az network front-door waf-policy
Note
This reference is part of the front-door extension for the Azure CLI (version 2.67.0 or higher). The extension will automatically install the first time you run an az network front-door waf-policy command. Learn more about extensions.
Manage WebApplication Firewall (WAF) policies.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az network front-door waf-policy create |
Create policy with specified rule set name within a resource group. |
Extension | GA |
| az network front-door waf-policy delete |
Delete Policy. |
Extension | GA |
| az network front-door waf-policy list |
List all of the protection policies within a resource group. |
Extension | GA |
| az network front-door waf-policy managed-rule-definition |
Learn about available managed rule sets. |
Extension | GA |
| az network front-door waf-policy managed-rule-definition list |
Show a detailed list of available managed rule sets. |
Extension | GA |
| az network front-door waf-policy managed-rules |
Change and view managed rule sets associated with your WAF policy. |
Extension | GA |
| az network front-door waf-policy managed-rules add |
Add a managed rule set to a WAF policy. |
Extension | GA |
| az network front-door waf-policy managed-rules exclusion |
View and alter exclusions on a managed rule set, rule group, or rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules exclusion add |
Add an exclusion on a managed rule set, rule group, or rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules exclusion list |
List the exclusions on managed rule set, rule group, or rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules exclusion remove |
Remove an exclusion on a managed rule set, rule group, or rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules list |
Show which managed rule sets are applied to a WAF policy. |
Extension | GA |
| az network front-door waf-policy managed-rules override |
View and alter overrides on managed rules within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules override add |
Add an override on a managed rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules override list |
List the overrides on managed rules within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules override remove |
Remove an override on a managed rule within a managed rule set. |
Extension | GA |
| az network front-door waf-policy managed-rules remove |
Remove a managed rule set from a WAF policy. |
Extension | GA |
| az network front-door waf-policy rule |
Manage WAF policy custom rules. |
Extension | GA |
| az network front-door waf-policy rule create |
Create a WAF policy custom rule. Use --defer and add a rule match-condition. |
Extension | GA |
| az network front-door waf-policy rule delete |
Delete a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule list |
List WAF policy custom rules. |
Extension | GA |
| az network front-door waf-policy rule match-condition |
Alter match-conditions associated with a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule match-condition add |
Add a match-condition to a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule match-condition list |
Show all match-conditions associated with a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule match-condition remove |
Remove a match-condition from a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule show |
Get the details of a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy rule update |
Alter the details of a WAF policy custom rule. |
Extension | GA |
| az network front-door waf-policy show |
Get protection policy with specified name within a resource group. |
Extension | GA |
| az network front-door waf-policy update |
Update policy with specified rule set name within a resource group. |
Extension | GA |
| az network front-door waf-policy wait |
Place the CLI in a waiting state until a condition is met. |
Extension | GA |
az network front-door waf-policy create
Create policy with specified rule set name within a resource group.
az network front-door waf-policy create --name --policy-name
--resource-group
[--captcha-expiration-in-minutes]
[--custom-block-response-body]
[--custom-block-response-status-code]
[--custom-rules]
[--disabled {0, 1, f, false, n, no, t, true, y, yes}]
[--etag]
[--javascript-challenge-expiration-in-minutes --js-expiration]
[--location]
[--log-scrubbing]
[--managed-rules]
[--mode {Detection, Prevention}]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--redirect-url]
[--request-body-check {Disabled, Enabled}]
[--sku {Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor}]
[--tags]Required Parameters
The name of the Web Application Firewall Policy.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
If the action type is block, customer can override the response body. The body must be specified in base64 encoding.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
If the action type is block, customer can override the response status code.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Describes custom rules inside the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
Create in a disabled state.
| Property | Value |
|---|---|
| Default value: | False |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Gets a unique read-only string that changes whenever the resource is updated.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
Defines the JavaScript challenge cookie validity lifetime in minutes. Value must be an integer between 5 and 1440 with the default value being 30.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Resource location.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
Defines rules that scrub sensitive fields in the Web Application Firewall logs. Example: --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}, --log-scrubbing scrubbing-rules=[] state=Disabled, --log-scrubbing null Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Describes managed rules inside the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
Describes if it is in detection mode or prevention mode at policy level.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
| Accepted values: | Detection, Prevention |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
If action type is redirect, this field represents redirect URL for the client.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Describes if policy managed rules will inspect the request body content.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
| Accepted values: | Disabled, Enabled |
Name of the pricing tier.
