Add support to AppGw Exception feature #27863

Merged
merged 5 commits into from
Jun 3, 2025
Expand Up @@ -269,6 +269,14 @@ public void TestTopLevelWafPolicyPerRuleExclusions()
TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
public void TestApplicationGatewayWafPolicyExceptions()
{
TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithException -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
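--- a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
@@ -4369,6 +4369,73 @@ function Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions
 }
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithException
+{
+# Setup
+$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+$rgname = Get-ResourceGroupName
+$wafPolicyName = Get-ResourceName
+
+try
+{
+$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+# Check firewall policy
+Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+
+$ruleEntry1 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942100
+$ruleEntry2 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942110
+$sqlRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleEntry1,$ruleEntry2
+
+$ruleEntry3 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 941100
+$xssRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleEntry3
+
+$exceptionRuleSetEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet -Type "OWASP" -Version "3.2" -RuleGroup $sqlRuleGroupEntry,$xssRuleGroupEntry
+
+$exceptionValue1 = "hey"
+$exceptionValue2 = "hi"
+
+$exceptionEntry = New-AzApplicationGatewayFirewallPolicyException -MatchVariable RequestURI -Value $exceptionValue1,$exceptionValue2 -ValueMatchOperator Contains -ExceptionManagedRuleSet $exceptionRuleSetEntry
+
+$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exception $exceptionEntry
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 750 -MaxRequestBodySizeInKb 128
+$policy.managedRules = $managedRules
+$policy.PolicySettings = $policySettings
+Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups.Count 2
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[0].Rules.Count 2
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[1].Rules.Count 1
+Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+}
+finally
+{
+# Cleanup
+Clean-ResourceGroup $rgname
+}
+}
+
 <#
 .SYNOPSIS
 Application gateway v2 waf policy with log scrubbing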
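Review bot: The round-trip assertions after Set-AzApplicationGatewayFirewallPolicy only check element counts (Exceptions.Count, RuleGroups.Count, Rules.Count); the match condition itself — MatchVariable, ValueMatchOperator and the two Values — is never compared against what was sent. An exception exempts matching requests from the listed managed rules, so an operator or value that is dropped or widened on the way through the SDK would silently broaden the WAF bypass without failing this test. Add at least `Assert-AreEqual $policy.ManagedRules.Exceptions[0].MatchVariable "RequestURI"`, `Assert-AreEqual $policy.ManagedRules.Exceptions[0].ValueMatchOperator "Contains"` and `Assert-AreEqual $policy.ManagedRules.Exceptions[0].Values.Count 2`, and ideally the rule group names and rule IDs (942100, 942110, 941100) as well. A second case covering RequestHeader with Selector/SelectorMatchOperator would exercise the only code path in the new cmdlet that uses the optional parameters.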

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions src/Network/Network/Az.Network.psd1
Expand Up @@ -341,6 +341,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
'New-AzApplicationGatewayFirewallDisabledRuleGroupConfig',
'New-AzApplicationGatewayFirewallExclusionConfig',
'New-AzApplicationGatewayFirewallMatchVariable',
'New-AzApplicationGatewayFirewallPolicyException',
'New-AzApplicationGatewayFirewallPolicy',
'New-AzApplicationGatewayFirewallPolicyExclusion',
'New-AzApplicationGatewayFirewallPolicyExclusionManagedRule',
2 changes: 2 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -19,6 +19,8 @@
--->

## Upcoming Release
* Onboarded Application Gateway WAF Exceptions cmdlet.
- `New-AzApplicationGatewayFirewallPolicyException`

## Version 7.17.0
* Added properties 'PublicIpAddressesV6', 'PublicIpPrefixesV6', and 'SourceVirtualNetwork' to NatGateway, as well as support for it for the following cmdlets:
Expand Up @@ -33,6 +33,12 @@ public class AzureApplicationGatewayFirewallPolicyManagedRules : NetworkBaseCmdl
[ValidateNotNullOrEmpty]
public PSApplicationGatewayFirewallPolicyExclusion[] Exclusion { get; set; }

[Parameter(
Mandatory = false,
HelpMessage = "List of Exception Entry.")]
[ValidateNotNullOrEmpty]
public PSApplicationGatewayFirewallPolicyException[] Exception { get; set; }

public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
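Review bot: The help text on the new parameter, `HelpMessage = "List of Exception Entry."`, does not tell the operator what an entry does or how to build one; suggest `HelpMessage = "Exceptions that skip the listed managed rules for matching requests. Create each entry with New-AzApplicationGatewayFirewallPolicyException."` so the bypass semantics are visible at `Get-Help` time. The class AzureApplicationGatewayFirewallPolicyManagedRules continues past this hunk, and the code that copies `Exception` into the resulting managed-rules object is not visible here, so whether the parameter is actually wired through cannot be confirmed from this section.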
@@ -0,0 +1,79 @@
// ----------------------------------------------------------------------------------
//
// Copyright Microsoft Corporation
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ----------------------------------------------------------------------------------

using Microsoft.Azure.Commands.Network.Models;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;

namespace Microsoft.Azure.Commands.Network
{
public class AzureApplicationGatewayFirewallPolicyException : NetworkBaseCmdlet
{
[Parameter(
Mandatory = true,
HelpMessage = "The variable on which we evaluate the exception condition.")]
[ValidateSet("RequestURI", "RemoteAddr", "RequestHeader", IgnoreCase = true)]
[ValidateNotNullOrEmpty]
public string MatchVariable { get; set; }

[Parameter(
Mandatory = true,
HelpMessage = "Allowed values for the matchVariable.")]
[ValidateNotNullOrEmpty]
public string[] Value { get; set; }

[Parameter(
Mandatory = true,
HelpMessage = "Operates on the allowed values for the matchVariable.")]
[ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", "IPMatch", IgnoreCase = true)]
[ValidateNotNullOrEmpty]
public string ValueMatchOperator { get; set; }

[Parameter(
Mandatory = false,
HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector.")]
[ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", IgnoreCase = true)]
public string SelectorMatchOperator { get; set; }

[Parameter(
Mandatory = false,
HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key.")]
public string Selector { get; set; }

[Parameter(
Mandatory = false,
HelpMessage = "The managed rule sets that are associated with the exception.")]
[ValidateNotNullOrEmpty]
public PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet[] ExceptionManagedRuleSet { get; set; }

public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
}

protected PSApplicationGatewayFirewallPolicyException NewObject()
{
return new PSApplicationGatewayFirewallPolicyException()
{
MatchVariable = this.MatchVariable,
Values = this.Value.ToList(),
ValueMatchOperator = this.ValueMatchOperator,
SelectorMatchOperator = this.SelectorMatchOperator,
Selector = this.Selector,
ExceptionManagedRuleSets = this.ExceptionManagedRuleSet?.ToList()
};
}
}
}
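Review bot: NewObject() copies the parameters through with no cross-field validation, so a caller can build an exception with MatchVariable RequestHeader and no Selector, or ValueMatchOperator IPMatch against RequestURI; the parameter help on lines 218 and 224 says Selector "identifies the key" for key-value match variables, so presumably the service either rejects such an object or, worse, treats it as matching every header — which would turn a narrow exception into a broad WAF bypass. The operators and variables are strings validated only individually via [ValidateSet], so the combinations are the cmdlet's responsibility. I would reject the inconsistent combinations locally before the object reaches Set-AzApplicationGatewayFirewallPolicy (needs `using System;` for StringComparison), and document the class with a summary such as "Builds an in-memory WAF exception: requests whose MatchVariable satisfies ValueMatchOperator against Value skip the managed rules listed in ExceptionManagedRuleSet." Whether an exception with no ExceptionManagedRuleSet exempts all managed rules is not determinable from this file and should be confirmed and stated in the parameter help.
```csharp
protected PSApplicationGatewayFirewallPolicyException NewObject()
{
    // Selector only has meaning for key-value match variables (RequestHeader); a header
    // exception without a selector would presumably match every header — confirm with service.
    bool isHeader = string.Equals(this.MatchVariable, "RequestHeader", StringComparison.OrdinalIgnoreCase);
    if (isHeader && string.IsNullOrWhiteSpace(this.Selector))
    {
        throw new PSArgumentException("Selector is required when MatchVariable is RequestHeader.", nameof(Selector));
    }
    if (!isHeader && (this.Selector != null || this.SelectorMatchOperator != null))
    {
        throw new PSArgumentException("Selector and SelectorMatchOperator apply only when MatchVariable is RequestHeader.", nameof(Selector));
    }
    // IPMatch compares CIDR ranges, which only makes sense against RemoteAddr.
    if (string.Equals(this.ValueMatchOperator, "IPMatch", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(this.MatchVariable, "RemoteAddr", StringComparison.OrdinalIgnoreCase))
    {
        throw new PSArgumentException("IPMatch is valid only when MatchVariable is RemoteAddr.", nameof(ValueMatchOperator));
    }
    // … unchanged: object initializer returning PSApplicationGatewayFirewallPolicyException …
}
```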
@@ -0,0 +1,29 @@
// ----------------------------------------------------------------------------------
//
// Copyright Microsoft Corporation
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ----------------------------------------------------------------------------------

using Microsoft.Azure.Commands.Network.Models;
using System.Management.Automation;

namespace Microsoft.Azure.Commands.Network
{
[Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyException", SupportsShouldProcess = true), OutputType(typeof(PSApplicationGatewayFirewallPolicyException))]
public class NewAzureApplicationGatewayFirewallPolicyExceptionCommand : AzureApplicationGatewayFirewallPolicyException
{
public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
WriteObject(base.NewObject());
}
}
}
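Review bot: The cmdlet attribute declares `SupportsShouldProcess = true` but ExecuteCmdlet never calls ShouldProcess, so `-WhatIf` and `-Confirm` are accepted and silently ignored while the object is still written. For an in-memory builder that touches no resource the cleaner fix is to drop SupportsShouldProcess; if the sibling New-AzApplicationGatewayFirewallPolicyExclusion* cmdlets keep it for consistency (not visible here), gate the write instead: `if (ShouldProcess("ApplicationGatewayFirewallPolicyException", "Create")) { WriteObject(base.NewObject()); }`. A one-line XML summary on the class, e.g. `/// <summary>Creates an in-memory WAF exception entry for New-AzApplicationGatewayFirewallPolicyManagedRule -Exception.</summary>`, would also help readers of the generated help.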
@@ -0,0 +1,42 @@
//
// Copyright (c) Microsoft. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

using Microsoft.Azure.Management.Network.Models;
using Microsoft.WindowsAzure.Commands.Common.Attributes;
using System.Collections.Generic;

namespace Microsoft.Azure.Commands.Network.Models
{
public partial class PSApplicationGatewayFirewallPolicyException
{
[Ps1Xml(Target = ViewControl.Table)]
public string MatchVariable { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public List<string> Values { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public string ValueMatchOperator { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public string SelectorMatchOperator { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public string Selector { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public List<PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet> ExceptionManagedRuleSets { get; set; }
}
}
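Review bot: The model has no documentation, and its property names alone do not convey that this object weakens WAF enforcement; a reader of `Get-AzApplicationGatewayFirewallPolicy` output cannot tell from the type what `Values` or `ExceptionManagedRuleSets` mean. Add a class summary along the lines of "A WAF exception: requests whose MatchVariable matches Values under ValueMatchOperator are not evaluated against the managed rule sets, groups and rules listed in ExceptionManagedRuleSets", and per-property summaries noting that `Selector`/`SelectorMatchOperator` are only populated for key-value match variables such as RequestHeader (as the cmdlet help states). The exact semantics of an empty `ExceptionManagedRuleSets` are not determinable from this file and should be confirmed before being documented.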
Expand Up @@ -27,5 +27,8 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRules

[Ps1Xml(Target = ViewControl.Table)]
public List<PSApplicationGatewayFirewallPolicyExclusion> Exclusions { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public List<PSApplicationGatewayFirewallPolicyException> Exceptions { get; set; }
}
}
3 changes: 3 additions & 0 deletions src/Network/Network/help/Az.Network.md
Expand Up @@ -942,6 +942,9 @@ Creates a match variable for firewall condition.
### [New-AzApplicationGatewayFirewallPolicy](New-AzApplicationGatewayFirewallPolicy.md)
Creates a application gateway firewall policy.

### [New-AzApplicationGatewayFirewallPolicyException](New-AzApplicationGatewayFirewallPolicyException.md)
Creates an exception on the Firewall Policy

### [New-AzApplicationGatewayFirewallPolicyExclusion](New-AzApplicationGatewayFirewallPolicyExclusion.md)
Creates an exclusion on the Firewall Policy
