Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Web Application Firewall supports a defined set of managed ruleset versions to ensure strong security protections, predictable behavior, and a clear upgrade path for customers. Azure manages the Default Rule Set (DRS), selected Core Rule Set (CRS) versions, Bot Management and HTTP DDoS rulesets, and periodically releases new rule set versions that include new protections, updated signatures, and rule improvements.
Azure Web Application Firewall supports a defined set of managed ruleset versions to ensure strong security protections, predictable behavior, and a clear upgrade path for customers. Azure manages the Default Rule Set (DRS), Bot Management, and HTTP DDoS rulesets versions and periodically releases new rule set versions that include new protections, updated signatures, and rule improvements.
Supported versions
Starting February 2026, Azure WAF actively supports the latest three ruleset releases in the following format:
N: Latest available rule set version (for example, DRS 2.2)
N-1: Previous rule set version (for example, DRS 2.1)
- N-2: Second previous rule set version (for example, CRS 3.2)
- N-2: Second previous rule set version (for example, DRS 2.0)
Only N, N-1, and N-2 versions are supported for general use and receive ongoing updates, improvements, and rule tuning from the Azure WAF team.
Extended support for older rule sets
When a newer rule set version (N) is released to general availability, the ruleset that becomes N-3 will enter a final support phase:
- Once the newer ruleset version (N) is released, new Azure WAF policies can't be created with the N-3 version, and any existing WAF policies with the N-3 version can't be attached.
- Once the newer ruleset version (N) is released, new Azure WAF policies can't be created with the N-3 version.
The N-3 version continues to be supported for 12 months from the release date of the new N rule set, for existing WAF policies only. During these 12 months period, the N-3 version is eligible to receive only critical security updates.
After the 12-month period, the N-3 version will no longer be supported. It won't receive any further updates, fixes, or support from the support team.
This rolling support window helps ensure that users have ample time to plan and migrate to supported versions while maintaining a clear lifecycle for managed rule sets.
Upgrade recommendations
Users are encouraged to:
Use the latest rule set version (N) where possible to benefit from the most current protections and rule coverage.
Plan upgrades early, taking advantage of the 12-month final support period for older rule sets.
- Review Upgrade CRS or DRS ruleset version for breaking changes, added rules, and tuning guidance when moving between major rule set versions.
Warning
Failure to upgrade beyond the final support period might expose applications to unpatched vulnerabilities and reduced managed rule coverage.
Ruleset support schedule
The following tables summarize the current support status and planned end of support dates for managed rulesets of Azure WAF on Application Gateway:
The following tables summarize the current support status and planned end of support dates for managed rulesets of Azure WAF on Front Door:
Default rulesets
| Ruleset version | Release date | Support status | Support end date |
|---|---|---|---|
| DRS 2.2 | February 2026 | Supported | Not defined yet |
| DRS 2.1 | October 2023 | Supported | Not defined yet |
| CRS 3.2 | August 2021 | Supported | Not defined yet. Support ends one year after the release of the first DRS version newer than DRS 2.2 |
| CRS 3.1 CRS 3.0 |
N/A | Supported | February 26, 2027 |
| CRS 2.2.9 | N/A | Not supported | March 15, 2025 |
| Ruleset version | Release date | Support status | Support end date |
|---|---|---|---|
| DRS 2.2 | February 2026 | Supported | Not defined yet |
| DRS 2.1 | October 2023 | Supported | Not defined yet |
| DRS 2.0 | August 2021 | Supported | Not defined yet. Support ends one year after the release of the first DRS version newer than DRS 2.2 |
| DRS 1.2 DRS 1.1 DRS 1.0 |
N/A | Supported | February 26, 2027 |
Bot management ruleset
| Ruleset version | Release date | Support status | Support end date |
|---|---|---|---|
| Bot Management 1.1 | October 2024 | Supported | Not defined yet |
| Bot Management 1.0 | July 2021 | Supported | Not defined yet |
| Bot Management 0.1 | N/A | Not supported | Preview version - not supported |
HTTP DDoS ruleset
| Ruleset version | Release date | Support status | Support end date |
|---|---|---|---|
| HTTP DDoS Ruleset 1.0 | November 2025 | Supported | Not defined yet |
| Ruleset version | Release date | Support status | Support end date |
|---|---|---|---|
| Bot Management 1.1 | October 2024 | Supported | Not defined yet |
| Bot Management 1.0 | July 2021 | Supported | Not defined yet |