

az network application-gateway waf-policy managed-rule rule-set

Manage the managed rule sets of a WAF policy.

Commands

Name: az network application-gateway waf-policy managed-rule rule-set add
Description: Add a managed rule set to the managed rules of a WAF policy. For the available rule sets and rules, see: https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.
Type: Core
Status: GA

Name: az network application-gateway waf-policy managed-rule rule-set list
Description: List all managed rule sets.
Type: Core
Status: GA

Name: az network application-gateway waf-policy managed-rule rule-set remove
Description: Remove a managed rule set by rule set group name if --group-name is specified. Otherwise, remove the whole rule set.
Type: Core
Status: GA

Name: az network application-gateway waf-policy managed-rule rule-set update
Description: Manage the rules of a WAF policy. If both --group-name and --rule are provided, override the existing rules in that rule group. If only --group-name is provided, clear all rules under that rule group. If neither is provided, update the rule set and clear all rules under it. For the available rule sets and rules, see: https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.
Type: Core
Status: GA

az network application-gateway waf-policy managed-rule rule-set add

Add a managed rule set to the managed rules of a WAF policy. For the available rule sets and rules, see: https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.

az network application-gateway waf-policy managed-rule rule-set add --policy-name
                                                                    --resource-group
                                                                    --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                    --version {0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2}
                                                                    [--group-name]
                                                                    [--rule]

Examples

Disable an attack protection rule

az network application-gateway waf-policy managed-rule rule-set add --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.1 --group-name REQUEST-921-PROTOCOL-ATTACK --rule rule-id=921110

Add managed rule set to the WAF policy managed rules (autogenerated)

az network application-gateway waf-policy managed-rule rule-set add --policy-name MyPolicy --resource-group MyResourceGroup --type Microsoft_BotManagerRuleSet --version 0.1

Required Parameters

--policy-name

The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--type

The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

--version

The version of the web application firewall rule set type. 0.1 and 1.0 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters

--group-name

The name of the web application firewall rule set group.

--rule

The rule that will be disabled. If none is specified, all rules in the group will be disabled. If provided, --group-name must be provided too.

Usage: --rule rule-id=MyID state=MyState action=MyAction

Multiple rules can be specified by using more than one --rule argument.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set list

List all managed rule sets.

az network application-gateway waf-policy managed-rule rule-set list --policy-name
                                                                     --resource-group

Examples

List all managed rule sets. (autogenerated)

az network application-gateway waf-policy managed-rule rule-set list --policy-name MyPolicy --resource-group MyResourceGroup
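
Added example, not part of the Azure CLI documentation: a Python audit of the JSON that rule-set list returns, reporting every override that weakens a managed rule. The JSON field names, the default state of Disabled, and the Allow/Log action values are assumptions taken from the Azure WAF policy resource schema; the sample data is constructed.

```python
import json

# Constructed sample shaped like `rule-set list -o json` output. The field
# names (managedRuleSets, ruleGroupOverrides, rules, ruleId, state, action)
# are assumed from the Azure WAF policy resource schema, not from this page.
SAMPLE = json.loads("""
{"managedRuleSets": [
  {"ruleSetType": "OWASP", "ruleSetVersion": "3.1", "ruleGroupOverrides": [
    {"ruleGroupName": "REQUEST-921-PROTOCOL-ATTACK", "rules": [
      {"ruleId": "921110"},
      {"ruleId": "921130", "state": "Enabled", "action": "Log"}]},
    {"ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT", "rules": []}]},
  {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "0.1",
   "ruleGroupOverrides": null}]}
""")


def audit_overrides(managed_rules):
    """Return (rule_set, group, rule_id, finding) tuples for weakened rules."""
    findings = []
    for rs in managed_rules.get("managedRuleSets") or []:
        label = f'{rs["ruleSetType"]} {rs["ruleSetVersion"]}'
        for grp in rs.get("ruleGroupOverrides") or []:
            name = grp["ruleGroupName"]
            rules = grp.get("rules") or []
            if not rules:
                # Per the --rule help text: no rules listed means the
                # whole group is disabled.
                findings.append((label, name, "*", "group disabled"))
                continue
            for rule in rules:
                # Assumption: an override without a state is Disabled.
                state = rule.get("state") or "Disabled"
                action = rule.get("action")
                if state != "Enabled":
                    findings.append((label, name, rule["ruleId"], "rule disabled"))
                elif action in ("Allow", "Log"):
                    # Assumption: Allow and Log are non-blocking actions.
                    findings.append((label, name, rule["ruleId"], f"action={action}"))
    return findings


if __name__ == "__main__":
    # Real use: save the `rule-set list ... -o json` output to a file and
    # pass json.load(open(path)) instead of SAMPLE.
    for finding in audit_overrides(SAMPLE):
        print(*finding, sep="\t")
```

Running it before and after a rule-set add or update shows exactly which protections a change switched off.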

Required Parameters

--policy-name

The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set remove

Remove a managed rule set by rule set group name if --group-name is specified. Otherwise, remove the whole rule set.

az network application-gateway waf-policy managed-rule rule-set remove --policy-name
                                                                       --resource-group
                                                                       --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                       --version {0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2}
                                                                       [--group-name]

Examples

Remove a managed rule set by rule set group name if --group-name is specified. Otherwise, remove the whole rule set.

az network application-gateway waf-policy managed-rule rule-set remove --policy-name MyPolicy --resource-group MyResourceGroup --type OWASP --version 3.1

Required Parameters

--policy-name

The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--type

The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

--version

The version of the web application firewall rule set type. 0.1 and 1.0 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters

--group-name

The name of the web application firewall rule set group.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set update

Manage the rules of a WAF policy. If both --group-name and --rule are provided, override the existing rules in that rule group. If only --group-name is provided, clear all rules under that rule group. If neither is provided, update the rule set and clear all rules under it. For the available rule sets and rules, see: https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.

az network application-gateway waf-policy managed-rule rule-set update --policy-name
                                                                       --resource-group
                                                                       --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                       --version {0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2}
                                                                       [--group-name]
                                                                       [--rule]

Examples

Override rules under rule group REQUEST-921-PROTOCOL-ATTACK

az network application-gateway waf-policy managed-rule rule-set update --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.1 --group-name REQUEST-921-PROTOCOL-ATTACK --rule rule-id=921130 --rule rule-id=921160

Update the OWASP rule set version from 3.1 to 3.0, which will clear the old rules

az network application-gateway waf-policy managed-rule rule-set update --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.0

Required Parameters

--policy-name

The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--type

The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

--version

The version of the web application firewall rule set type. 0.1 and 1.0 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters

--group-name

The name of the web application firewall rule set group.

--rule

The rule that will be disabled. If none is specified, all rules in the group will be disabled. If provided, --group-name must be provided too.

Usage: --rule rule-id=MyID state=MyState action=MyAction

Multiple rules can be specified by using more than one --rule argument.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.