Create Front-door Premium WAF Policy using Rest API call fails for Microsoft_DefaultRuleSet_2.1

Ravalia Krutika Harishbhai 40 Reputation points
2023-11-03T07:02:56.2+00:00

Hi team!

I am trying to create a Web Application Firewall for Front Door Premium Tier using the REST API. It works with 1.x versions of the Rule Set, but it fails when the Managed Rule is set to a 2.x version (e.g. Microsoft_DefaultRuleSet 2.1) with the error "This rule set action value is not supported.". Using the same configuration, it is possible via the GUI.

Currently I am using api-version=2022-05-01, not sure if I should be using any other version. Kindly clarify on how to set Microsoft_DefaultRuleSet_2.1 for Premium frontdoor waf.

Here is the curl that I am using:

curl --location --request PUT 'https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/{policyName}?api-version=2022-05-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {token}' \
--data '{
  "location": "global",
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": null,
      "customBlockResponseStatusCode": 403,
      "customBlockResponseBody": null
    },
    "customRules": {
      "rules": []
    },
    "managedRules": {
      "managedRuleSets": [
        {
            "ruleSetType": "Microsoft_DefaultRuleSet",
            "ruleSetVersion": "2.1",
            "ruleGroupOverrides": []
        }
      ]
    },
    "frontendEndpointLinks": [],
    "resourceState": "Enabled",
    "provisioningState": "Succeeded"
  }
}'
Azure Web Application Firewall

Accepted answer
  1. KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee
    2023-11-03T08:35:40.04+00:00

    @Ravalia Krutika Harishbhai

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    With Managed Rule 2.x versions, you have to define an additional property called "ruleSetAction".

    This is also visible in the UI/Portal.

    For 2.x:

    • User's image

    For 1.x:

    • User's image

    So, basically, your "managedRuleSets" property becomes,

          "managedRuleSets": [
            {
                "ruleSetType": "Microsoft_DefaultRuleSet",
                "ruleSetVersion": "2.1",
                "ruleSetAction": "Block",
                "ruleGroupOverrides": []
            }
          ]
    

    The supported values are

    • Block
    • Log
    • Redirect

    Also,

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
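
A pre-flight check for the request body, based on the accepted answer above. This is an added example, not code from the thread or from Microsoft; the function names and the sample bodies are constructed for illustration, and it assumes `ruleSetAction` values are matched exactly as the answer spells them.

```python
import json

# Values the answer above lists as supported for "ruleSetAction".
SUPPORTED_ACTIONS = {"Block", "Log", "Redirect"}


def check_managed_rule_sets(policy: dict) -> list:
    """Return one message per 2.x managed rule set that lacks a usable ruleSetAction."""
    rule_sets = (policy.get("properties", {})
                 .get("managedRules", {})
                 .get("managedRuleSets", []))
    problems = []
    for i, rs in enumerate(rule_sets):
        version = str(rs.get("ruleSetVersion", ""))
        label = f"managedRuleSets[{i}] ({rs.get('ruleSetType')}_{version})"
        # Per the thread, 1.x rule sets are accepted without the property.
        if version.split(".", 1)[0] != "2":
            continue
        action = rs.get("ruleSetAction")
        if action is None:
            problems.append(f"{label}: missing ruleSetAction")
        elif action not in SUPPORTED_ACTIONS:
            # Assumption: values are compared exactly as spelled in the answer.
            problems.append(f"{label}: unsupported ruleSetAction {action!r}")
    return problems


def make_body(version, action=None):
    """Constructed sample: a trimmed version of the request body from the question."""
    rule_set = {"ruleSetType": "Microsoft_DefaultRuleSet",
                "ruleSetVersion": version, "ruleGroupOverrides": []}
    if action is not None:
        rule_set["ruleSetAction"] = action
    return {"location": "global",
            "sku": {"name": "Premium_AzureFrontDoor"},
            "properties": {"managedRules": {"managedRuleSets": [rule_set]}}}


if __name__ == "__main__":
    # The question's body (2.1, no action), the answer's body, and a 1.x body.
    for body in (make_body("2.1"), make_body("2.1", "Block"), make_body("1.1")):
        issues = check_managed_rule_sets(body)
        print(json.dumps(body["properties"]["managedRules"]), "->", issues or "ok")
```

Running the check in a deployment pipeline before the PUT catches the missing property locally instead of leaving the policy uncreated after a rejected request.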