使用 Azure PowerShell 升级 Web 应用程序防火墙策略
通过使用此脚本,可以方便地将 WAF config 或仅包含自定义规则的 WAF 策略转换为完整的 WAF 策略。 门户中可能会出现一则警告,显示“升级到 WAF 策略”,或者用户可能想要使用新的 WAF 功能,如 Geomatch 自定义规则、每个站点的 WAF 策略、每个 URI 的 WAF 策略或机器人缓解规则集。 如需使用其中任意一种功能,需要有与应用程序网关关联的完整 WAF 策略。
有关创建新的 WAF 策略的详细信息,请参阅创建应用程序网关的 Web 应用程序防火墙策略。 有关迁移的信息,请参阅升级到 WAF 策略。
使用迁移脚本升级到 WAF 策略
采用以下步骤运行迁移脚本:
- 将脚本复制到 PowerShell 窗口中并运行它。
- 该脚本要求提供订阅 ID、资源组名称、与 WAF config 关联的应用程序网关的名称,以及创建的新 WAF 策略的名称。 输入这些信息后,脚本会运行并创建新的 WAF 策略
- 验证新的 WAF 策略是否与应用程序网关相关联。 转到门户中的 WAF 策略,并选择“关联的应用程序网关”选项卡。确认应用程序网关与 WAF 策略关联。
注意
如果存在以下情况,则该脚本不会完成迁移:
- 整个规则集将被禁用。 如需完成迁移,请确保未禁用整个规则组。
有关详细信息,请参阅脚本中的 ValidateInput 函数。
<#PSScriptInfo
.DESCRIPTION
Will be used to upgrade to the application-gateway to a top level waf policy experience.
.VERSION 1.0
.GUID b6fedd43-ebd0-41ed-9847-4f1c1c43be22
.AUTHOR Venkat.Krishnan
.PARAMETER subscriptionId
Subscription Id of where the resources are present.
.PARAMETER resourceGroupName
Resource-group where the resources are present.
.PARAMETER applicationGatewayName
Application-Gateway name
.PARAMETER wafPolicyName
Name of the web application firewall policy
.EXAMPLE
./migrateToWafPolicy.ps1 -subscriptionId <your-subscription-id> -applicationGatewayName <your-appgw-name> -resourceGroupName <your-resource-group-name> -wafPolicyName <new-waf-policy-name>
#>
param(
[Parameter(Mandatory=$true)]
[string] $subscriptionId,
[Parameter(Mandatory=$true)]
[string] $resourceGroupName,
[Parameter(Mandatory=$true)]
[string] $applicationGatewayName,
[Parameter(Mandatory=$true)]
[string] $wafPolicyName
)
function ValidateInput ($appgwName, $resourceGroupName) {
# Obtain the application-gateway
$appgw = Get-AzApplicationGateway -Name $applicationGatewayName -ResourceGroupName $resourceGroupName
if (-not $appgw) {
Write-Error "ApplicationGateway: $applicationGatewayName is not present in ResourceGroup: $resourceGroupName"
return $false
}
# Check if already have a global firewall policy
if ($appgw.FirewallPolicy) {
$fp = Get-AzResource -ResourceId $appgw.FirewallPolicy.Id
if ($fp.PolicySettings) {
Write-Error "ApplicationGateway: $applicationGatewayName already has a global firewall policy: $fp.Name. Please use portal for changing the policy."
