Azure WAF Policy - Add custom rules with Rest API call

Question

Azure WAF Policy - Add custom rules with Rest API call

mx-oss 61

Hi,

I am trying to update a current WAF policy attached to an AppGw by using the Rest API, but I am facing an issue by updating the policy

I am using the REST API method documented here : https://learn.microsoft.com/en-us/rest/api/application-gateway/web-application-firewall-policies/create-or-update

and I am sending the HTTP PUT request with the HTTP connector :

However, when I am updating the policy for adding a custom rule (to block a Bad IP), all the existing custom rules are also removed.

Can I add a custom rule without erasing the existing rules by using the Rest API?
any example from the azure github that I could use for my need ?

thank you for your help
Regards,
Mx

krishna raj 0 Reputation points

2024-03-01T06:19:27.28+00:00
@MayankBargali-MSFT Hello, I encountered a similar issue where updating (adding an IP) to a custom rule resulted in the deletion of other custom rules. However, I managed to add the IP to the specific custom rule by following these steps:

Retrieve all custom rules using a GET API call.

Modify the response body obtained from step 1 to include the IP in the specific custom rule.

Perform a create/update operation with the modified request body containing all custom rules. My question is, is there a method/way to update only the specific custom rule without including information about other custom rules in the request body?

Thanks in Advance.

Accepted answer

0 additional answers

Your answer

krishna raj 0 Reputation points

2024-03-01T06:19:27.28+00:00

@MayankBargali-MSFT Hello, I encountered a similar issue where updating (adding an IP) to a custom rule resulted in the deletion of other custom rules. However, I managed to add the IP to the specific custom rule by following these steps:

Retrieve all custom rules using a GET API call.

Modify the response body obtained from step 1 to include the IP in the specific custom rule.

Perform a create/update operation with the modified request body containing all custom rules. My question is, is there a method/way to update only the specific custom rule without including information about other custom rules in the request body?

Thanks in Advance.

Answer 1

MayankBargali-MSFT 70,906 Moderator

@mx-oss Thanks for reaching out. You can call the Web Application Firewall Policies - Get API in your logic app to verify if the Policy is already created. If yes then you need to get the customRules parameter from the response of Get API. Initialize the array variable and assign the customRules parameter parse value and then add your new custom rule to this array.
Pass the new array to your Update Policy API.

Workflow:
Web Application Firewall Policies Policy --> Parse the Json --> Add new custom role to the array --> Web Application Firewall Policies Create/Update Policy

Note: Please handle the error/exception scenario as per your responses.

Feel free to get back to me if you need any assistance.

Update 1/31:
I have created the test workflow with HTTP trigger and you can refer to the code view of my workflow for your reference.

Workflow:
Http Trigger --> Http with Azure AD (Web Application Firewall Policies Policy) --> Compose Action (to get your input customRules) --> Parse the Json (the output of get call) --> Compose Action (to create the request body for your PUT operation) --> Http with Azure AD (to update the the Web Application Firewall Policies)

The above is for reference and you can modify the action, add/remove different actions and update the request body as per your requirement.

mx-oss 61 Reputation points

2022-01-27T13:25:01.923+00:00

Thank you very much for your feedback.

Do you have any code exemple that I could use to inspire myself ?

I believe that it will be great to have a connector similar to the Azure Firewall connector.
Are you aware if a new connector will be release soon to manage the WAF policies ?
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-01-31T06:28:23.287+00:00

@mx-oss I couldn't see any Azure Firewall connector as per the connector document list. Looks like you might be using the custom connector that someone might have created or I have missed something. Please correct me if my understanding. Further, I don't see any work in progress for any Azure Firewall connector.

I have updated my answer with one of the ways you can implement your workflow.
Maxime ROMERO - Ing 6 Reputation points

2022-01-31T13:33:57.243+00:00

Hi,

here the link to the Azure FW connector :
https://techcommunity.microsoft.com/t5/azure-network-security-blog/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224

this connector simplifies the update to the an IP Group in order to block an malicious IP :
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-01-31T13:56:56.94+00:00

@mx-oss Thanks for sharing the article. This is the custom connector (i.e. customer connector and not the logic app in build/azure connector) that the Azure Sentinel team has created. As per the Azure Sentinel Playbooks I don't see any other custom connector to manage the WAF policies. You can create a new Issue (Feature request) here to verify if there are any custom connectors that are planned to manage the WAF policies in the future.

