Toggle an Application Gateway WAF to Prevention/Detection mode
Goal: Toggle an Application Gateway WAF between prevention and detection mode via code.
Configuration Details:
- App GW SKU: WAFv2
- Application Gateway WAF deployed
- Custom rules and managed policies are implemented
- WAF is Associated to Application Gateway
Pre-requisite Commands:
```powershell
$policyName = *Input*
$appGWName = *Input*
$appGWRG = *Input*
$location = *Input*
$gw = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $appGWRG
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG
```
What I've attempted:
Manually I am able to switch from prevention to detection. (Successful)
Using a PowerShell command I'm able to update the WAF policy setting directly, but it does not replicate to the resource itself.
```powershell
$policy.PolicySettings.Mode = "Prevention"
$policy.PolicySettings.Mode = "Detection"
```
Using a PowerShell command I'm able to update the WAF policy via the Application Gateway, but it doesn't replicate to the WAF or Application Gateway.
```powershell
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -FirewallMode Detection -ApplicationGateway $gw -Enabled $true
```
Getting the following error:
```text
Set-AzApplicationGateway: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/7bba5d50-5df8-49be-b59d-b737e7663335/resourceGroups/pbolkun-RG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/WafPolicyProdEusAgw associated with it.
```
I've also tried `Set-AzApplicationGateway -ApplicationGateway $gw` at the end of each implementation which again, doesn't work.
I'd like a programmatic way so that I can utilize IaC to the max. I'd prefer to avoid deploying an ARM template each time I want to switch between the two for testing.
Thank you in advance!
Solution 1:[1]
I tested the same in my environment by creating an App Gateway & WAF Policy and associating the policy to the App Gateway.
Then I used the below code to change the Firewall Policy Setting and update the application gateway:
```powershell
param
(
    [string] $policyName = "ansumanwafpolicy",
    [string] $appGWName  = "appansumangw",
    [string] $appGWRG    = "ansumantest",
    [string] $location   = "West US 2",
    [string] $policyMode = "Detection"   # "Detection" or "Prevention"
)

$gw     = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $appGWRG
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG

# Rebuild the policy settings, changing only the mode and carrying every other
# existing value across so the update does not reset them.
$update = @{
    Mode                   = $policyMode
    State                  = $policy.PolicySettings.State
    RequestBodyCheck       = $policy.PolicySettings.RequestBodyCheck
    MaxRequestBodySizeInKb = $policy.PolicySettings.MaxRequestBodySizeInKb
    FileUploadLimitInMb    = $policy.PolicySettings.FileUploadLimitInMb
}

# This call is what changes the mode in Azure: with a WAF policy associated,
# the policy's settings govern the gateway.
$UpdatePolicy = Set-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG -PolicySetting $update

# This cmdlet only modifies the in-memory $gw object; nothing is committed
# to the gateway unless Set-AzApplicationGateway is run afterwards.
$UpdateAPPGW = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -FirewallMode $policyMode -ApplicationGateway $gw -Enabled $gw.WebApplicationFirewallConfiguration.Enabled -RuleSetType $gw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $gw.WebApplicationFirewallConfiguration.RuleSetVersion
```
Output:
It doesn't reflect immediately, but running the get appgw command after a few minutes shows the change like below:
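As an added example (not the answerer's script), the same mode switch wrapped in a function that first confirms the policy is the one attached to the gateway, commits the whole fetched policy object with the `-InputObject` parameter set of `Set-AzApplicationGatewayFirewallPolicy` so custom and managed rules are preserved, and then polls until Azure reads the new mode back, since the answer notes the change is not visible immediately. It assumes Az.Network is installed, `Connect-AzAccount` has already run, and the resource names in the usage line are placeholders.

```powershell
function Set-WafPolicyMode {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [ValidateSet('Prevention', 'Detection')] [string] $Mode,
        [string] $AppGatewayName,     # optional: verify this gateway uses the policy
        [int]    $TimeoutSeconds = 300
    )

    # Fetch the complete policy so rules and other settings travel with the update.
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName

    if ($AppGatewayName) {
        $gw = Get-AzApplicationGateway -Name $AppGatewayName -ResourceGroupName $ResourceGroupName
        # With a policy attached, FirewallPolicy.Id is authoritative and the legacy
        # WebApplicationFirewallConfiguration block cannot be edited (the error in the question).
        if ($gw.FirewallPolicy.Id -ne $policy.Id) {
            throw "Gateway '$AppGatewayName' is not associated with policy '$PolicyName' (attached: $($gw.FirewallPolicy.Id))"
        }
    }

    if ($policy.PolicySettings.Mode -eq $Mode) {
        Write-Verbose "Policy '$PolicyName' is already in $Mode mode"
        return $policy
    }

    # Change only the mode; every other setting keeps the value just fetched.
    $policy.PolicySettings.Mode = $Mode
    $null = Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

    # The gateway picks the change up asynchronously: poll the read-back value
    # instead of trusting the return of the Set call.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $current = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
        if ($current.PolicySettings.Mode -eq $Mode -and $current.ProvisioningState -eq 'Succeeded') {
            return $current
        }
    } while ((Get-Date) -lt $deadline)

    throw "Policy '$PolicyName' did not reach $Mode mode within $TimeoutSeconds s (last seen: $($current.PolicySettings.Mode), $($current.ProvisioningState))"
}

# Placeholder names: switch to Detection for a test window, then back to Prevention.
Set-WafPolicyMode -PolicyName '<waf-policy>' -ResourceGroupName '<rg>' -AppGatewayName '<appgw>' -Mode Detection -Verbose
Set-WafPolicyMode -PolicyName '<waf-policy>' -ResourceGroupName '<rg>' -AppGatewayName '<appgw>' -Mode Prevention -Verbose
```

Because the function fails when the gateway is not using the named policy, it will not silently update a different policy than the one actually enforcing traffic.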
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | AnsumanBal-MT |