🛡️ Azure Application Gateway Min SSL protocol version is not TLSv1_2🟢

Contextual name: 🛡️ Application Gateway Min SSL protocol version is not TLSv1_2🟢
ID: /ce/ca/azure/application-gateway/gateway-ssl-protocol-version
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Application Gateway
- 🔌 Azure Application Gateway - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Azure Application Gateways that utilize outdated TLS protocols. The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Application gateways use TLS 1.2 for the Min protocol version by default and allow for the use of TLS versions 1.0, 1.1, and 1.3. NIST strongly suggests the use of TLS 1.2 and recommends the adoption of TLS 1.3.

Rationale

TLS 1.0 and 1.1 are outdated and vulnerable to security risks. Since TLS 1.2 and TLS 1.3 provide enhanced security and improved performance, it is highly recommended to use TLS 1.2 or higher whenever possible.

Impact

Using the latest TLS version may affect compatibility with clients and backend services.

Audit

This policy flags an Azure Application Gateway as INCOMPLIANT if it Min protocol version is less than TLSv1_2.

Default Value

Min protocol version is set to TLSv1_2 by default.

References

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

... see more

Remediation

Open File

Remediation

From Azure Portal

Go to Application gateways.

Click the name of an application gateway.

Under Settings, click Listeners.

Under SSL Policy, next to the Selected SSL Policy name, click change.

Select an appropriate SSL policy with a Min protocol version of TLSv1_2 or higher.

Click Save.

Repeat steps 1-6 for each application gateway requiring remediation.

From Azure CLI

Run the following command to list available SSL policy options:
az network application-gateway ssl-policy list-options
Run the following command to list available predefined SSL policies:
az network application-gateway ssl-policy predefined list
For each application gateway requiring remediation, run the following command to set a predefined SSL policy:
az network application-gateway ssl-policy set /
    --resource-group {{resource-group}} /
    --gateway-name {{application-gateway}} /
    --name {{ssl-policy}} /
    --policy-type Predefined
Alternatively, run the following command to set a custom SSL policy:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 7.12 Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			67		no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

References​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Default Value

References

Remediation

Remediation

From Azure Portal

From Azure CLI

policy.yaml

Linked Framework Sections