Can I run one WAF policy using version 3.1 of the OWASP rules and another policy using version 3.2?

Chris 26 Reputation points
2022-06-07T17:25:52.55+00:00

Hi,

Could somebody confirm whether it's possible to have WAF policies running different versions of the OWASP rules, i.e. one WAF policy using 3.1 and one using 3.2. The message below is what I get when I set up a new WAF policy and choose version 3.2. It's a bit ambiguous as to whether it applies just to this policy or to all of my policies (see attached screenshot 209196-screenshot-2022-06-07-at-175532.png).

Any reassurance from people running multiple versions would be much appreciated as I don't want to move over completely until I've tested the 3.2 rules.

Many thanks.

Chris

Azure Firewall

Accepted answer
  1. GitaraniSharma-MSFT 49,481 Reputation points Microsoft Employee
    2022-06-08T12:52:10.13+00:00

    Hello @Chris ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to have WAF policies running different versions of the OWASP rules i.e. one WAF policy using 3.1 and one using 3.2 and whether it would override all policies.

    An Azure Web Application Firewall (WAF) policy can be associated with an application gateway (global), a listener (per-site), or a path-based rule (per-URI) for it to take effect. It can be associated with any combination of application gateways, listeners, and path-based rules. So there are three types of WAF policy association:

    1. Global WAF policy: when you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
    2. Per-site WAF policy: with per-site WAF policies, you can protect multiple sites with differing security needs behind a single WAF.
    3. Per-URI policy: for even more customization down to the URI level, you can associate a WAF policy with a path-based rule.

    By default, with WAF policies, more specific policies override less specific ones. This means a per-URI policy on a URL path map overrides any per-site or global WAF policy above it. If there's a global policy, and a per-site policy (a WAF policy associated with a listener), then the per-site policy overrides the global WAF policy for that listener. Other listeners without their own policies will only be affected by the global WAF policy.

    Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/policy-overview
    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/per-site-policies

    So to answer your question, yes it is possible to have WAF policies running different versions of the OWASP rules i.e. one WAF policy using 3.1 and one using 3.2. A particular policy will only override another if it is more specific than the other policies.

    For example: you have two sites, abc.com and xyz.com, behind your Application Gateway WAF v2, a policy with OWASP rules version 3.1 associated with the whole application gateway, and another WAF policy with OWASP rules version 3.2 associated with the abc.com listener. Then your site abc.com will use CRS 3.2 and xyz.com will use CRS 3.1.

    NOTE: Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, you need to contact Azure Support.

    So, for testing of the new core rule set 3.2, it would be better to apply the WAF policy to a single site or URI path as it will not affect the whole application gateway.

    Kindly let us know if the above helps or you need further assistance on this issue.

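As an added example (not code from the original thread, and not Microsoft's), the layout described in the accepted answer written as a Bicep template: one WAF policy on OWASP CRS 3.1 associated with the whole Application Gateway WAF v2, and a second policy on CRS 3.2 associated only with the abc.com listener, so xyz.com keeps running on 3.1. The resource names, API version, gateway subnet, public IP and backend FQDNs are assumptions for illustration.

```bicep
// Added example, not code from the original thread or from Microsoft.
// Two WAF policies with different CRS versions on one Application Gateway WAF v2:
// CRS 3.1 associated globally, CRS 3.2 associated with the abc.com listener only.
// Resource names, API version, subnet, public IP and backend FQDNs are assumptions.
param location string = resourceGroup().location
param gatewaySubnetId string   // assumed: existing subnet dedicated to the gateway
param publicIpId string        // assumed: existing Standard SKU public IP
var gwName = 'agw-waf-demo'
var gwType = 'Microsoft.Network/applicationGateways'
// Global policy: OWASP CRS 3.1 in Prevention mode. Every listener that has no
// policy of its own (here xyz.com) is protected by this one.
resource crs31Global 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01' = {
  name: 'wafpol-crs31-global'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.1' } ]
    }
  }
}
// Per-site policy: OWASP CRS 3.2 in Detection mode, so abc.com requests are
// evaluated and logged against the new rule set without being blocked while
// you review the results. Switch to Prevention once false positives are handled.
resource crs32Abc 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01' = {
  name: 'wafpol-crs32-abc'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Detection', requestBodyCheck: true }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
    }
  }
}
resource gw 'Microsoft.Network/applicationGateways@2022-07-01' = {
  name: gwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2', capacity: 1 }
    firewallPolicy: { id: crs31Global.id }   // global association: CRS 3.1
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: gatewaySubnetId } } } ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'port80', properties: { port: 80 } } ]
    backendAddressPools: [
      { name: 'abc-pool', properties: { backendAddresses: [ { fqdn: 'abc-origin.internal' } ] } }
      { name: 'xyz-pool', properties: { backendAddresses: [ { fqdn: 'xyz-origin.internal' } ] } }
    ]
    backendHttpSettingsCollection: [
      { name: 'http80', properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled' } }
    ]
    httpListeners: [
      {
        name: 'abc-listener'
        properties: {
          frontendIPConfiguration: { id: resourceId('${gwType}/frontendIPConfigurations', gwName, 'feip') }
          frontendPort: { id: resourceId('${gwType}/frontendPorts', gwName, 'port80') }
          protocol: 'Http'
          hostName: 'abc.com'
          firewallPolicy: { id: crs32Abc.id }   // per-site override: abc.com gets CRS 3.2
        }
      }
      {
        name: 'xyz-listener'
        properties: {
          frontendIPConfiguration: { id: resourceId('${gwType}/frontendIPConfigurations', gwName, 'feip') }
          frontendPort: { id: resourceId('${gwType}/frontendPorts', gwName, 'port80') }
          protocol: 'Http'
          hostName: 'xyz.com'
          // no firewallPolicy here: xyz.com inherits the global CRS 3.1 policy
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'abc-rule'
        properties: {
          priority: 100
          ruleType: 'Basic'
          httpListener: { id: resourceId('${gwType}/httpListeners', gwName, 'abc-listener') }
          backendAddressPool: { id: resourceId('${gwType}/backendAddressPools', gwName, 'abc-pool') }
          backendHttpSettings: { id: resourceId('${gwType}/backendHttpSettingsCollection', gwName, 'http80') }
        }
      }
      {
        name: 'xyz-rule'
        properties: {
          priority: 200
          ruleType: 'Basic'
          httpListener: { id: resourceId('${gwType}/httpListeners', gwName, 'xyz-listener') }
          backendAddressPool: { id: resourceId('${gwType}/backendAddressPools', gwName, 'xyz-pool') }
          backendHttpSettings: { id: resourceId('${gwType}/backendHttpSettingsCollection', gwName, 'http80') }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f <file>.bicep -p gatewaySubnetId=<id> publicIpId=<id>`. The only difference between the two listeners is the `firewallPolicy` property: the listener that sets it is evaluated by the CRS 3.2 policy, the one that omits it falls back to the gateway-level policy, which is the precedence rule the answer describes. The 3.2 policy is deliberately left in Detection mode so the trial produces WAF log entries rather than blocked requests; check those logs for false positives before switching to Prevention. To narrow the trial further to a single path, the same `firewallPolicy` property can be set on a `pathRule` inside a `urlPathMap` instead of on the listener.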

