
Goal: Toggle an Application Gateway WAF between prevention and detection mode via code.

Configuration Details:

  • App GW SKU: WAFv2
  • Application Gateway WAF deployed
  • Custom rules and managed policies are implemented
  • WAF policy is associated with the Application Gateway

Pre-requisite Commands:

$policyName = *Input*
$appGWName = *Input*
$appGWRG = *Input*
$location = *Input*
$gw = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $appGWRG
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG

What I've attempted:

  1. Manually I am able to switch from prevention to detection. (Successful)

  2. Using a PowerShell command I'm able to update the WAF policy setting directly, but it does not replicate to the resource itself.

    $policy.PolicySettings.Mode = "Prevention"
    $policy.PolicySettings.Mode = "Detection"
    
  3. Using a PowerShell command I'm able to update the WAF policy via the Application Gateway, but it doesn't replicate to the WAF or Application Gateway.

    Set-AzApplicationGatewayWebApplicationFirewallConfiguration -FirewallMode Detection -ApplicationGateway $gw -Enabled $true
    

Getting the following error:

Set-AzApplicationGateway: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/7bba5d50-5df8-49be-b59d-b737e7663335/resourceGroups/pbolkun-RG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/WafPolicyProdEusAgw associated with it.

I've also tried Set-AzApplicationGateway -ApplicationGateway $gw at the end of each implementation which, again, doesn't work.

I'd like a programmatic way so that I can utilize IaC to the max. I'd prefer to avoid deploying an ARM template each time I want to switch between the two for testing.

Thank you in advance!


1 Answer


I tested the same in my environment by creating an App Gateway and a WAF Policy and associating the policy with the App Gateway.


Then I used the below code to change the Firewall Policy setting and update the Application Gateway:

param
(
    [string] $policyName = "ansumanwafpolicy",
    [string] $appGWName  = "appansumangw",
    [string] $appGWRG    = "ansumantest",
    [string] $location   = "West US 2",
    [string] $policyMode = "Detection"   # "Detection" or "Prevention"
)

# Read the gateway and the WAF policy that is associated with it
$gw     = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $appGWRG
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG

# Build the new policy settings: only Mode changes, every other setting is
# carried over from the current policy
$update = @{
    Mode                   = $policyMode
    State                  = $policy.PolicySettings.State
    RequestBodyCheck       = $policy.PolicySettings.RequestBodyCheck
    MaxRequestBodySizeInKb = $policy.PolicySettings.MaxRequestBodySizeInKb
    FileUploadLimitInMb    = $policy.PolicySettings.FileUploadLimitInMb
}

# Write the settings back to the policy resource
$UpdatePolicy = Set-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $appGWRG -PolicySetting $update

# Mirror the mode on the gateway's local WAF configuration object
$UpdateAPPGW = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -FirewallMode $policyMode -ApplicationGateway $gw -Enabled $gw.WebApplicationFirewallConfiguration.Enabled -RuleSetType $gw.WebApplicationFirewallConfiguration.RuleSetType -RuleSetVersion $gw.WebApplicationFirewallConfiguration.RuleSetVersion


It doesn't reflect immediately, but running the Get-AzApplicationGateway command after a few minutes shows the change.

  • Hi AnsumanBal-MT, thanks for your response. My question for you on this is whether there were any changes to your Application Gateway when running "Set-AzApplicationGateway" as this is meant to update the App GW, but in testing I noticed that it modified the scaling settings. I hadn't configured any listeners, routes in my sandbox which is the concern (i.e were these modified at all?). As well did you notice any WAF policy settings change, such as custom rules/managed rules? – ChiefSmo Feb 03 '22 at 12:36
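An added example, not part of the question or the answer above, of toggling the mode by writing only to the WAF policy resource. Once a policy is associated with the gateway, the mode is a property of the policy, and the gateway's own WebApplicationFirewallConfiguration is read-only (that is the error in the question). The question's attempt 2 set `$policy.PolicySettings.Mode` in memory but never pushed it; the missing step is `Set-AzApplicationGatewayFirewallPolicy -InputObject $policy`. This version never calls Set-AzApplicationGateway, so it cannot touch listeners, routing rules or autoscale settings, which addresses the concern in the comment above. It assumes Az.Network is installed, Connect-AzAccount has run, and the resource names passed in are your own; the function names are illustrative.

```powershell
# Added example (not from the original question or answer). Assumes Az.Network
# is loaded and the session is authenticated. Names are placeholders.

function Set-WafPolicyMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [ValidateSet('Prevention', 'Detection')] [string] $Mode
    )

    # Read the full policy so custom rules, managed rule sets and the remaining
    # policy settings are written back exactly as they are today.
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    $current = $policy.PolicySettings.Mode

    if ($current -eq $Mode) {
        Write-Verbose "Policy '$PolicyName' is already in $Mode mode; nothing to do."
        return $policy
    }

    if ($PSCmdlet.ShouldProcess($PolicyName, "Switch WAF mode $current -> $Mode")) {
        # Change only the mode on the in-memory object ...
        $policy.PolicySettings.Mode = $Mode
        # ... and push the whole object back. Editing $policy alone never reaches Azure.
        Set-AzApplicationGatewayFirewallPolicy -InputObject $policy | Out-Null
    }

    # Re-read rather than trust the local object, so the caller sees what Azure holds.
    return Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
}

function Test-WafPolicyMode {
    # Confirms (a) the policy is in the expected mode and (b) the gateway is
    # actually associated with that policy, so the mode applies to live traffic.
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [ValidateSet('Prevention', 'Detection')] [string] $ExpectedMode
    )
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    $gw     = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

    $modeOk  = $policy.PolicySettings.Mode -eq $ExpectedMode
    $assocOk = $gw.FirewallPolicy -and ($gw.FirewallPolicy.Id -eq $policy.Id)

    if (-not $modeOk)  { Write-Warning "Policy mode is $($policy.PolicySettings.Mode), expected $ExpectedMode" }
    if (-not $assocOk) { Write-Warning "Gateway '$GatewayName' is not associated with policy '$PolicyName'" }
    return ($modeOk -and $assocOk)
}

# Usage (placeholder names): drop to Detection for a test window, then restore.
$rg = 'my-rg'; $pol = 'my-waf-policy'; $agw = 'my-appgw'

Set-WafPolicyMode -PolicyName $pol -ResourceGroupName $rg -Mode Detection -Verbose | Out-Null
Test-WafPolicyMode -PolicyName $pol -GatewayName $agw -ResourceGroupName $rg -ExpectedMode Detection

# ... run the test traffic, review the WAF logs ...

Set-WafPolicyMode -PolicyName $pol -ResourceGroupName $rg -Mode Prevention -Verbose | Out-Null
Test-WafPolicyMode -PolicyName $pol -GatewayName $agw -ResourceGroupName $rg -ExpectedMode Prevention
```

Two operational notes. Detection mode only logs matches and blocks nothing, so a script that flips to Detection for testing should restore Prevention on the same run (a `try`/`finally` around the test traffic is the usual shape), and the switch itself is worth alerting on from the activity log since an attacker with write access to the policy can silence the WAF the same way. Because `-InputObject` writes back the whole policy as it was read, run the read and the write close together; a policy edit made between them by someone else would be overwritten.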