Is it possible to disassociate WAF policies?(WAFポリシーの関連付けの解除が可能か)

純一 井関 21 Reputation points
2022-05-09T00:08:26.44+00:00

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag
The MSDoc states "You may overwrite that policy, but disassociating a policy from the WAF entirely isn't supported."
MSDocに「このポリシーは上書きできますが、WAF からのポリシーの関連付け解除は完全にはサポートされていません。」という記述があります。

199975-image.png

What exactly does this mean?
I believe the operation in the portal allows us to delete the WAF policy associations.
I am wondering what the impact remains after deleting a WAF policy that is only used for a certain period of time.
これが意味することは具体的にはどういうことでしょうか?
ポータルでの操作ではWAFポリシーの関連付けを削除できると思います。
一定期間のみ使用するWAFポリシーを削除した後に、どういった影響が残るのかを気にしています。
200036-image.png

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,007 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,371 Reputation points Microsoft Employee
    2022-05-09T10:13:34.073+00:00

    Hello @純一 井関 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to disassociate WAF policies from Azure Application gateway.

    As mentioned in the official doc and pointed out by you, "You may overwrite that policy, but disassociating a policy from the WAF entirely isn't supported."

    If you try to remove an only associated WAF policy from Application gateway, it will fail with the below warning/error:
    "Deselect application gateway(s). To disassociate the selected application gateway, associate the gateway to a different WAF policy."

    200246-image.png

    So, in order to disassociate an existing WAF policy, you need to have another WAF policy which would override or take the old WAF policy's place.

    We do have Azure CLI and Azure PowerShell commands to delete/remove an existing WAF policy but if a WAF policy is associated with an Application gateway, you cannot delete it. The command will fail with the below error:
    "FirewallPolicyCannotBeDeleted since it is still allocated to resource Application gateway."

    200235-image.png

    As per our Product Group team, we do not support removing an associated policy from a WAF_v2 SKU application gateway. But either of the following can be done as a workaround:

    1) Disabling an attached global policy and replacing it with a listener/path associated WAF policy. The disabled global policy will not be enforced and the customer can configure any policies they want at listener/path scope. This new WAF policy will only impact a specific listener or path.
    2) Or redeploy the application gateway using the following steps, (Be advised this will change the SKU of the gateway during the steps):
    a) through REST/template deployment, change the application gateway SKU to Standard_v2 and remove all the WAF-configuration and policies.
    b) Change the SKU to a WAF_v2 gateway and then configure the policies and waf-configs if needed.

    Or the last solution would be to delete the existing application gateway and create a new one.

    This feature of disassociating WAF policies is currently under review by our Product group team. You can upvote the feature in the below feedback forum:
    https://feedback.azure.com/d365community/idea/eeece364-f925-ec11-b6e6-000d3a4f06a4

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Ofer Bezalel 1 Reputation point
    2023-01-08T20:02:00.923+00:00

    $SubscriptionId = 'xxxx'
    $ResourceGroupName = 'dt-proxy-stg-australiaeast'
    $GatewayName = 'datatube-ps-stg-australiaeast-gateway'
    Connect-AzAccount -Subscription $SubscriptionId
    $appGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $appGw.FirewallPolicy = $null
    $appGw.Sku.Name = 'Standard_v2'
    $appGw.Sku.Tier = 'Standard_v2'
    $appGw.WebApplicationFirewallConfiguration = $null
    $appGW.ForceFirewallPolicyAssociation = $true
    Set-AzApplicationGateway -ApplicationGateway $AppGw

    0 comments No comments