az network application-gateway waf-config

Configure the settings of a web application firewall.

These commands are only applicable to application gateways with an SKU type of WAF. To learn more, visit https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/tutorial-restrict-web-traffic-cli.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az network application-gateway waf-config list-dynamic-rule-sets | List the regional application gateway WAF manifest. | Core | GA |
| az network application-gateway waf-config list-rule-sets | Get information on available WAF rule sets, rule groups, and rule IDs. | Core | GA |
| az network application-gateway waf-config set | Update the firewall configuration of a web application. | Core | GA |
| az network application-gateway waf-config show | Get the firewall configuration of a web application. | Core | GA |

az network application-gateway waf-config list-dynamic-rule-sets

List the regional application gateway WAF manifest.

az network application-gateway waf-config list-dynamic-rule-sets --location
                                                                 [--max-items]
                                                                 [--next-token]

Examples

List the application gateway WAF manifest for a region.

az network application-gateway waf-config list-dynamic-rule-sets -l westus

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

Optional Parameters

--max-items

Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.

--next-token

Token to specify where to start paginating. This is the token value from a previously truncated response.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-config list-rule-sets

Get information on available WAF rule sets, rule groups, and rule IDs.

az network application-gateway waf-config list-rule-sets [--group]
                                                         [--type]
                                                         [--version]

Examples

List available rule groups in OWASP type rule sets.

az network application-gateway waf-config list-rule-sets --type OWASP

List available rules in the OWASP 3.0 rule set.

az network application-gateway waf-config list-rule-sets --group '*' --type OWASP --version 3.0

List available rules in the `crs_35_bad_robots` rule group.

az network application-gateway waf-config list-rule-sets --group crs_35_bad_robots

List available rules in table format.

az network application-gateway waf-config list-rule-sets -o table

Optional Parameters

--group

List rules for the specified rule group. Use * to list rules for all groups. Omit to suppress listing individual rules.

--type

Rule set type to list. Omit to list all types.

--version

Rule set version to list. Omit to list all versions.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-config set

Update the firewall configuration of a web application.

This command is only applicable to application gateways with an SKU type of WAF. To learn more, visit https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/tutorial-restrict-web-traffic-cli.

az network application-gateway waf-config set --enabled {false, true}
                                              [--disabled-rule-groups]
                                              [--disabled-rules]
                                              [--exclusion]
                                              [--file-upload-limit]
                                              [--firewall-mode {detection, prevention}]
                                              [--gateway-name]
                                              [--ids]
                                              [--max-request-body-size]
                                              [--no-wait]
                                              [--request-body-check {false, true}]
                                              [--resource-group]
                                              [--rule-set-type]
                                              [--rule-set-version]
                                              [--subscription]

Examples

Configure WAF on an application gateway in detection mode with default values.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --firewall-mode Detection --rule-set-version 3.0

Disable rules for validation of request body parsing and SQL injection.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --rule-set-type OWASP --rule-set-version 3.0 --disabled-rule-groups REQUEST-942-APPLICATION-ATTACK-SQLI --disabled-rules 920130 920140

Configure WAF on an application gateway with exclusions.

az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --firewall-mode Detection --rule-set-version 3.0 --exclusion "RequestHeaderNames StartsWith x-header" --exclusion "RequestArgNames Equals IgnoreThis"

Required Parameters

--enabled

Specify whether the application firewall is enabled.

Accepted values: false, true

Optional Parameters

--disabled-rule-groups

Space-separated list of rule groups to disable. To disable individual rules, use --disabled-rules.

Value from: az network application-gateway waf-config list-rule-sets

--disabled-rules

Space-separated list of rule IDs to disable.

Value from: az network application-gateway waf-config list-rule-sets

--exclusion

Add an exclusion expression to the WAF check.

Usage: --exclusion VARIABLE OPERATOR VALUE

Multiple exclusions can be specified by using more than one --exclusion argument.

--file-upload-limit

File upload size limit in MB.

--firewall-mode

Web application firewall mode.

Accepted values: detection, prevention
Default value: detection

--gateway-name

Name of the application gateway.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--max-request-body-size

Max request body size in KB.

--no-wait

Do not wait for the long-running operation to finish.

Default value: False

--request-body-check

Allow WAF to check the request body.

Accepted values: false, true

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-set-type

Rule set type.

Default value: OWASP
Value from: az network application-gateway waf-config list-rule-sets

--rule-set-version

Rule set version.

Value from: az network application-gateway waf-config list-rule-sets

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-config show

Get the firewall configuration of a web application.

az network application-gateway waf-config show [--gateway-name]
                                               [--ids]
                                               [--resource-group]
                                               [--subscription]

Examples

Get the firewall configuration of a web application.

az network application-gateway waf-config show -g MyResourceGroup --gateway-name MyAppGateway
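
An added example, not part of the Azure CLI reference: a shell check that reads a gateway's configuration with `show`, `--query` and `-o tsv`, then flags settings that weaken the WAF (not enabled, not in prevention mode, request body check off, disabled rules or rule groups, exclusions). The field names in `WAF_QUERY` and the function names are assumptions; confirm the field names against your own gateway's `show` output.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure CLI reference. The field names in WAF_QUERY
# are assumptions about the `show` output; confirm them on your own gateway.
WAF_QUERY='[enabled || `false`, firewallMode || `"unknown"`, requestBodyCheck || `false`, length(disabledRuleGroups || `[]`), length(exclusions || `[]`)]'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one finding per line; return 0 only when nothing weakens the WAF.
# Args: enabled, firewall mode, request body check, #disabled entries, #exclusions
check_waf_fields() {
  findings=0
  if [ "$(lower "$1")" != "true" ]; then
    echo "WAF is not enabled"; findings=$((findings + 1))
  fi
  if [ "$(lower "$2")" != "prevention" ]; then
    echo "firewall mode is '$2', not prevention"
    findings=$((findings + 1))
  fi
  if [ "$(lower "$3")" != "true" ]; then
    echo "request body check is off"; findings=$((findings + 1))
  fi
  if [ "${4:-0}" -gt 0 ]; then
    echo "$4 disabledRuleGroups entries (rules or whole groups switched off)"
    findings=$((findings + 1))
  fi
  if [ "${5:-0}" -gt 0 ]; then
    echo "$5 exclusions are configured"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Read a live gateway. $1 = resource group, $2 = gateway name.
audit_gateway() {
  # Unquoted on purpose: the tsv values are split on tabs and newlines.
  set -- $(az network application-gateway waf-config show -g "$1" \
    --gateway-name "$2" --query "$WAF_QUERY" -o tsv)
  check_waf_fields "$@"
}

# Constructed sample values (not from a real gateway): enabled, detection mode,
# body check off, one disabled entry, two exclusions.
check_waf_fields true Detection false 1 2 || echo "=> review this gateway's WAF settings"
```

Against a real gateway, run `audit_gateway MyResourceGroup MyAppGateway`; a non-zero exit status means at least one finding was printed.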

Optional Parameters

--gateway-name

Name of the application gateway.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.