azure-cli-extensions

Issue adding default ruleset Microsoft_DefaultRuleSet 2.1 to WAF policy for Azure Front Door Premium

Open hgjura opened this issue 4 months ago • 2 comments

Describe the bug

I am trying to create a WAF Policy and assign it the Microsoft_DefaultRuleSet 2.1. I am using Azure CLI 2.76.0.

I am getting this error: "(BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". Code: BadRequest"

I have tried way too many options and it seems the only way to get this working is by creating an ARM file and deploying it as ARM, which I don't want to do, since that is what the CLI is there for.

Also, this fails after the WAF has been created, and it happens when it tries to add the default ruleset. If I do this manually in the portal, it works just fine.

Thanks.

    #!/bin/bash
    # Reproduction script from the report; run with "azure-cli": "2.76.0"

    resource_group="shared-rg"
    policy_name="wafpolicy01"
    mode="Prevention"
    DEFAULT_RULESET_TYPE="Microsoft_DefaultRuleSet"
    DEFAULT_RULESET_VERSION="2.1"
    DEFAULT_SKU="Premium_AzureFrontDoor"

    echo "Creating WAF policy with Microsoft Default Rule Set ..."

    # Step 1: the Premium Front Door WAF policy itself is created without error
    az network front-door waf-policy create \
        --resource-group "$resource_group" \
        --name "$policy_name" \
        --sku "$DEFAULT_SKU" \
        --mode "$mode" \
        --only-show-errors \
        --output none

    echo "Adding Microsoft Default Rule Set ..."

    # Step 2: this call is the one that fails with
    # (BadRequest) "This rule set action value is not supported."
    az network front-door waf-policy managed-rules add \
        --resource-group "$resource_group" \
        --policy-name "$policy_name" \
        --type "$DEFAULT_RULESET_TYPE" \
        --version "$DEFAULT_RULESET_VERSION" \
        --only-show-errors \
        --output none

Related command

az network front-door waf-policy managed-rules add

Errors

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". Code: BadRequest"

Issue script & Debug output

[INFO] Adding Microsoft Default Rule Set v2.1... cli.knack.cli: Command arguments: ['network', 'front-door', 'waf-policy', 'managed-rules', 'add', '--resource-group', 'shared-rg', '--policy-name', 'testwafpolicy2', '--type', 'Microsoft_DefaultRuleSet', '--version', '2.1', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x102fef2e0>, <function OutputProducer.on_global_arguments at 0x1031b8360>, <function CLIQuery.on_global_arguments at 0x1031d5b20>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_front_door'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: network 0.218 120 368 cli.azure.cli.core: privatedns 0.005 14 60 cli.azure.cli.core: Total (2) 0.223 134 428 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: front-door 0.014 19 77 /Users/hgjura/.azure/cliextensions/front-door cli.azure.cli.core: Total (1) 0.014 19 77 cli.azure.cli.core: Loaded 151 groups, 505 commands. cli.azure.cli.core: Found a match in the command table. 
cli.azure.cli.core: Raw command : network front-door waf-policy managed-rules add cli.azure.cli.core: Command table: network front-door waf-policy managed-rules add cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x104617c40>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/hgjura/.azure/commands/2025-08-10.16-13-13.network_front-door_waf-policy_managed-rules_add.99301.log'. az_command_data_logger: command args: network front-door waf-policy managed-rules add --resource-group {} --policy-name {} --type {} --version {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x104664860>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x104667100>, <function register_cache_arguments..add_cache_arguments at 0x104667240>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x1046672e0>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x1031b8400>, <function CLIQuery.handle_query_parameter at 0x1031d5bc0>, <function register_ids_argument..parse_ids_arguments at 0x1046671a0>] az_command_data_logger: extension name: front-door az_command_data_logger: extension version: 1.3.0 cli.azure.cli.core.commands.client_factory: Getting management service client client_type=FrontDoorManagementClient cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/hgjura/.azure/msal_token_cache.json', encrypt=False cli.azure.cli.core.auth.binary_cache: load: /Users/hgjura/.azure/msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, 
connect=None, read=None, redirect=None, status=None) msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4 msal.authority: openid_config("https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 
'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? None cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={} cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: d0e560da-58fe-4dfd-a06b-33f9f09176e8 cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01' cli.azure.cli.core.sdk.policies: Request method: 'GET' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af' cli.azure.cli.core.sdk.policies: 'CommandName': 'network front-door waf-policy managed-rules add' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --policy-name --type --version --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (HOMEBREW) azsdk-python-core/1.35.0 Python/3.12.11 (macOS-15.6-arm64-arm-64bit)' cli.azure.cli.core.sdk.policies: 'Authorization': '' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: This request has no body urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443 urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01 HTTP/1.1" 200 
763 cli.azure.cli.core.sdk.policies: Response status: 200 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Content-Length': '763' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'c31a6fef-c41a-4209-b4af-ae7c30ce4369' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'c28fca01-3284-425e-8ae3-dcba80c2e32c' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'CANADACENTRAL:20250810T201313Z:c28fca01-3284-425e-8ae3-dcba80c2e32c' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 12E62E8F2C2444A7B733BD41A6C893F2 Ref B: YQ1AA2090602031 Ref C: 2025-08-10T20:13:13Z' cli.azure.cli.core.sdk.policies: 'Date': 'Sun, 10 Aug 2025 20:13:12 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: 
{"id":"/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourcegroups/shared-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testwafpolicy2","type":"Microsoft.Network/frontdoorwebapplicationfirewallpolicies","name":"testwafpolicy2","location":"Global","tags":{},"sku":{"name":"Premium_AzureFrontDoor"},"properties":{"policySettings":{"enabledState":"Enabled","mode":"Prevention","redirectUrl":null,"customBlockResponseStatusCode":null,"customBlockResponseBody":null,"requestBodyCheck":"Enabled","javascriptChallengeExpirationInMinutes":30,"logScrubbing":null},"customRules":{"rules":[]},"managedRules":{"managedRuleSets":[]},"frontendEndpointLinks":[],"securityPolicyLinks":[],"resourceState":"Enabled","provisioningState":"Succeeded"}} cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01' cli.azure.cli.core.sdk.policies: Request method: 'PUT' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json' cli.azure.cli.core.sdk.policies: 'Content-Length': '378' cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af' cli.azure.cli.core.sdk.policies: 'CommandName': 'network front-door waf-policy managed-rules add' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --policy-name --type --version --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (HOMEBREW) azsdk-python-core/1.35.0 Python/3.12.11 (macOS-15.6-arm64-arm-64bit)' cli.azure.cli.core.sdk.policies: 'Authorization': '' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: {"location": "Global", "tags": {}, "sku": {"name": "Premium_AzureFrontDoor"}, "properties": 
{"policySettings": {"enabledState": "Enabled", "mode": "Prevention", "requestBodyCheck": "Enabled", "javascriptChallengeExpirationInMinutes": 30}, "customRules": {"rules": []}, "managedRules": {"managedRuleSets": [{"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"}]}}} urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01 HTTP/1.1" 400 178 cli.azure.cli.core.sdk.policies: Response status: 400 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Content-Length': '178' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=f0b13894-da42-4e32-a1fd-5b22ebdc47f4,objectId=35105e9c-c883-4b30-a51b-f6c135afffa1/canadacentral/139bee86-c583-4c07-aba9-1af65e7ac840' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'a5044987-2856-497f-8454-04bcaa2d0465' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '199' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-writes': '2999' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '443b74a9-7b9f-4985-ab60-5cc0afc38f1f' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'CANADACENTRAL:20250810T201313Z:443b74a9-7b9f-4985-ab60-5cc0afc38f1f' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE' 
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 6FAD3398D2774F5D976B0E104B926C8D Ref B: YQ1AA2090602031 Ref C: 2025-08-10T20:13:13Z' cli.azure.cli.core.sdk.policies: 'Date': 'Sun, 10 Aug 2025 20:13:13 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: { "error": { "code": "BadRequest", "message": "WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported."." } } cli.azure.cli.core.azclierror: Traceback (most recent call last): File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke cmd_result = self.invocation.execute(args) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute raise ex File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 734, in _run_jobs_serially results.append(self._run_job(expanded_arg, cmd_copy)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job result = cmd_copy(params) ^^^^^^^^^^^^^^^^ File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 336, in call return self.handler(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler return op(**command_args) ^^^^^^^^^^^^^^^^^^ File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/custom.py", line 841, in add_azure_managed_rule_set return client.begin_create_or_update(resource_group_name, policy_name, policy) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File 
"/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 119, in wrapper_use_tracer return func(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^ File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 624, in begin_create_or_update raw_result = self._create_or_update_initial( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 519, in _create_or_update_initial raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat) azure.core.exceptions.HttpResponseError: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". Code: BadRequest Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".

cli.azure.cli.core.azclierror: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". Code: BadRequest Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". az_command_data_logger: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". Code: BadRequest Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.". cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x104617ec0>] az_command_data_logger: exit code: 1 cli.main: Command ran in 1.055 seconds (init: 0.073, invoke: 0.983) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 4407 in cache file under /Users/hgjura/.azure/telemetry/20250810161313943 telemetry.main: Begin creating telemetry upload process. telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/init.py /Users/hgjura/.azure /Users/hgjura/.azure/telemetry/20250810161313943" telemetry.process: Return from creating process 99306 telemetry.main: Finish creating telemetry upload process.

Expected behavior

This should be able to add the default ruleset, in this case 2.1, with no errors.

Environment Summary

azure-cli 2.76.0

Additional context

No response

hgjura · Aug 10 '25 20:08
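As an added example (not code from the issue or from the front-door extension): a pre-flight check over the PUT body that the debug output above shows the CLI sending, so a deployment script can catch a managed rule set with no action before the request reaches ARM. It assumes, from the ARM schema rather than from anything stated on this page, that the property is named `ruleSetAction` and that its accepted values are Block, Log and Redirect.

```python
"""Pre-flight validation of a Front Door WAF policy body before it is PUT to ARM."""
import json

# Assumed from the Front Door WAF ManagedRuleSet schema (not stated in the issue).
VALID_RULE_SET_ACTIONS = {"Block", "Log", "Redirect"}

# Constructed sample: the request body from the debug output above, in which
# the managed rule set entry carries no ruleSetAction at all.
SAMPLE_BODY = json.dumps({
    "location": "Global",
    "tags": {},
    "sku": {"name": "Premium_AzureFrontDoor"},
    "properties": {
        "policySettings": {
            "enabledState": "Enabled",
            "mode": "Prevention",
            "requestBodyCheck": "Enabled",
            "javascriptChallengeExpirationInMinutes": 30,
        },
        "customRules": {"rules": []},
        "managedRules": {"managedRuleSets": [
            {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"}
        ]},
    },
})


def rule_sets_missing_action(body_json: str) -> list:
    """Return 'type/version' for each managed rule set whose ruleSetAction is absent or invalid."""
    body = json.loads(body_json)
    rule_sets = (body.get("properties", {})
                     .get("managedRules", {})
                     .get("managedRuleSets", []))
    return [
        f"{rs.get('ruleSetType')}/{rs.get('ruleSetVersion')}"
        for rs in rule_sets
        if rs.get("ruleSetAction") not in VALID_RULE_SET_ACTIONS
    ]


def with_rule_set_action(body_json: str, action: str) -> str:
    """Return a copy of the body with `action` set on every rule set that has none."""
    if action not in VALID_RULE_SET_ACTIONS:
        raise ValueError(f"unsupported rule set action {action!r}; "
                         f"expected one of {sorted(VALID_RULE_SET_ACTIONS)}")
    body = json.loads(body_json)
    for rs in body["properties"]["managedRules"]["managedRuleSets"]:
        rs.setdefault("ruleSetAction", action)   # leave an explicit value untouched
    return json.dumps(body)


if __name__ == "__main__":
    print("rule sets without a valid action:", rule_sets_missing_action(SAMPLE_BODY))
    fixed = with_rule_set_action(SAMPLE_BODY, "Block")
    print("after filling in Block:", rule_sets_missing_action(fixed))
```

Running the check against the body from the debug output flags `Microsoft_DefaultRuleSet/2.1`, which matches the rule-set-action wording of the BadRequest response.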

Thank you for opening this issue, we will look into it.

yonzhan · Aug 10 '25 20:08

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.