
I'm trying to update a Frontdoor WAF policy through the REST API, following the article linked below, but I'm running into several issues.

- The article seems to be focused on Frontdoor Classic, not Premium, so the JSON in the article doesn't work.
- Adding an empty tags value solves the tags error.

https://learn.microsoft.com/en-us/rest/api/frontdoorservice/webapplicationfirewall/policies/create-or-update?tabs=HTTP#skuname

Can't get anywhere with MS Support, hoping anyone here has experience with this.

HTTP response:

{
  "errors": {
    "sku": [
      "Could not find member 'sku' on object of type 'WebApplicationFirewallPatchRequestModel'. Path 'sku', line 1, position 7070."
    ],
    "tags": [
      "Required property 'tags' not found in JSON. Path '', line 1, position 7104."
    ],
    "location": [
      "Could not find member 'location' on object of type 'WebApplicationFirewallPatchRequestModel'. Path 'location', line 1, position 12."
    ],
    "properties": [
      "Could not find member 'properties' on object of type 'WebApplicationFirewallPatchRequestModel'. Path 'properties', line 1, position 35."
    ]
  },
  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
  "title": "One or more validation errors occurred.",
  "status": 400,
  "traceId": "00-1006d4208c3a8e569d9ec0ff3513ca31-cc06e3e858308547-01"
}

JSON POST body (shortened):


{
  "location": "global",
  "properties": {
    "customRules": {
      "rules": [
        {
          "name": "AllowCDN",
          "enabledState": "Enabled",
          "priority": 110,
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 1,
          "rateLimitThreshold": 100,
          "matchConditions": [
            {
              "matchVariable": "RequestUri",
              "selector": null,
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "snip.azureedge.net",
                "snip.azureedge.net"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Allow"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "Microsoft_DefaultRuleSet",
          "ruleSetVersion": "2.1",
          "ruleSetAction": "Block",
          "ruleGroupOverrides": [],
          "exclusions": []
        },
        {
          "ruleSetType": "Microsoft_BotManagerRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": null,
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "GoodBots",
              "rules": [
                {
                  "ruleId": "Bot200200",
                  "enabledState": "Enabled",
                  "action": "Block",
                  "exclusions": []
                }
              ],
              "exclusions": []
            },
            {
              "ruleGroupName": "UnknownBots",
              "rules": [
                {
                  "ruleId": "Bot300200",
                  "enabledState": "Enabled",
                  "action": "Block",
                  "exclusions": []
                },
                {
                  "ruleId": "Bot300600",
                  "enabledState": "Enabled",
                  "action": "Block",
                  "exclusions": []
                },
                {
                  "ruleId": "Bot300700",
                  "enabledState": "Enabled",
                  "action": "Log",
                  "exclusions": []
                },
                {
                  "ruleId": "Bot300400",
                  "enabledState": "Enabled",
                  "action": "Log",
                  "exclusions": []
                },
                {
                  "ruleId": "Bot300300",
                  "enabledState": "Enabled",
                  "action": "Block",
                  "exclusions": []
                }
              ],
              "exclusions": []
            }
          ],
          "exclusions": []
        }
      ]
    },
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": null,
      "customBlockResponseStatusCode": null,
      "customBlockResponseBody": null,
      "requestBodyCheck": "Enabled"
    }
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}

Updating an existing Frontdoor Premium WAF policy doesn't work.

Markus Meyer
Jeremy

1 Answer


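I was able to execute the Update REST API above for my Azure Front Door Standard policy. The process I followed was to make the GET REST API call first, copy the response body, make the required updates in that JSON, and then use it as the request body of the Update REST API call. The reference JSON below worked for me. Start from the GET response of your own policy rather than from these sample values: the sample runs in Detection mode with the request body check disabled and no managed rule sets, and because the request body carries the whole policy, sending it as-is would put those weaker settings in place of a Prevention-mode policy's.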

{
  "id": "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/xxxxx",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "name": "xxxxx",
  "location": "Global",
  "tags": {
    "Reason": "Repro",
    "CreatedDate": "12/29/2022 2:40:29 AM",
    "CreatedBy": "xxxxx",
    "OwningTeam": "xxxxx"
  },
  "sku": {
    "name": "Standard_AzureFrontDoor"
  },
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Detection",
      "redirectUrl": null,
      "customBlockResponseStatusCode": 403,
      "customBlockResponseBody": null,
      "requestBodyCheck": "Disabled"
    },
    "customRules": {
      "rules": [
        {
          "name": "testcustomrule",
          "enabledState": "Enabled",
          "priority": 100,
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 1,
          "rateLimitThreshold": 100,
          "matchConditions": [
            {
              "matchVariable": "SocketAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "UY"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "testcustomrule2",
          "enabledState": "Enabled",
          "priority": 101,
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 1,
          "rateLimitThreshold": 100,
          "matchConditions": [
            {
              "matchVariable": "SocketAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "AU"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": []
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": [
      {
        "id": "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.Cdn/profiles/xxxxx/securitypolicies/xxxxx"
      }
    ],
    "routingRuleLinks": [],
    "resourceState": "Enabled",
    "provisioningState": "Succeeded"
  }
}
ChaitanyaN-MSFT