Hello @純一 井関 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if it is possible to disassociate WAF policies from Azure Application gateway.
As mentioned in the official doc and pointed out by you, "You may overwrite that policy, but disassociating a policy from the WAF entirely isn't supported."
If you try to remove an only associated WAF policy from Application gateway, it will fail with the below warning/error:
"Deselect application gateway(s). To disassociate the selected application gateway, associate the gateway to a different WAF policy."
So, in order to disassociate an existing WAF policy, you need to have another WAF policy which would override or take the old WAF policy's place.
We do have Azure CLI and Azure PowerShell commands to delete/remove an existing WAF policy but if a WAF policy is associated with an Application gateway, you cannot delete it. The command will fail with the below error:
"FirewallPolicyCannotBeDeleted since it is still allocated to resource Application gateway."
As per our Product Group team, we do not support removing an associated policy from a WAF_v2 SKU application gateway. But either of the following can be done as a workaround:
1) Disabling an attached global policy and replacing it with a listener/path associated WAF policy. The disabled global policy will not be enforced and the customer can configure any policies they want at listener/path scope. This new WAF policy will only impact a specific listener or path.
2) Or redeploy the application gateway using the following steps, (Be advised this will change the SKU of the gateway during the steps):
a) through REST/template deployment, change the application gateway SKU to Standard_v2 and remove all the WAF-configuration and policies.
b) Change the SKU to a WAF_v2 gateway and then configure the policies and waf-configs if needed.
Or the last solution would be to delete the existing application gateway and create a new one.
This feature of disassociating WAF policies is currently under review by our Product group team. You can upvote the feature in the below feedback forum:
https://feedback.azure.com/d365community/idea/eeece364-f925-ec11-b6e6-000d3a4f06a4
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.