Upgrade a Web Application Firewall policy by using Azure PowerShell
This script makes it easy to convert from a WAF configuration, or from a custom-rules-only WAF policy, to a full WAF policy. You might see a warning in the portal that says "Upgrade to WAF policy", or you might want to use newer WAF features such as Geomatch custom rules, per-site WAF policies, per-URI WAF policies, or the bot mitigation rule set. To use any of these features, you need a full WAF policy associated with your application gateway.
For more information about creating a new WAF policy, see Create a Web Application Firewall policy for Application Gateway. For information about migration, see Upgrade to WAF policy.
Upgrade to a WAF policy by using the migration script
Use the following steps to run the migration script:
- Open the Cloud Shell window below, or open Cloud Shell from the portal.
- Copy the script into the Cloud Shell window and run it.
- The script prompts for the subscription ID, the resource group name, the name of the application gateway that carries the WAF configuration, and the name of the new WAF policy you want it to create. After you enter these values, the script runs and creates the new WAF policy.
- Verify the new WAF policy and its association with the application gateway. Go to the WAF policy in the portal and select the Associated application gateways tab. Confirm that the application gateway is associated with the WAF policy.
Note
The script does not complete the migration if the following condition exists:
- An entire rule group is disabled. To complete the migration, make sure that no entire RuleGroup is disabled; disabling individual rules within a group is supported.
For more information, see the ValidateInput function in the script.
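The condition in the note, together with the SKU and existing-policy checks that the script's ValidateInput function applies, can be verified before anything is changed. The following read-only preflight report is an added example, not part of the Microsoft script; it assumes the Az.Network module is loaded and that Connect-AzAccount has already been run, and the function name Test-WafPolicyMigrationReadiness and the snapshot file path are my own choices. It also writes the gateway's current WebApplicationFirewallConfiguration to a JSON file so that the migrated policy can be compared against it afterwards.

```powershell
# Added example (not part of the Microsoft script): read-only preflight check
# mirroring the conditions the script's ValidateInput function enforces.
# Assumes Az.Network is loaded and Connect-AzAccount has already been run.
function Test-WafPolicyMigrationReadiness {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        [Parameter(Mandatory = $true)] [string] $ApplicationGatewayName,
        # Hypothetical output path for the pre-migration snapshot.
        [string] $SnapshotPath = '.\waf-config-before-migration.json'
    )

    $appgw = Get-AzApplicationGateway -Name $ApplicationGatewayName -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Only the WAF_v2 SKU can be associated with a WAF policy.
    if ($appgw.Sku.Name -ne 'WAF_v2' -or $appgw.Sku.Tier -ne 'WAF_v2') {
        $findings.Add("SKU is $($appgw.Sku.Name)/$($appgw.Sku.Tier); WAF_v2 is required.")
    }

    # 2. A gateway that already has a full policy (one with policy settings) is not migrated by the script.
    if ($appgw.FirewallPolicy) {
        # Resource ID shape: .../resourceGroups/<rg>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<name>
        if ($appgw.FirewallPolicy.Id -match '/resourceGroups/([^/]+)/.*/([^/]+)$') {
            $existing = Get-AzApplicationGatewayFirewallPolicy -Name $Matches[2] -ResourceGroupName $Matches[1] -ErrorAction Stop
            if ($existing.PolicySettings) {
                $findings.Add("Gateway already has full WAF policy '$($existing.Name)'; change it in the portal instead.")
            }
            else {
                Write-Verbose "Custom-rules-only policy '$($existing.Name)' found; its custom rules will be carried over."
            }
        }
    }

    # 3. The script refuses to migrate when a whole rule group is disabled (empty Rules list).
    $cfg = $appgw.WebApplicationFirewallConfiguration
    if (-not $cfg) {
        $findings.Add('No WebApplicationFirewallConfiguration is present on the gateway.')
    }
    else {
        foreach ($group in @($cfg.DisabledRuleGroups | Where-Object { $_ })) {
            if ($null -eq $group.Rules -or $group.Rules.Count -eq 0) {
                $findings.Add("Entire rule group '$($group.RuleGroupName)' is disabled; re-enable it or disable individual rules instead.")
            }
        }
        # Keep the pre-migration configuration so the new policy can be compared against it later.
        $cfg | ConvertTo-Json -Depth 5 | Set-Content -Path $SnapshotPath -Encoding UTF8
    }

    [pscustomobject]@{
        ApplicationGateway = $appgw.Name
        Ready              = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
        SnapshotPath       = $(if ($cfg) { (Resolve-Path $SnapshotPath).Path } else { $null })
    }
}

# Usage (placeholder values):
# Test-WafPolicyMigrationReadiness -ResourceGroupName '<rg>' -ApplicationGatewayName '<appgw>' -Verbose
```

Run it before the migration script; a result with Ready set to $false lists exactly what to fix first, and nothing on the gateway is modified.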
<#PSScriptInfo
.DESCRIPTION
Upgrades an application gateway from a WAF configuration (or a custom-rules-only WAF policy) to a top-level WAF policy.
.VERSION 1.0
.GUID b6fedd43-ebd0-41ed-9847-4f1c1c43be22
.AUTHOR Venkat.Krishnan
.PARAMETER subscriptionId
Subscription Id of where the resources are present.
.PARAMETER resourceGroupName
Resource-group where the resources are present.
.PARAMETER applicationGatewayName
Application-Gateway name
.PARAMETER wafPolicyName
Name of the web application firewall policy
.EXAMPLE
./migrateToWafPolicy.ps1 -subscriptionId <your-subscription-id> -applicationGatewayName <your-appgw-name> -resourceGroupName <your-resource-group-name> -wafPolicyName <new-waf-policy-name>
#>
param(
    [Parameter(Mandatory=$true)]
    [string] $subscriptionId,
    [Parameter(Mandatory=$true)]
    [string] $resourceGroupName,
    [Parameter(Mandatory=$true)]
    [string] $applicationGatewayName,
    [Parameter(Mandatory=$true)]
    [string] $wafPolicyName
)

function ValidateInput ($appgwName, $resourceGroupName) {
    # Obtain the application gateway (use the function parameter, not the script-level variable)
    $appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $resourceGroupName
    if (-not $appgw) {
        Write-Error "ApplicationGateway: $appgwName is not present in ResourceGroup: $resourceGroupName"
        return $false
    }
    # Check whether a full (top-level) firewall policy is already associated.
    # Get-AzResource exposes the ARM resource body under .Properties, so policySettings is looked up there.
    if ($appgw.FirewallPolicy) {
        $fp = Get-AzResource -ResourceId $appgw.FirewallPolicy.Id
        if ($fp.Properties.PolicySettings) {
            Write-Error "ApplicationGateway: $appgwName already has a global firewall policy: $($fp.Name). Please use portal for changing the policy."
            return $false
        }
    }
    if ($appgw.WebApplicationFirewallConfiguration) {
        # Throw an error, since the disabled-ruleGroup case can't be migrated now.
        if ($appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
            foreach ($disabled in $appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
                if ($disabled.Rules.Count -eq 0) {
                    $ruleGroupName = $disabled.RuleGroupName
                    Write-Error "The ruleGroup '$ruleGroupName' is disabled. Currently we can't upgrade to a firewall policy when an entire ruleGroup is disabled. This feature will be delivered shortly. To continue, kindly ensure the entire rulegroups are not disabled. "
                    return $false
                }
            }
        }
    }
    if ($appgw.Sku.Name -ne "WAF_v2" -or $appgw.Sku.Tier -ne "WAF_v2") {
        Write-Error " Cannot associate a firewall policy to application gateway :$appgwName since the Sku is not on WAF_v2"
        return $false
    }
    return $true
}

function Login() {
    # Sign in only when no Az context is present yet
    $context = Get-AzContext
    if ($null -eq $context -or $null -eq $context.Account) {
        Connect-AzAccount
    }
}

function createNewTopLevelWafPolicy ($subscriptionId, $resourceGroupName, $applicationGatewayName, $wafPolicyName) {
    Select-AzSubscription -Subscription $subscriptionId
    $retVal = ValidateInput -appgwName $applicationGatewayName -resourceGroupName $resourceGroupName
    if (!$retVal) {
        return
    }
    $appgw = Get-AzApplicationGateway -Name $applicationGatewayName -ResourceGroupName $resourceGroupName
    # Get the managedRule and PolicySettings
    $managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule
    $policySetting = New-AzApplicationGatewayFirewallPolicySetting
    if ($appgw.WebApplicationFirewallConfiguration) {
        # Translate DisabledRuleGroups (per-rule) into rule group overrides
        $ruleGroupOverrides = [System.Collections.ArrayList]@()
        if ($appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
            foreach ($disabled in $appgw.WebApplicationFirewallConfiguration.DisabledRuleGroups) {
                $rules = [System.Collections.ArrayList]@()
                if ($disabled.Rules.Count -gt 0) {
                    foreach ($rule in $disabled.Rules) {
                        $ruleOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId $rule
                        $null = $rules.Add($ruleOverride)
                    }
                }
                $ruleGroupOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName $disabled.RuleGroupName -Rule $rules
                $null = $ruleGroupOverrides.Add($ruleGroupOverride)
            }
        }
        $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType $appgw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $appgw.WebApplicationFirewallConfiguration.RuleSetVersion
        if ($ruleGroupOverrides.Count -ne 0) {
            $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType $appgw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $appgw.WebApplicationFirewallConfiguration.RuleSetVersion -RuleGroupOverride $ruleGroupOverrides
        }
        # Carry over exclusions; an exclusion with only a match variable becomes an EqualsAny/"*" exclusion
        $exclusions = [System.Collections.ArrayList]@()
        if ($appgw.WebApplicationFirewallConfiguration.Exclusions) {
            foreach ($excl in $appgw.WebApplicationFirewallConfiguration.Exclusions) {
                if ($excl.MatchVariable -and $excl.SelectorMatchOperator -and $excl.Selector) {
                    $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable $excl.MatchVariable -SelectorMatchOperator $excl.SelectorMatchOperator -Selector $excl.Selector
                    $null = $exclusions.Add($exclusionEntry)
                }
                if ($excl.MatchVariable -and !$excl.SelectorMatchOperator -and !$excl.Selector) {
                    # Equals Any exclusion
                    $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion -MatchVariable $excl.MatchVariable -SelectorMatchOperator "EqualsAny" -Selector "*"
                    $null = $exclusions.Add($exclusionEntry)
                }
            }
        }
        $managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
        $exclCount = $exclusions.Count
        if ($exclCount -ne 0) {
            $managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exclusion $exclusions
        }
        # Start from Detection/Disabled and raise to the gateway's current mode and state
        $policySetting = New-AzApplicationGatewayFirewallPolicySetting -MaxFileUploadInMb $appgw.WebApplicationFirewallConfiguration.FileUploadLimitInMb -MaxRequestBodySizeInKb $appgw.WebApplicationFirewallConfiguration.MaxRequestBodySizeInKb -Mode Detection -State Disabled
        if ($appgw.WebApplicationFirewallConfiguration.FirewallMode -eq "Prevention") {
            $policySetting.Mode = "Prevention"
        }
        if ($appgw.WebApplicationFirewallConfiguration.Enabled) {
            $policySetting.State = "Enabled"
        }
        $policySetting.RequestBodyCheck = $appgw.WebApplicationFirewallConfiguration.RequestBodyCheck
    }
    if ($appgw.FirewallPolicy) {
        # Existing custom-rules-only policy: carry its custom rules into the new full policy
        $customRulePolicyId = $appgw.FirewallPolicy.Id
        $rg = Get-AzResourceGroup -Name $resourceGroupName
        $crPolicyName = $customRulePolicyId.Substring($customRulePolicyId.LastIndexOf("/") + 1)
        $customRulePolicy = Get-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg.ResourceGroupName -Name $crPolicyName
        $wafPolicy = New-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg.ResourceGroupName -Name $wafPolicyName -CustomRule $customRulePolicy.CustomRules -ManagedRule $managedRule -PolicySetting $policySetting -Location $appgw.Location
    } else {
        $wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $resourceGroupName -PolicySetting $policySetting -ManagedRule $managedRule -Location $appgw.Location
    }
    if (!$wafPolicy) {
        return
    }
    # Replace the legacy configuration with the new policy and push the change to the gateway
    $appgw.WebApplicationFirewallConfiguration = $null
    $appgw.FirewallPolicy = $wafPolicy
    $appgw = Set-AzApplicationGateway -ApplicationGateway $appgw
    Write-Host " firewallPolicy: $wafPolicyName has been created/updated successfully and applied to applicationGateway: $applicationGatewayName!"
    return $wafPolicy
}

function Main() {
    Login
    $policy = createNewTopLevelWafPolicy -subscriptionId $subscriptionId -resourceGroupName $resourceGroupName -applicationGatewayName $applicationGatewayName -wafPolicyName $wafPolicyName
    return $policy
}

Main
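Step 4 of the procedure checks the association in the portal. The following function is an added example, not part of the Microsoft script, that performs the same check from PowerShell and, when a JSON snapshot of the pre-migration WebApplicationFirewallConfiguration is available (for example written with ConvertTo-Json before the script ran), compares the new policy's settings, rule set, per-rule overrides and exclusion count against it. The function name Confirm-WafPolicyMigration and the snapshot parameter are assumptions; it expects the Az.Network module and an existing sign-in.

```powershell
# Added example (not part of the Microsoft script): verify the migration result.
# Assumes Az.Network is loaded and Connect-AzAccount has already been run.
function Confirm-WafPolicyMigration {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        [Parameter(Mandatory = $true)] [string] $ApplicationGatewayName,
        [Parameter(Mandatory = $true)] [string] $WafPolicyName,
        # Optional: JSON produced from the gateway's WebApplicationFirewallConfiguration before migration (hypothetical file).
        [string] $SnapshotPath
    )

    $appgw  = Get-AzApplicationGateway -Name $ApplicationGatewayName -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name $WafPolicyName -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    $problems = [System.Collections.Generic.List[string]]::new()

    # Association: the gateway must reference exactly this policy and no longer carry the legacy configuration.
    if (-not $appgw.FirewallPolicy -or $appgw.FirewallPolicy.Id -ne $policy.Id) {
        $problems.Add("Gateway references '$($appgw.FirewallPolicy.Id)' instead of '$($policy.Id)'.")
    }
    if ($appgw.WebApplicationFirewallConfiguration) {
        $problems.Add('Legacy WebApplicationFirewallConfiguration is still present on the gateway.')
    }
    if ($policy.PolicySettings.State -ne 'Enabled') {
        # Not necessarily wrong (a disabled WAF configuration migrates to a disabled policy), but worth surfacing.
        Write-Warning "Policy '$($policy.Name)' state is '$($policy.PolicySettings.State)'; requests are not being inspected."
    }

    if ($SnapshotPath) {
        $before   = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
        $settings = $policy.PolicySettings
        $expectedState = if ($before.Enabled) { 'Enabled' } else { 'Disabled' }
        # Scalar settings the script copies one-to-one.
        $checks = @(
            @{ Name = 'State';                  Expected = $expectedState;                 Actual = $settings.State }
            @{ Name = 'Mode';                   Expected = $before.FirewallMode;           Actual = $settings.Mode }
            @{ Name = 'RequestBodyCheck';       Expected = [bool]$before.RequestBodyCheck; Actual = [bool]$settings.RequestBodyCheck }
            @{ Name = 'MaxRequestBodySizeInKb'; Expected = $before.MaxRequestBodySizeInKb; Actual = $settings.MaxRequestBodySizeInKb }
            @{ Name = 'FileUploadLimitInMb';    Expected = $before.FileUploadLimitInMb;    Actual = $settings.FileUploadLimitInMb }
        )
        foreach ($c in $checks) {
            if ("$($c.Expected)" -ne "$($c.Actual)") {
                $problems.Add("$($c.Name): expected '$($c.Expected)', policy has '$($c.Actual)'.")
            }
        }

        # Managed rule set type/version, and the per-rule overrides that replaced DisabledRuleGroups.
        $ruleSet = @($policy.ManagedRules.ManagedRuleSets)[0]
        if ($ruleSet.RuleSetType -ne $before.RuleSetType -or $ruleSet.RuleSetVersion -ne $before.RuleSetVersion) {
            $problems.Add("Rule set is $($ruleSet.RuleSetType) $($ruleSet.RuleSetVersion); expected $($before.RuleSetType) $($before.RuleSetVersion).")
        }
        foreach ($group in @($before.DisabledRuleGroups | Where-Object { $_ })) {
            $override    = $ruleSet.RuleGroupOverrides | Where-Object { $_.RuleGroupName -eq $group.RuleGroupName }
            $expectedIds = (@($group.Rules | ForEach-Object { "$_" }) | Sort-Object) -join ','
            $actualIds   = (@($override.Rules | ForEach-Object { "$($_.RuleId)" }) | Sort-Object) -join ','
            if ($expectedIds -ne $actualIds) {
                $problems.Add("Rule group '$($group.RuleGroupName)': disabled rules [$expectedIds] vs overrides [$actualIds].")
            }
        }

        # Exclusion count: the script maps each legacy exclusion to exactly one policy exclusion.
        $beforeExcl = @($before.Exclusions | Where-Object { $_ }).Count
        $afterExcl  = @($policy.ManagedRules.Exclusions | Where-Object { $_ }).Count
        if ($beforeExcl -ne $afterExcl) {
            $problems.Add("Exclusion count changed from $beforeExcl to $afterExcl.")
        }
    }

    [pscustomobject]@{
        Policy   = $policy.Name
        Verified = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage (placeholder values):
# Confirm-WafPolicyMigration -ResourceGroupName '<rg>' -ApplicationGatewayName '<appgw>' -WafPolicyName '<new-policy>' -SnapshotPath '.\waf-config-before-migration.json'
```

Without a snapshot the function only confirms the association and that the legacy configuration is gone; with one, any setting, rule override or exclusion that did not survive the migration is listed in Problems so it can be fixed on the new policy before traffic depends on it.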
Next steps
Learn more about Web Application Firewall CRS rule groups and rules.