return $false
}
}
if ($appgw.WebApplicationFirewallConfiguration) {
# Throw an error, since ruleGroup disabled case can't be migrated now.
if ($appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
foreach ($disabled in $appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
if ($disabled.Rules.Count -eq 0) {
$ruleGroupName = $disabled.RuleGroupName
Write-Error "The ruleGroup '$ruleGroupName' is disabled. Currently we can't upgrade to a firewall policy when an entire ruleGroup is disabled. This feature will be delivered shortly. To continue, kindly ensure the entire rulegroups are not disabled. "
return $false
}
}
}
}
if ($appgw.Sku.Name -ne "WAF_v2" -or $appgw.Sku.Tier -ne "WAF_v2") {
Write-Error " Cannot associate a firewall policy to application gateway :$applicationGatewayName since the Sku is not on WAF_v2"
return $false
}
return $true
}
function Login() {
$context = Get-AzContext
if ($null -eq $context -or $null -eq $context.Account) {
Connect-AzAccount -Environment AzureChinaCloud
}
}
function createNewTopLevelWafPolicy ($subscriptionId, $resourceGroupName, $applicationGatewayName, $wafPolicyName) {
Select-AzSubscription -Subscription $subscriptionId
$retVal = ValidateInput -appgwName $applicationGatewayName -resourceGroupName $resourceGroupName
if (!$retVal) {
return
}
$appgw = Get-AzApplicationGateway -Name $applicationGatewayName -ResourceGroupName $resourceGroupName
# Get the managedRule and PolicySettings
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule
$policySetting = New-AzApplicationGatewayFirewallPolicySetting
if ($appgw.WebApplicationFirewallConfiguration) {
$ruleGroupOverrides = [System.Collections.ArrayList]@()
if ($appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
foreach ($disabled in $appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
$rules = [System.Collections.ArrayList]@()
if ($disabled.Rules.Count -gt 0) {
foreach ($rule in $disabled.Rules) {
$ruleOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId $rule
$_ = $rules.Add($ruleOverride)
}
}
$ruleGroupOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName $disabled.RuleGroupName -Rule $rules
$_ = $ruleGroupOverrides.Add($ruleGroupOverride)
}
}
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType $appgw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $appgw.WebApplicationFirewallConfiguration.RuleSetVersion
if ($ruleGroupOverrides.Count -ne 0) {
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType $appgw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $appgw.WebApplicationFirewallConfiguration.RuleSetVersion -RuleGroupOverride $ruleGroupOverrides
}
$exclusions = [System.Collections.ArrayList]@()
if ($appgw.WebApplicationFirewallConfiguration.Exclusions) {
foreach ($excl in $appgw.WebApplicationFirewallConfiguration.Exclusions) {
if ($excl.MatchVariable -and $excl.SelectorMatchOperator -and $excl.Selector) {
$exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable $excl.MatchVariable -SelectorMatchOperator $excl.SelectorMatchOperator -Selector $excl.Selector
$_ = $exclusions.Add($exclusionEntry)
}
if ($excl.MatchVariable -and !$excl.SelectorMatchOperator -and !$excl.Selecto) {
# Equals Any exclusion
$exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable $excl.MatchVariable -SelectorMatchOperator "EqualsAny" -Selector "*"
$_ = $exclusions.Add($exclusionEntry)
}
}
}
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
$exclCount = $exclusions.Count
if ($exclCount -ne 0) {
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exclusion $exclusions
}
$policySetting = New-AzApplicationGatewayFirewallPolicySetting -MaxFileUploadInMb $appgw.WebApplicationFirewallConfiguration.FileUploadLimitInMb -MaxRequestBodySizeInKb $appgw.WebApplicationFirewallConfiguration.MaxRequestBodySizeInKb -Mode Detection -State Disabled
if ($appgw.WebApplicationFirewallConfiguration.FirewallMode -eq "Prevention") {
$policySetting.Mode = "Prevention"
}
if ($appgw.WebApplicationFirewallConfiguration.Enabled) {
$policySetting.State = "Enabled"
}
$policySetting.RequestBodyCheck = $appgw.WebApplicationFirewallConfiguration.RequestBodyCheck;
}
if ($appgw.FirewallPolicy) {
$customRulePolicyId = $appgw.FirewallPolicy.Id
$rg = Get-AzResourceGroup -Id $customRulePolicyId
$crPolicyName = $customRulePolicyId.Substring($customRulePolicyId.LastIndexOf("/") + 1)
$customRulePolicy = Get-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg.ResourceGroupName -Name $crPolicyName
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg.ResourceGroupName -Name $wafPolicyName -CustomRule $customRulePolicy.CustomRules -ManagedRule $managedRule -PolicySetting $policySetting -Location $appgw.Location
} else {
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $resourceGroupName -PolicySetting $policySetting -ManagedRule $managedRule -Location $appgw.Location
}
if (!$wafPolicy) {
return
}
$appgw.WebApplicationFirewallConfiguration = $null
$appgw.FirewallPolicy = $wafPolicy
$appgw = Set-AzApplicationGateway -ApplicationGateway $appgw
Write-Host " firewallPolicy: $wafPolicyName has been created/updated successfully and applied to applicationGateway: $applicationGatewayName!"
return $wafPolicy
}
function Main() {
Login
$policy = createNewTopLevelWafPolicy -subscriptionId $subscriptionId -resourceGroupName $resourceGroupName -applicationGatewayName $applicationGatewayName -wafPolicyName $wafPolicyName
return $policy
}
Main