@mx-oss Thanks for reaching out. You can call the Web Application Firewall Policies - Get API in your logic app to verify if the policy is already created. If yes, get the customRules parameter from the response of the Get API. Initialize an array variable, assign it the parsed customRules value, and then add your new custom rule to this array.
Pass the new array to your Update Policy API.
Workflow:
Web Application Firewall Policies Get Policy --> Parse the JSON --> Add new custom rule to the array --> Web Application Firewall Policies Create/Update Policy
Note: Please handle the error/exception scenario as per your responses.
Feel free to get back to me if you need any assistance.
Update 1/31:
I have created the test workflow with HTTP trigger and you can refer to the code view of my workflow for your reference.
Workflow:
Http Trigger --> Http with Azure AD (Web Application Firewall Policies Get Policy) --> Compose Action (to get your input customRules) --> Parse the JSON (the output of the Get call) --> Compose Action (to create the request body for your PUT operation) --> Http with Azure AD (to update the Web Application Firewall Policies)
The above is for reference and you can modify the action, add/remove different actions and update the request body as per your requirement.
@mx-oss I couldn't see any Azure Firewall connector in the connector document list. It looks like you might be using a custom connector that someone created, or I have missed something. Please correct me if my understanding is wrong. Further, I don't see any work in progress for an Azure Firewall connector.
I have updated my answer with one of the ways you can implement your workflow.
Hi,
here is the link to the Azure FW connector:
https://techcommunity.microsoft.com/t5/azure-network-security-blog/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224
this connector simplifies the update of an IP Group in order to block a malicious IP:
@mx-oss Thanks for sharing the article. This is a custom connector (i.e. a custom connector, not a Logic Apps built-in/Azure connector) that the Azure Sentinel team has created. As per the Azure Sentinel Playbooks, I don't see any other custom connector to manage the WAF policies. You can create a new Issue (feature request) here to verify if there are any custom connectors planned to manage the WAF policies in the future.
Alternatively, you can always create a custom connector like AzureFirewall and create a pull request so it can be shared with all the users looking to manage the WAF policies.
If you don't want to create a custom connector, then you can always use different actions in your workflow to achieve the same, as in the one way that I have shared.
Hi,
I have one more question related to the union operation.
When I am performing the union between an existing custom rule and a new custom rule, I get the following error: "message": "Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate Limiting required to carry out the requested operation."
The issue seems to happen because the parameter "rateLimitThreshold": 0 is present (from the existing custom rule).
I don't understand why I get this error because this parameter already exists in the WAF policy.
Is it something that you have previously encountered?
@Maxime ROMERO - Ing The error is coming from the Application Gateway REST API. It looks like there is some network feature that is not registered on the subscription on which you are trying to perform the operation.
Can you confirm whether the error occurs while you call the Application Gateway REST API? If this is the case, then try to register the Network feature, and if that doesn't help, I suggest you create a new Q&A post with the application gateway tag so the Application Gateway experts can confirm which feature needs to be registered on your subscription to make the API call.
Hi,
Actually, I got this error when I am performing the Web Application Firewall Policies Update Policy using the following request (inputs of the "HTTP with Azure AD" action; the "@body" references had been rendered as a user mention and are restored here):

    {
      "method": "PUT",
      "url": "https://management.azure.com/subscriptions/{yoursubscriptionID}/resourceGroups/{resourcegroup}/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/{policyname}?api-version=2021-03-01",
      "body": {
        "location": "@body('Parse_JSON')?['location']",
        "properties": {
          "customRules": "@union(body('Parse_JSON')?['properties']?['customRules'], outputs('New_customRules'))",
          "managedRules": "@body('Parse_JSON')?['properties']?['managedRules']",
          "policySettings": "@body('Parse_JSON')?['properties']?['policySettings']"
        }
      }
    }

Is something not correct?
@Maxime ROMERO - Ing Thanks, that's what I was suspecting. Can you get the request body from your run history and try to execute the same here? The Application Gateway expert can confirm if there is any feature not enabled on your subscription that is throwing the error: Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate. I will wait for the Application Gateway expert to comment on this.
@Maxime ROMERO - Ing I had a discussion with the Application Gateway team and got confirmation that rateLimitThreshold is currently not supported by Application Gateway, but this is something the product team is planning for the near future. However, the Get call does return this rateLimitThreshold field. Therefore, when you call the Update API you receive the error "Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate", as currently rateLimitThreshold is only supported with the web application firewall policy. Therefore you need to remove the rateLimitThreshold property from the Get output response and make sure that you are not passing this field, as it is not supported yet.
So you need to add a few more actions to remove the field, as below:
Initialize array variable --> loop through the output of custom rules from the Get API --> Append the new element after removing the rateLimitThreshold property --> union of the new variable and your custom input
thank you very much for the detailed answer.
I will try that for sure!
Hi,
I tried to remove the property 'rateLimitThreshold' with the method mentioned, but this method only works for a property located at the 1st level in the JSON.
I tried another method to go further, but I am not able to go down to the property 'rateLimitThreshold'.
I was able to remove the customRules property with this method:
    removeProperty(items('For_each_5')['properties'],'customRules')
Do you know another method to achieve the removal of 'rateLimitThreshold'?
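As an added example (not from this thread or from Microsoft), the following Python models what the extra actions suggested above do: rateLimitThreshold lives inside each custom rule, so it has to be stripped per rule while looping over customRules, and only then merged with the new rule and put back into a PUT body that carries location, managedRules and policySettings through unchanged. The GET response, rule names and priorities are constructed sample values; the merge-by-name and unique-priority check are assumptions about how a practitioner would want to guard the update, not Logic Apps union semantics.

```python
import copy
import json

UNSUPPORTED = ("rateLimitThreshold",)  # fields the PUT must not carry

# Constructed sample of a WAF policy GET response, trimmed to what matters.
GET_RESPONSE = {
    "location": "westeurope",
    "properties": {
        "policySettings": {"state": "Enabled", "mode": "Prevention"},
        "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
        "customRules": [
            {"name": "BlockKnownBad", "priority": 10, "ruleType": "MatchRule", "action": "Block",
             "rateLimitThreshold": 0,  # returned by GET, rejected by PUT
             "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                                  "operator": "IPMatch", "matchValues": ["203.0.113.0/24"]}]},
        ],
    },
}

def strip_unsupported(rules):
    """Copy each rule without the unsupported fields (nested per rule, not policy level)."""
    return [{k: v for k, v in rule.items() if k not in UNSUPPORTED}
            for rule in copy.deepcopy(rules)]

def merge_rules(existing, new):
    """Append new rules; a new rule reusing an existing name replaces it.
    Custom rule priorities must be unique, so collisions are rejected before the PUT."""
    by_name = {r["name"]: r for r in existing}
    for rule in new:
        by_name[rule["name"]] = rule
    merged = list(by_name.values())
    prios = [r["priority"] for r in merged]
    if len(prios) != len(set(prios)):
        raise ValueError(f"duplicate custom rule priority in {prios}")
    return merged

def build_put_body(get_response, new_rules):
    """Assemble the PUT body the way the Compose action in the thread does."""
    props = get_response["properties"]
    return {"location": get_response["location"],
            "properties": {"customRules": merge_rules(strip_unsupported(props.get("customRules", [])), new_rules),
                           "managedRules": props["managedRules"],
                           "policySettings": props["policySettings"]}}

if __name__ == "__main__":
    new_rule = {"name": "BlockAttacker", "priority": 20, "ruleType": "MatchRule", "action": "Block",
                "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                                     "operator": "IPMatch", "matchValues": ["198.51.100.7"]}]}
    print(json.dumps(build_put_body(GET_RESPONSE, [new_rule]), indent=2))
```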
@Maxime ROMERO - Ing Can you respond to my private comment with the sample output and input you are passing, as I didn't face any issue with the repro at my end. The sample output/input will help me share what other condition needs to be added, or we can connect offline for a faster resolution.