WAF can impact a customer's implementation. It is the customer's responsibility to troubleshoot such challenges. The Sitecore MCS team is available to assist and may be able to help identify problem areas, but ultimately this lies with customers who have full access to their implementation source code and full context on how their Sitecore CD role operates.
 The monitoring and evaluation of potential WAF security incidents are the responsibility of the customer. Sitecore recommends that the customer engages with security professionals with the understanding of their business and security protocols to interpret such events. The Sitecore MCS team is available to assist and may, by leveraging our relationship with Microsoft, be in a position to contribute to resolutions. The primary responsibility, however, lies with the customer.