mr_raya
mr_raya

Reputation: 1

Azure REST API throws "WAF Policy does not have any valid Primary Rule Set attached to it." error

The Azure REST API that I'm trying to call to update my WAF policy is throwing an error saying the policy doesn't have any valid primary rule set attached to it. This is the API I'm trying to hit - https://learn.microsoft.com/en-us/rest/api/application-gateway/web-application-firewall-policies/create-or-update?tabs=HTTP

I have set up AFD and configured WAF to it. I'm also able to create a WAF policy through portal. I'm unsure if I've missed some proper configs as I've set up everything purely for testing purpose. This is essentially what I followed to set up AFD - https://learn.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door

Upvotes: 0

Views: 640

Answers (1)

Rukmini
Rukmini

Reputation: 16226

I created an Azure AD Application and granted API permissions:

enter image description here

I generated access token by using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:https://management.azure.com/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret

enter image description here

By using the access token, I created Web Application Firewall Policies:

PUT https://management.azure.com/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/Policy1?api-version=2023-02-01

{
  "location": "WestUs",
  "properties": {
    "policySettings": {
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "state": "Enabled",
            "matchVariable": "RequestArgNames",
            "selectorMatchOperator": "Equals",
            "selector": "test"
          },
          {
            "state": "Enabled",
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny"
          }
        ]
      }
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.2",
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "REQUEST-931-APPLICATION-ATTACK-RFI",
              "rules": [
                {
                  "ruleId": "931120",
                  "state": "Enabled",
                  "action": "Log"
                },
                {
                  "ruleId": "931130",
                  "state": "Disabled",
                  "action": "AnomalyScoring"
                }
              ]
            }
          ]
        }
      ],
      "exclusions": [
        {
          "matchVariable": "RequestArgNames",
          "selectorMatchOperator": "StartsWith",
          "selector": "hello",
          "exclusionManagedRuleSets": [
            {
              "ruleSetType": "OWASP",
              "ruleSetVersion": "3.2",
              "ruleGroups": [
                {
                  "ruleGroupName": "REQUEST-930-APPLICATION-ATTACK-LFI",
                  "rules": [
                    {
                      "ruleId": "930120"
                    }
                  ]
                },
                {
                  "ruleGroupName": "REQUEST-932-APPLICATION-ATTACK-RCE"
                }
              ]
            }
          ]
        },
        {
          "matchVariable": "RequestArgNames",
          "selectorMatchOperator": "EndsWith",
          "selector": "hello",
          "exclusionManagedRuleSets": [
            {
              "ruleSetType": "OWASP",
              "ruleSetVersion": "3.1",
              "ruleGroups": []
            }
          ]
        },
        {
          "matchVariable": "RequestArgNames",
          "selectorMatchOperator": "StartsWith",
          "selector": "test"
        },
        {
          "matchVariable": "RequestArgValues",
          "selectorMatchOperator": "StartsWith",
          "selector": "test"
        }
      ]
    },
    "customRules": [
      {
        "name": "Rule1",
        "priority": 1,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RemoteAddr",
                "selector": null
              }
            ],
            "operator": "IPMatch",
            "matchValues": [
              "192.168.1.0/24",
              "10.0.0.0/24"
            ]
          }
        ]
      },
      {
        "name": "Rule2",
        "priority": 2,
        "ruleType": "MatchRule",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RemoteAddr",
                "selector": null
              }
            ],
            "operator": "IPMatch",
            "matchValues": [
              "192.168.1.0/24"
            ]
          },
          {
            "matchVariables": [
              {
                "variableName": "RequestHeaders",
                "selector": "UserAgent"
              }
            ],
            "operator": "Contains",
            "matchValues": [
              "Windows"
            ]
          }
        ],
        "action": "Block"
      },
      {
        "name": "RateLimitRule3",
        "priority": 3,
        "rateLimitDuration": "OneMin",
        "rateLimitThreshold": 10,
        "ruleType": "RateLimitRule",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RemoteAddr",
                "selector": null
              }
            ],
            "operator": "IPMatch",
            "negationConditon": true,
            "matchValues": [
              "192.168.1.0/24",
              "10.0.0.0/24"
            ]
          }
        ],
        "groupByUserSession": [
          {
            "groupByVariables": [
              {
                "variableName": "ClientAddr"
              }
            ]
          }
        ],
        "action": "Block"
      }
    ]
  }
}

enter image description here

The WAF policy created in the resource group:

enter image description here

Now I tried to update the WAF policy, updating the custom rule name:

PUT https://management.azure.com/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/Policy1?api-version=2023-02-01


"customRules": [
{
"name": "RuleRuk",
"priority": 1,
"ruleType": "MatchRule",
"action": "Block",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr",
"selector": null
}
],

enter image description here

The custom rule name updated successfully like below:

enter image description here

Note that: You have to pass resource group name in which the WAF policy is present to update the policy.

Upvotes: 0

Related Questions