Alternatively, you can always create a custom connector like AzureFirewall and create the pull request so it can be shared across all the users looking to manage the WAF policies.
If you don't want to create a custom connector then you can always use different actions to achieve the same in your workflow as one of the ways that I have shared.
Maxime ROMERO - Ing 6 Reputation points

2022-02-07T21:11:34.37+00:00

Hi,

I have one more question related to the union operation

When I am performing the union between an existing custom rule and a new custom rule, I got the following error : "message": "Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate Limiting required to carry out the requested operation.

The issue seems to happen because the parameter "rateLimitThreshold": 0 is present (from the existing custom rule)

I don't understand why I got this error because this parameter already exists in the WAF policy

Is it something that you are previously encountered ?
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-02-09T07:24:41.467+00:00

@Maxime ROMERO - Ing The error is coming from the Application gateway REST API. It looks like there is some network feature that is not registered on your subscription for which you are trying to perform the operation.
Can you confirm if the error is coming while you call the Application gateway REST API? If this is the case then try to register the Network feature and if it didn't help then I will suggest you to create a new Q&A post with the application gateway tag so the experts from the application gateway can confirm which feature need to register on your subscription to make the API call.
Maxime ROMERO - Ing 6 Reputation points

2022-02-12T16:38:37.02+00:00

Hi,

Actually, I got this error when I am performing the Web Application Firewall Policies Update Policy by using the following query :

"method": "PUT",
"url": "https://management.azure.com/subscriptions/{yoursubscriptionID}/resourceGroups/{resourcegroup}/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/{policyname}?api-version=2021-03-01"

"location": "@Tomas Podoba ('Parse_JSON')?['location']",
"properties": {
"customRules": "@union(body('Parse_JSON')?['properties']?['customRules'],outputs('New_customRules'))",
"managedRules": "@Tomas Podoba ('Parse_JSON')?['properties']?['managedRules']",
"policySettings": "@Tomas Podoba ('Parse_JSON')?['properties']?['policySettings']"
}

Does something is not correct ?
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-02-14T10:12:54.467+00:00

@Maxime ROMERO - Ing Thanks that's what I was suspecting. Can you get the body request from your run history and try to execute the same here. The application gateway expert can confirm if there is any feature that is not enabled from your subscription that is throwing the error : Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate. I will wait for the application gateway expert to comment on this.
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-02-18T09:34:31.953+00:00
@Maxime ROMERO - Ing I had a discussion with the application gateway team and get the confirmation that rateLimitThreshold is currently not supported by Application Gateway but this is something the product team is planning to in the near future. But the Get call does return this rateLimitThreshold field. Therefore when we tried to call the Update API you receive the error "Subscription /subscriptions/XXXXX is not registered for feature Custom Rule Rate" as currently rateLimitThreshold is only supported with web application firewall policy.

Therefore you need to remove the rateLimitThreshold property from the Get output response and make sure that you are not passing this field as it is not supported yet.
So you need to add a few more actions to remove the field as below:

Initialize array variable --> loop in through the output of custom roles from Get API --> Append to the new element after removing the rateLimitThreshold property --> union of new variable and your custom input

removeProperty(item(),'rateLimitThreshold') union(variables('customRules'),outputs('New_customRules'))
Maxime ROMERO - Ing 6 Reputation points

2022-02-21T14:00:43.797+00:00

thank you very much for the detailled answer.

I will try that for sure !
Maxime ROMERO - Ing 6 Reputation points

2022-02-22T20:46:39.363+00:00

Hi,

I tried to remove the properties 'rateLimitThreshold' with the method mentionned but this method is working only for a properties located to 1st level in the JSON

I tried anoother method to go further but I am not able to go up to the properties : 'rateLimitThreshold'

I was able to remove the customRules properties with this method :
removeProperty(items('For_each_5')['properties'],'customRules')

Do you know another method to achieve the removal of 'rateLimitThreshold' ?
MayankBargali-MSFT 70,906 Reputation points Moderator

2022-02-23T12:22:25.26+00:00

@Maxime ROMERO - Ing Can you respond to my private comment with the sample output and input you are passing as I didn't face any issue with the repro at my end. The sample output/input will help me so I can share what else condition needs to be added or we can connect offline for a faster resolution.

Share via

Azure WAF Policy - Add custom rules with Rest API call

0 additional answers

Your answer