Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0091

A WAF policy stuck in Detection mode logs every attack and blocks none of them

Azure WAF policies start life in Detection mode, which monitors and logs matching requests but blocks nothing. The flip to Prevention is a manual step that routinely never happens.

Footgun ID
AZF-0091 (Azure Footgun No. 91)
Azure service
Azure Web Application Firewall
Resource type
Microsoft.Network/frontdoorWebApplicationFirewallPolicies
Updated
July 9, 2026

What it is

A Web Application Firewall policy whose policySettings.mode is Detection instead of Prevention. In Detection mode the WAF evaluates every rule, writes every match to the logs, and then forwards the request to the backend anyway. This applies to both WAF policy types — Front Door policies and Application Gateway policies carry the identical mode setting — so the WAF you deployed, and on some tiers pay for, is watching attacks go by.

Impact (security)
The WAF is visibility only: matched attacks are written to the logs and delivered to the backend anyway
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Detection mode exists for a good reason: new WAF policies are created in Detection by default so you can tune the rules against real traffic before anything legitimate gets blocked. Microsoft's own guidance is to start there. The footgun is the second half of that plan — someone has to come back, review the logs, resolve the false positives, and flip the mode to Prevention. That step has no deadline, no owner, and no reminder.

Meanwhile everything about the deployment says "done." The policy shows Enabled, the managed rule sets are attached, the WAF dashboard fills with matched-rule activity. A review that checks "is there a WAF?" passes. Only policySettings.mode says the control is in rehearsal, and it says it quietly.

What it costs / blast radius

Operationally, Detection mode is equivalent to having no WAF in front of the request path: SQL injection, XSS, and known-CVE exploit attempts that match the rules are logged and then delivered to your application. (Azure behavior; authored assessment.)

The subtler damage is misplaced confidence. The architecture diagram shows a WAF, the logs prove it is matching attacks, and everyone downstream reasonably assumes those attacks were stopped. If the backend is compromised through a request the WAF matched and forwarded, the logs will show your firewall watched it happen. Tuning first is correct — a mode flip nobody scheduled is the failure.

See it

Footgun: mode Detection — every rule evaluated, nothing blocked
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
  name: 'corpEdgeWaf'
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Detection'   // logs matches, then forwards them to the backend
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'   // ignored until the mode is Prevention
        }
      ]
    }
  }
}
Fix: tune against real traffic, then flip the mode to Prevention
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
  name: 'corpEdgeWaf'
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'   // matched requests are now actually blocked
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
      ]
    }
  }
}
// Application Gateway WAF policies
// (Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies)
// carry the same policySettings.mode — flip it the same way.

How StratoLens helps

StratoLens flags every WAF policy still running in Detection mode — Front Door and Application Gateway alike — automatically and continuously, across every subscription, inside your own tenant. The tuning phase that quietly became permanent stops hiding behind a dashboard full of matched rules.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.