az network application-gateway waf-config

Configure the settings of a web application firewall.

These commands are only applicable to application gateways with an SKU type of WAF. To learn more, visit https://docs.microsoft.com/azure/application-gateway/application-gateway-web-application-firewall-cli.

Commands

az network application-gateway waf-config list-rule-sets

Get information on available WAF rule sets, rule groups, and rule IDs.

az network application-gateway waf-config set

Update the firewall configuration of a web application.

az network application-gateway waf-config show

Get the firewall configuration of a web application.

az network application-gateway waf-config list-rule-sets

Get information on available WAF rule sets, rule groups, and rule IDs.

az network application-gateway waf-config list-rule-sets [--group]
                                                         [--subscription]
                                                         [--type]
                                                         [--version]

Examples

List available rule groups in OWASP type rule sets.

az network application-gateway waf-config list-rule-sets --type OWASP

List available rules in the OWASP 3.0 rule set.

az network application-gateway waf-config list-rule-sets --group '*' --type OWASP --version 3.0

List available rules in the `crs_35_bad_robots` rule group.

az network application-gateway waf-config list-rule-sets --group crs_35_bad_robots

List available rules in table format.

az network application-gateway waf-config list-rule-sets -o table

Optional Parameters

--group

List rules for the specified rule group. Use `*` to list rules for all groups. Omit to suppress listing individual rules.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--type

Rule set type to list. Omit to list all types.

--version

Rule set version to list. Omit to list all versions.

az network application-gateway waf-config set

Update the firewall configuration of a web application.

This command is only applicable to application gateways with an SKU type of WAF. To learn more, visit https://docs.microsoft.com/azure/application-gateway/application-gateway-web-application-firewall-cli.

az network application-gateway waf-config set --enabled {false, true}
                                              [--disabled-rule-groups]
                                              [--disabled-rules]
                                              [--exclusion]
                                              [--file-upload-limit]
                                              [--firewall-mode {Detection, Prevention}]
                                              [--gateway-name]
                                              [--ids]
                                              [--max-request-body-size]
                                              [--no-wait]
                                              [--request-body-check {false, true}]
                                              [--resource-group]
                                              [--rule-set-type]
                                              [--rule-set-version]
                                              [--subscription]

Examples

Configure WAF on an application gateway in detection mode with default values.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway \
    --enabled true --firewall-mode Detection --rule-set-version 3.0

Disable rules for validation of request body parsing and SQL injection.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway \
    --enabled true --rule-set-type OWASP --rule-set-version 3.0 \
    --disabled-rule-groups REQUEST-942-APPLICATION-ATTACK-SQLI \
    --disabled-rules 920130 920140

Configure WAF on an application gateway with exclusions.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway \
    --enabled true --firewall-mode Detection --rule-set-version 3.0 \
    --exclusion "RequestHeaderNames StartsWith x-header" \
    --exclusion "RequestArgNames Equals IgnoreThis"

Required Parameters

--enabled

Specify whether the application firewall is enabled.

accepted values: false, true

Optional Parameters

--disabled-rule-groups

Space-separated list of rule groups to disable. To disable individual rules, use --disabled-rules.

value from: az network application-gateway waf-config list-rule-sets

--disabled-rules

Space-separated list of rule IDs to disable.

value from: az network application-gateway waf-config list-rule-sets

--exclusion

Add an exclusion expression to the WAF check.

--file-upload-limit

File upload size limit in MB.

--firewall-mode

Web application firewall mode.

accepted values: Detection, Prevention
default value: Detection

--gateway-name

Name of the application gateway.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--max-request-body-size

Max request body size in KB.

--no-wait

Do not wait for the long-running operation to finish.

--request-body-check

Allow WAF to check the request body.

accepted values: false, true

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-set-type

Rule set type.

default value: OWASP
value from: az network application-gateway waf-config list-rule-sets

--rule-set-version

Rule set version.

value from: az network application-gateway waf-config list-rule-sets

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network application-gateway waf-config show

Get the firewall configuration of a web application.

az network application-gateway waf-config show [--gateway-name]
                                               [--ids]
                                               [--query-examples]
                                               [--resource-group]
                                               [--subscription]

Examples

Get the firewall configuration of a web application.

az network application-gateway waf-config show -g MyResourceGroup --gateway-name MyAppGateway

Optional Parameters

--gateway-name

Name of the application gateway.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--query-examples

Recommends JMESPath query strings. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.