Refer to the below document.
Create an application gateway with a Web Application Firewall using the Azure portal
Create Web Application Firewall policies for Application Gateway
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview
When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
If you want a single policy to apply to all sites, you can associate the policy with the application gateway. For more information
see Create Web Application Firewall policies for Application Gateway to create and apply a WAF policy using the Azure portal.
If the Answer is helpful, please click Accept Answer
and up-vote, this can be beneficial to other community members.