Set-AzApplicationGatewayWebApplicationFirewallConfiguration PowerShell command not working as documented
Description
I'm building Az Application Gateway WAFs via PowerShell and I'm attempting to save the configuration with Set-AzApplicationGatewayWebApplicationFirewallConfiguration, but the -RuleSetVersion parameter won't set to a value other than 3.0 and -DisabledRuleGroups won't properly set New-AzApplicationGatewayFirewallDisabledRuleGroupConfig objects on the gateway. These parameters seem to work OK via New-AzApplicationGatewayWebApplicationFirewallConfiguration, but I want to apply them to an existing application gateway.
Issue script & Debug output
Too much sensitive info.
Environment data
```text
> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Module versions
```text
> Get-Module Az*

ModuleType Version Name        ExportedCommands
---------- ------- ----        ----------------
Script     2.7.5   Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount...}
Script     4.16.0  Az.Network  {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGatewayBackendHttpSetting, Add-AzApplicationGatewayCustomError...}
```
Error output
```text
> Resolve-AzError
DEBUG: 11:06:54 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 11:06:54 AM - using account id 'xxx'...
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use
`Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other
information on breaking changes in Azure PowerShell.

HistoryId: 2

Message        : Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more
                 information.
StackTrace     :    at System.Reflection.RuntimeModule.GetTypes(RuntimeModule module)
                    at System.Reflection.Assembly.GetTypes()
                    at Microsoft.PowerShell.Commands.AddTypeCommand.LoadAssemblyFromPathOrName(List`1 generatedTypes)
                    at Microsoft.PowerShell.Commands.AddTypeCommand.EndProcessing()
                    at System.Management.Automation.CommandProcessorBase.Complete()
Exception      : System.Reflection.ReflectionTypeLoadException
InvocationInfo : {Add-Type}
Line           : Add-Type -Path $_.FullName -ErrorAction Ignore | Out-Null
Position       : char:21
                 + ... Add-Type -Path $_.FullName -ErrorAction Ignore | Out-N ...
                 +                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 2

The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.7.5; CommandName: Resolve-AzError; PSVersion: 5.1.19041.1682; IsSuccess:
True; Duration: 00:00:00.0459511
DEBUG: Finish sending metric.
DEBUG: 11:06:54 AM - ResolveError end processing.
```
Adding a snippet of my script:

```powershell
$941120 = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName "REQUEST-941-APPLICATION-ATTACK-XSS" -Rules 941120
$AppGw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $AppGw -Name $routingRule -DefaultBackendAddressPool $pool -PathRules $SecTest_test_dev -DefaultBackendHttpSettings $SecTest_HTTP_Settings
$AppGw.FirewallPolicy = $firewallPolicy
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $true -FirewallMode Prevention -RuleSetVersion "3.1" -RuleSetType "OWASP" -DisabledRuleGroups $941120
```
Thank you for your feedback. This has been routed to the support team for assistance.
@ACountyMike Apologies for the late reply. Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.
@ACountyMike Could you please try with the most recent version (4.19.0) of the Az.Network module and check if that helps? I was running the below command in my box and it had worked.

```powershell
$MyRules = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName REQUEST-911-METHOD-ENFORCEMENT -Rules 911011,911012
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw -Enabled $true -FirewallMode Detection -RuleSetVersion 3.0 -RuleSetType OWASP -DisabledRuleGroups $MyRules
Set-AzApplicationGateway -ApplicationGateway $gw
```
@ACountyMike I wanted to do quick follow-up to check if you had a chance to look at my above comment. Please let us know if you have any queries on this. Awaiting your reply.
@navba-MSFT Parts of this appear to work, but I have trouble validating the configuration. If I set the firewall up the way we are both doing it and use PowerShell to get the configuration via Get-AzApplicationGatewayWebApplicationFirewallConfiguration then what is returned is an object that has the right ruleset version and DisabledRuleGroupsText that match the disabled rules, but the Azure web user interface does not reflect what I have set or the results that I've queried for. With the configuration mismatch, I can't say that it's working.
@ACountyMike Thanks for getting back. I am putting this all together now since I am not able to reproduce this issue. The output I received and the setting I have on the Azure web UI (Azure portal) match.
I ran the below commands first to set the new rules:
```powershell
$AppGW = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$MyRules = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName REQUEST-911-METHOD-ENFORCEMENT -Rules 911100
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGW -Enabled $true -FirewallMode Detection -RuleSetVersion 3.2 -RuleSetType OWASP -DisabledRuleGroups $MyRules
Set-AzApplicationGateway -ApplicationGateway $AppGW
```
Then I ran the below commands to fetch the firewall configuration details:
```powershell
$AppGW = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$FirewallConfig = Get-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGW
$FirewallConfig
```
While I ran the above commands, I got the below output which matched exactly what I had in Azure Portal. Hope this helps.
```text
Enabled                : True
FirewallMode           : Detection
RuleSetType            : OWASP
RuleSetVersion         : 3.2
DisabledRuleGroups     : {REQUEST-911-METHOD-ENFORCEMENT}
RequestBodyCheck       : True
MaxRequestBodySizeInKb : 128
FileUploadLimitInMb    : 100
Exclusions             :
DisabledRuleGroupsText : [
                           {
                             "RuleGroupName": "REQUEST-911-METHOD-ENFORCEMENT",
                             "Rules": [
                               911100
                             ]
                           }
                         ]
ExclusionsText         : null
```
I'm not sure, I haven't seen the PowerShell I've applied reflected properly in the UI yet. It might be that I'm applying something incorrectly. I will test more and keep this issue updated. Thank you.
It looks like I was leaving out the last step of `Set-AzApplicationGateway -ApplicationGateway $AppGw`, but adding it to my script to configure the WAF throws an error that says "WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy".
@ACountyMike A similar issue has been reported here a couple of weeks back. I am pasting the comment from that thread as is.
Thanks for raising this issue. We are aware of the API issue that was recently introduced. We are working on rolling out the fix. The issue can occur when you use API to update the config to policy. If you're using migration script or Firewall Manager integration, you will also encounter this issue.
Meanwhile, the workaround is to nullify the WAF config object post upgrade using below script. Thanks for your patience.
```powershell
$SubscriptionId = ''
$ResourceGroupName = ''
$GatewayName = ''
Connect-AzAccount -Subscription $SubscriptionId
$AppGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
$AppGw.webApplicationFirewallConfiguration = $null
Set-AzApplicationGateway -ApplicationGateway $AppGw
```
So I would recommend you to run the above script first to nullify the WAF config and then update the configuration using the script I shared above. Hope this helps.
Thanks, I will test that out.
Unfortunately, `$AppGw.webApplicationFirewallConfiguration = $null` completely cancels out my command of `Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $true -FirewallMode Prevention -RuleSetVersion 3.1 -RuleSetType OWASP -DisabledRuleGroups $941120,$942110`. So, this can't be a fix.
@ACountyMike I guess there is some confusion. I am pasting the PS script in order so that you are clear on how to run the script.
Firstly you need to run the script to nullify the WAF config:
```powershell
$SubscriptionId = ''
$ResourceGroupName = ''
$GatewayName = ''
Connect-AzAccount -Subscription $SubscriptionId
$AppGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
$AppGw.webApplicationFirewallConfiguration = $null
Set-AzApplicationGateway -ApplicationGateway $AppGw
```
Then run the below commands to set the new rules:
```powershell
$AppGW = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$MyRules = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName REQUEST-911-METHOD-ENFORCEMENT -Rules 911100
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGW -Enabled $true -FirewallMode Detection -RuleSetVersion 3.2 -RuleSetType OWASP -DisabledRuleGroups $MyRules
Set-AzApplicationGateway -ApplicationGateway $AppGW
```
Wait for some time for the changes to reflect. Then to fetch the firewall configuration details, run the below PS script:
```powershell
$AppGW = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$FirewallConfig = Get-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGW
$FirewallConfig
```
Sample code here. Hope this helps.
I tried this workaround: I set the firewall configuration to null and ran the command to set the app gateway. If I run the command to get the gateway again, the object I get back has a blank value for `WebApplicationFirewallConfiguration`, but a WAF policy remains associated with the gateway in the UI, and trying to set a new configuration with Set-AzApplicationGatewayWebApplicationFirewallConfiguration fails with `Set-AzApplicationGateway: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy`. I'm not sure where to go from here.
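A pre-flight and verification script for the procedure discussed in this thread, added here as an example (it is not the reporter's script nor code from the Az module): it refuses to touch the legacy configuration when `$AppGw.FirewallPolicy` is set, which is the condition named in the "cannot be changed when there is a WAF Policy" error, and otherwise applies the configuration and re-reads it from Azure to confirm the rule set version and disabled rule actually landed. Resource names are placeholders; the rule group and rule id are the ones from the original report.

```powershell
# Added example, not from the issue thread or the Az module. Gateway and
# resource-group names are placeholders; the cmdlets and properties used
# are the ones shown in the thread.
param(
    [string]$ResourceGroupName = '<resource-group>',   # placeholder
    [string]$GatewayName       = '<gateway-name>',     # placeholder
    [string]$RuleSetVersion    = '3.1'
)

$AppGw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

# Pre-flight: a gateway that references a WAF Policy rejects changes to the
# legacy WebApplicationFirewallConfiguration with the error seen above, so
# stop here instead of pushing an update that will fail at Set-AzApplicationGateway.
if ($null -ne $AppGw.FirewallPolicy) {
    Write-Warning ("WAF Policy attached ({0}); the legacy WebApplicationFirewallConfiguration " +
                   "cannot be changed while it is present." -f $AppGw.FirewallPolicy.Id)
    return
}

# Intended state: one disabled rule (the XSS rule from the report).
$Disabled = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig `
    -RuleGroupName 'REQUEST-941-APPLICATION-ATTACK-XSS' -Rules 941120

$AppGw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw `
    -Enabled $true -FirewallMode Prevention -RuleSetType OWASP `
    -RuleSetVersion $RuleSetVersion -DisabledRuleGroups $Disabled

# Nothing reaches Azure until the gateway object itself is written back.
$null = Set-AzApplicationGateway -ApplicationGateway $AppGw

# Verify against a fresh read rather than trusting the local object.
$Fresh  = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
$Config = Get-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $Fresh

$Problems = @()
if (-not $Config.Enabled)                       { $Problems += 'WAF is not enabled' }
if ($Config.RuleSetVersion -ne $RuleSetVersion) { $Problems += "RuleSetVersion is $($Config.RuleSetVersion)" }
$Group = $Config.DisabledRuleGroups | Where-Object RuleGroupName -eq 'REQUEST-941-APPLICATION-ATTACK-XSS'
if (-not $Group -or 941120 -notin $Group.Rules) { $Problems += 'rule 941120 is not disabled' }

if ($Problems) { throw "WAF configuration drift: $($Problems -join '; ')" }
Write-Output "WAF configuration verified: OWASP $($Config.RuleSetVersion), $($Config.DisabledRuleGroups.Count) disabled group(s)"
```

Because the portal can lag behind the API, the check reads back through Get-AzApplicationGateway rather than the object returned by the Set cmdlet, which is what the thread's mismatch report turned on.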
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @appgwsuppgithub.
| Author: | ACountyMike |
|---|---|
| Assignees: | - |
| Labels: | |
| Milestone: | - |
@ACountyMike Thanks for getting back. I will involve the Service Team to look into this issue and assist you further.
@appgwsuppgithub Could you please look into this issue and assist when you get a chance? Thanks in advance.
Adding @surmb for visibility
Thank you.