| Property | Value |
|---|---|
| Parameter group: | Sku Arguments |
| Default value: | Premium_AzureFrontDoor |
| Accepted values: | Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor |
Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network front-door waf-policy delete
Delete Policy.
az network front-door waf-policy delete [--ids]
[--name --policy-name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]
[--subscription]Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
The name of the Web Application Firewall Policy.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network front-door waf-policy list
List all of the protection policies within a resource group.
az network front-door waf-policy list --resource-group
[--max-items]
[--next-token]Required Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.
| Property | Value |
|---|---|
| Parameter group: | Pagination Arguments |
Token to specify where to start paginating. This is the token value from a previously truncated response.
| Property | Value |
|---|---|
| Parameter group: | Pagination Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network front-door waf-policy show
Get protection policy with specified name within a resource group.
az network front-door waf-policy show [--ids]
[--name --policy-name]
[--resource-group]
[--subscription]Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
The name of the Web Application Firewall Policy.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network front-door waf-policy update
Update policy with specified rule set name within a resource group.
az network front-door waf-policy update [--add]
[--captcha-expiration-in-minutes]
[--custom-block-response-body]
[--custom-block-response-status-code]
[--custom-rules]
[--disabled {0, 1, f, false, n, no, t, true, y, yes}]
[--etag]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--ids]
[--javascript-challenge-expiration-in-minutes --js-expiration]
[--location]
[--log-scrubbing]
[--managed-rules]
[--mode {Detection, Prevention}]
[--name --policy-name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--redirect-url]
[--remove]
[--request-body-check {Disabled, Enabled}]
[--resource-group]
[--set]
[--sku {Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor}]
[--subscription]
[--tags]Examples
update log scrubbing
az network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}"
az network front-door waf-policy update -g rg -n n1 --log-scrubbing scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:Equals}"
az network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:RequestBodyJsonArgNames,selector-match-operator:EqualsAny}],state:Enabled}" scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:EqualsAny}"Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
If the action type is block, customer can override the response body. The body must be specified in base64 encoding.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
If the action type is block, customer can override the response status code.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Describes custom rules inside the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
Create in a disabled state.
| Property | Value |
|---|---|
| Default value: | False |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Gets a unique read-only string that changes whenever the resource is updated.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Defines the JavaScript challenge cookie validity lifetime in minutes. Value must be an integer between 5 and 1440 with the default value being 30.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Resource location.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
Defines rules that scrub sensitive fields in the Web Application Firewall logs. Example: --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}, --log-scrubbing scrubbing-rules=[] state=Disabled, --log-scrubbing null Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Describes managed rules inside the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
Describes if it is in detection mode or prevention mode at policy level.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
| Accepted values: | Detection, Prevention |
The name of the Web Application Firewall Policy.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
If action type is redirect, this field represents redirect URL for the client.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Describes if policy managed rules will inspect the request body content.
| Property | Value |
|---|---|
| Parameter group: | PolicySettings Arguments |
| Accepted values: | Disabled, Enabled |
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Name of the pricing tier.
| Property | Value |
|---|---|
| Parameter group: | Sku Arguments |
| Accepted values: | Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor |
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Parameters Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network front-door waf-policy wait
Place the CLI in a waiting state until a condition is met.
az network front-door waf-policy wait [--created]
[--custom]
[--deleted]
[--exists]
[--ids]
[--interval]
[--name --policy-name]
[--resource-group]
[--subscription]
[--timeout]
[--updated]Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Wait until created with 'provisioningState' at 'Succeeded'.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | False |
Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
Wait until deleted.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | False |
Wait until the resource exists.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | False |
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Polling interval in seconds.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | 30 |
The name of the Web Application Firewall Policy.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Maximum wait in seconds.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | 3600 |
Wait until updated with provisioningState at 'Succeeded'.
| Property | Value |
|---|---|
| Parameter group: | Wait Condition Arguments |
| Default value: | False |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
