Reputation: 1
Azure REST API throws "WAF Policy does not have any valid Primary Rule Set attached to it." error
The Azure REST API that I'm trying to call to update my WAF policy is throwing an error saying the policy doesn't have any valid primary rule set attached to it. This is the API I'm trying to hit - https://learn.microsoft.com/en-us/rest/api/application-gateway/web-application-firewall-policies/create-or-update?tabs=HTTP
I have set up AFD and configured WAF to it. I'm also able to create a WAF policy through portal. I'm unsure if I've missed some proper configs as I've set up everything purely for testing purpose. This is essentially what I followed to set up AFD - https://learn.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Upvotes: 0
Views: 640
Answers (1)
Reputation: 16226
I created an Azure AD Application and granted API permissions:
I generated access token by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:https://management.azure.com/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret
By using the access token, I created Web Application Firewall Policies:
PUT https://management.azure.com/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/Policy1?api-version=2023-02-01
{
"location": "WestUs",
"properties": {
"policySettings": {
"logScrubbing": {
"state": "Enabled",
"scrubbingRules": [
{
"state": "Enabled",
"matchVariable": "RequestArgNames",
"selectorMatchOperator": "Equals",
"selector": "test"
},
{
"state": "Enabled",
"matchVariable": "RequestIPAddress",
"selectorMatchOperator": "EqualsAny"
}
]
}
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "OWASP",
"ruleSetVersion": "3.2",
"ruleGroupOverrides": [
{
"ruleGroupName": "REQUEST-931-APPLICATION-ATTACK-RFI",
"rules": [
{
"ruleId": "931120",
"state": "Enabled",
"action": "Log"
},
{
"ruleId": "931130",
"state": "Disabled",
"action": "AnomalyScoring"
}
]
}
]
}
],
"exclusions": [
{
"matchVariable": "RequestArgNames",
"selectorMatchOperator": "StartsWith",
"selector": "hello",
"exclusionManagedRuleSets": [
{
"ruleSetType": "OWASP",
"ruleSetVersion": "3.2",
"ruleGroups": [
{
"ruleGroupName": "REQUEST-930-APPLICATION-ATTACK-LFI",
"rules": [
{
"ruleId": "930120"
}
]
},
{
"ruleGroupName": "REQUEST-932-APPLICATION-ATTACK-RCE"
}
]
}
]
},
{
"matchVariable": "RequestArgNames",
"selectorMatchOperator": "EndsWith",
"selector": "hello",
"exclusionManagedRuleSets": [
{
"ruleSetType": "OWASP",
"ruleSetVersion": "3.1",
"ruleGroups": []
}
]
},
{
"matchVariable": "RequestArgNames",
"selectorMatchOperator": "StartsWith",
"selector": "test"
},
{
"matchVariable": "RequestArgValues",
"selectorMatchOperator": "StartsWith",
"selector": "test"
}
]
},
"customRules": [
{
"name": "Rule1",
"priority": 1,
"ruleType": "MatchRule",
"action": "Block",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr",
"selector": null
}
],
"operator": "IPMatch",
"matchValues": [
"192.168.1.0/24",
"10.0.0.0/24"
]
}
]
},
{
"name": "Rule2",
"priority": 2,
"ruleType": "MatchRule",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr",
"selector": null
}
],
"operator": "IPMatch",
"matchValues": [
"192.168.1.0/24"
]
},
{
"matchVariables": [
{
"variableName": "RequestHeaders",
"selector": "UserAgent"
}
],
"operator": "Contains",
"matchValues": [
"Windows"
]
}
],
"action": "Block"
},
{
"name": "RateLimitRule3",
"priority": 3,
"rateLimitDuration": "OneMin",
"rateLimitThreshold": 10,
"ruleType": "RateLimitRule",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr",
"selector": null
}
],
"operator": "IPMatch",
"negationConditon": true,
"matchValues": [
"192.168.1.0/24",
"10.0.0.0/24"
]
}
],
"groupByUserSession": [
{
"groupByVariables": [
{
"variableName": "ClientAddr"
}
]
}
],
"action": "Block"
}
]
}
}
The WAF policy created in the resource group:
Now I tried to update the WAF policy, updating the custom rule name:
PUT https://management.azure.com/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/Policy1?api-version=2023-02-01
"customRules": [
{
"name": "RuleRuk",
"priority": 1,
"ruleType": "MatchRule",
"action": "Block",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr",
"selector": null
}
],
The custom rule name updated successfully like below:
Note that: You have to pass resource group name in which the WAF policy is present to update the policy.
Upvotes: 0
Related Questions
- Modify the Azure application gateway rule using rest api
- Update Azure FrontdoorPremium Web Application Firewall Policy by API
- WAF Policy attachment to Application Gateway, and REST API
- Error creating role assignment using Azure REST API - Principal does not exist in the directory
- Disable AFD Backend Pool's Backend Host with Azure Cli or Azure REST API
- Trouble with Azure API Management TRACE policy rule not expanding variables in the message
- How do you restrict access to Azure Web App by incoming header value?
- Does Azure API Management include WAF functionality?
- Can not update Azure Application Gateway - Error: The disabled Rule '920300' is unknown