az network application-gateway waf-config
Configure the settings of a web application firewall.
These commands are only applicable to application gateways with an SKU type of WAF. To learn more, visit https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/tutorial-restrict-web-traffic-cli.
Commands
Name | Description | Type | Status |
---|---|---|---|
az network application-gateway waf-config list-dynamic-rule-sets | List the regional application gateway WAF manifest. | Core | GA |
az network application-gateway waf-config list-rule-sets | Get information on available WAF rule sets, rule groups, and rule IDs. | Core | GA |
az network application-gateway waf-config set | Update the firewall configuration of a web application. | Core | GA |
az network application-gateway waf-config show | Get the firewall configuration of a web application. | Core | GA |
az network application-gateway waf-config list-dynamic-rule-sets
List the regional application gateway WAF manifest.
az network application-gateway waf-config list-dynamic-rule-sets --location
[--max-items]
[--next-token]
Examples
List the application gateway WAF manifest for a region.
az network application-gateway waf-config list-dynamic-rule-sets -l westus
Required Parameters
--location: Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.
Optional Parameters
--max-items: Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
--next-token: Token to specify where to start paginating. This is the token value from a previously truncated response.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network application-gateway waf-config list-rule-sets
Get information on available WAF rule sets, rule groups, and rule IDs.
az network application-gateway waf-config list-rule-sets [--group]
[--type]
[--version]
Examples
List available rule groups in OWASP type rule sets.
az network application-gateway waf-config list-rule-sets --type OWASP
List available rules in the OWASP 3.0 rule set.
az network application-gateway waf-config list-rule-sets --group '*' --type OWASP --version 3.0
List available rules in the `crs_35_bad_robots` rule group.
az network application-gateway waf-config list-rule-sets --group crs_35_bad_robots
List available rules in table format.
az network application-gateway waf-config list-rule-sets -o table
Optional Parameters
--group: List rules for the specified rule group. Use * to list rules for all groups. Omit to suppress listing individual rules.
--type: Rule set type to list. Omit to list all types.
--version: Rule set version to list. Omit to list all versions.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network application-gateway waf-config set
Update the firewall configuration of a web application.
This command is only applicable to application gateways with an SKU type of WAF. To learn more, visit https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/tutorial-restrict-web-traffic-cli.
az network application-gateway waf-config set --enabled {false, true}
[--disabled-rule-groups]
[--disabled-rules]
[--exclusion]
[--file-upload-limit]
[--firewall-mode {detection, prevention}]
[--gateway-name]
[--ids]
[--max-request-body-size]
[--no-wait]
[--request-body-check {false, true}]
[--resource-group]
[--rule-set-type]
[--rule-set-version]
[--subscription]
Examples
Configure WAF on an application gateway in detection mode with default values.
az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --firewall-mode Detection --rule-set-version 3.0
Disable rules for validation of request body parsing and SQL injection.
az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --rule-set-type OWASP --rule-set-version 3.0 --disabled-rule-groups REQUEST-942-APPLICATION-ATTACK-SQLI --disabled-rules 920130 920140
Configure WAF on an application gateway with exclusions.
az network application-gateway waf-config set -g MyResourceGroup --gateway-name MyAppGateway --enabled true --firewall-mode Detection --rule-set-version 3.0 --exclusion "RequestHeaderNames StartsWith x-header" --exclusion "RequestArgNames Equals IgnoreThis"
Required Parameters
--enabled: Specify whether the application firewall is enabled.
Optional Parameters
--disabled-rule-groups: Space-separated list of rule groups to disable. To disable individual rules, use --disabled-rules.
--disabled-rules: Space-separated list of rule IDs to disable.
--exclusion: Add an exclusion expression to the WAF check.
Usage: --exclusion VARIABLE OPERATOR VALUE
Multiple exclusions can be specified by using more than one --exclusion argument.
--file-upload-limit: File upload size limit in MB.
--firewall-mode: Web application firewall mode.
--gateway-name: Name of the application gateway.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--max-request-body-size: Max request body size in KB.
--no-wait: Do not wait for the long-running operation to finish.
--request-body-check: Allow WAF to check the request body.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--rule-set-type: Rule set type.
--rule-set-version: Rule set version.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network application-gateway waf-config show
Get the firewall configuration of a web application.
az network application-gateway waf-config show [--gateway-name]
[--ids]
[--resource-group]
[--subscription]
Examples
Get the firewall configuration of a web application.
az network application-gateway waf-config show -g MyResourceGroup --gateway-name MyAppGateway
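An added example, not part of the Azure CLI reference: a POSIX shell check that turns the settings managed by this command group into audit findings, flagging a WAF that is disabled, left in Detection mode (which logs matches rather than blocking them), has request body inspection off, or carries disabled rule groups or exclusions. The JSON field names in the query and the helper names `waf_findings` and `audit_gateway` are assumptions.

```shell
#!/bin/sh
# Added example, not from the Azure CLI docs. The JSON field names in
# WAF_QUERY (enabled, firewallMode, requestBodyCheck, disabledRuleGroups,
# exclusions) are assumptions about what `waf-config show` returns.

# to_string() keeps every column non-empty, so whitespace splitting is safe.
WAF_QUERY='[to_string(enabled), to_string(firewallMode), to_string(requestBodyCheck), length(disabledRuleGroups || `[]`), length(exclusions || `[]`)]'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# waf_findings ENABLED MODE BODY_CHECK N_DISABLED_GROUPS N_EXCLUSIONS
# Prints one finding per line; exit status is 1 if anything was flagged.
waf_findings() (
  rc=0
  if [ "$(lower "$1")" != "true" ]; then
    echo "WAF is not enabled (--enabled false)"; rc=1
  fi
  if [ "$(lower "$2")" != "prevention" ]; then
    echo "firewall mode is '$2', not Prevention (--firewall-mode)"; rc=1
  fi
  if [ "$(lower "$3")" != "true" ]; then
    echo "request body check is off (--request-body-check false)"; rc=1
  fi
  if [ "${4:-0}" -gt 0 ]; then
    echo "$4 disabled rule group entries (--disabled-rule-groups / --disabled-rules)"; rc=1
  fi
  if [ "${5:-0}" -gt 0 ]; then
    echo "$5 exclusion(s) configured (--exclusion)"; rc=1
  fi
  exit "$rc"
)

# audit_gateway RESOURCE_GROUP GATEWAY_NAME  (needs a logged-in az session)
audit_gateway() (
  row=$(az network application-gateway waf-config show \
          -g "$1" --gateway-name "$2" --query "$WAF_QUERY" -o tsv) || exit 2
  # shellcheck disable=SC2086  # intentional word splitting of the TSV output
  set -- $row
  waf_findings "$1" "$2" "$3" "$4" "$5"
)

# Constructed sample values (Detection mode with two exclusions):
#   waf_findings true Detection true 0 2
```

Run `audit_gateway MyResourceGroup MyAppGateway` after any `waf-config set` change; a non-zero exit status makes it usable as a pipeline gate.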
Optional Parameters
--gateway-name: Name of the application gateway.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.