question

0 Votes
03771941 asked GitaraniSharmaMSFT-4262 edited

Is it possible to disassociate WAF policies?

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag
The MSDoc states "You may overwrite that policy, but disassociating a policy from the WAF entirely isn't supported."



What exactly does this mean?
I believe the operation in the portal allows us to delete the WAF policy associations.
I am wondering what impact remains after deleting a WAF policy that is only used for a certain period of time.


azure-application-gateway

1 Answer

1 Vote
GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 edited

Hello @03771941 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if it is possible to disassociate WAF policies from Azure Application gateway.

As mentioned in the official doc and pointed out by you, "You may overwrite that policy, but disassociating a policy from the WAF entirely isn't supported."

If you try to remove the only associated WAF policy from an Application Gateway, it will fail with the below warning/error:
"Deselect application gateway(s). To disassociate the selected application gateway, associate the gateway to a different WAF policy."


So, in order to disassociate an existing WAF policy, you need to have another WAF policy which would override or take the old WAF policy's place.

We do have Azure CLI and Azure PowerShell commands to delete/remove an existing WAF policy but if a WAF policy is associated with an Application gateway, you cannot delete it. The command will fail with the below error:
"FirewallPolicyCannotBeDeleted since it is still allocated to resource Application gateway."


As per our Product Group team, we do not support removing an associated policy from a WAF_v2 SKU application gateway. But either of the following can be done as a workaround:

1) Disabling an attached global policy and replacing it with a listener/path associated WAF policy. The disabled global policy will not be enforced and the customer can configure any policies they want at listener/path scope. This new WAF policy will only impact a specific listener or path.
2) Or redeploy the application gateway using the following steps (be advised that this will change the SKU of the gateway during the steps):
   a) Through REST/template deployment, change the application gateway SKU to Standard_v2 and remove all the WAF-configuration and policies.
   b) Change the SKU to a WAF_v2 gateway and then configure the policies and waf-configs if needed.

Or the last solution would be to delete the existing application gateway and create a new one.

This feature of disassociating WAF policies is currently under review by our Product group team. You can upvote the feature in the below feedback forum:
https://feedback.azure.com/d365community/idea/eeece364-f925-ec11-b6e6-000d3a4f06a4

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
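
The replace-then-delete order described in the answer, as an added Azure CLI example (not the answerer's or Microsoft's script). The function names are hypothetical, the replacement policy is assumed to exist already, and the `--set firewallPolicy.id` path and the association property names in the query are assumptions taken from the resources' property names.

```shell
#!/usr/bin/env bash
# Added example: swap an Application Gateway's WAF policy, then delete the old one.
# Assumes a logged-in Azure CLI; all resource names are supplied by the caller.

# List the IDs of every resource a policy is still attached to (gateway,
# listener and path scope), one per line. Property names are assumed to match
# the WAF policy resource as printed by `waf-policy show`.
policy_associations() {  # <resource-group> <policy-name>
  az network application-gateway waf-policy show \
    --resource-group "$1" --name "$2" --output tsv \
    --query '[applicationGateways[].id, httpListeners[].id, pathBasedRules[].id][]'
}

# Returns 0 after deleting the old policy, 1 on a CLI or lookup failure,
# 2 if the old policy is still referenced somewhere and was left in place.
swap_and_delete_policy() {  # <resource-group> <gateway> <old-policy> <new-policy>
  sw_rg=$1 sw_gw=$2 sw_old=$3 sw_new=$4

  # The replacement must already exist: the gateway is never left without a policy.
  sw_new_id=$(az network application-gateway waf-policy show \
    --resource-group "$sw_rg" --name "$sw_new" --query id --output tsv) || return 1
  [ -n "$sw_new_id" ] || { echo "replacement policy '$sw_new' not found" >&2; return 1; }

  # Overwrite the gateway-level association (generic --set on the gateway resource).
  az network application-gateway update --resource-group "$sw_rg" --name "$sw_gw" \
    --set firewallPolicy.id="$sw_new_id" >/dev/null || return 1

  # Delete only when nothing references the old policy any more; otherwise the
  # delete would fail with FirewallPolicyCannotBeDeleted.
  sw_left=$(policy_associations "$sw_rg" "$sw_old") || return 1
  if [ -n "$sw_left" ]; then
    printf 'old policy still associated with:\n%s\n' "$sw_left" >&2
    return 2
  fi
  az network application-gateway waf-policy delete \
    --resource-group "$sw_rg" --name "$sw_old" || return 1
}

# Run directly: ./swap-waf-policy.sh <resource-group> <gateway> <old-policy> <new-policy>
if [ "$#" -eq 4 ]; then swap_and_delete_policy "$@"; fi
```

A return code of 2 means the old policy is still attached at listener or path scope and those associations need a replacement as well before it can be deleted.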


