az network front-door waf-policy

Note

This reference is part of the front-door extension for the Azure CLI (version 2.57.0 or higher). The extension will automatically install the first time you run an az network front-door waf-policy command. Learn more about extensions.

Manage Web Application Firewall (WAF) policies.

Commands

| Name | Description | Type | Status |
| --- | --- | --- | --- |
| az network front-door waf-policy create | Create policy with specified rule set name within a resource group. | Extension | GA |
| az network front-door waf-policy delete | Delete Policy. | Extension | GA |
| az network front-door waf-policy list | List all of the protection policies within a resource group. | Extension | GA |
| az network front-door waf-policy managed-rule-definition | Learn about available managed rule sets. | Extension | GA |
| az network front-door waf-policy managed-rule-definition list | Show a detailed list of available managed rule sets. | Extension | GA |
| az network front-door waf-policy managed-rules | Change and view managed rule sets associated with your WAF policy. | Extension | GA |
| az network front-door waf-policy managed-rules add | Add a managed rule set to a WAF policy. | Extension | GA |
| az network front-door waf-policy managed-rules exclusion | View and alter exclusions on a managed rule set, rule group, or rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules exclusion add | Add an exclusion on a managed rule set, rule group, or rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules exclusion list | List the exclusions on managed rule set, rule group, or rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules exclusion remove | Remove an exclusion on a managed rule set, rule group, or rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules list | Show which managed rule sets are applied to a WAF policy. | Extension | GA |
| az network front-door waf-policy managed-rules override | View and alter overrides on managed rules within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules override add | Add an override on a managed rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules override list | List the overrides on managed rules within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules override remove | Remove an override on a managed rule within a managed rule set. | Extension | GA |
| az network front-door waf-policy managed-rules remove | Remove a managed rule set from a WAF policy. | Extension | GA |
| az network front-door waf-policy rule | Manage WAF policy custom rules. | Extension | GA |
| az network front-door waf-policy rule create | Create a WAF policy custom rule. Use --defer and add a rule match-condition. | Extension | GA |
| az network front-door waf-policy rule delete | Delete a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule list | List WAF policy custom rules. | Extension | GA |
| az network front-door waf-policy rule match-condition | Alter match-conditions associated with a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule match-condition add | Add a match-condition to a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule match-condition list | Show all match-conditions associated with a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule match-condition remove | Remove a match-condition from a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule show | Get the details of a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy rule update | Alter the details of a WAF policy custom rule. | Extension | GA |
| az network front-door waf-policy show | Get protection policy with specified name within a resource group. | Extension | GA |
| az network front-door waf-policy update | Update policy with specified rule set name within a resource group. | Extension | GA |
| az network front-door waf-policy wait | Place the CLI in a waiting state until a condition is met. | Extension | GA |

az network front-door waf-policy create

Create policy with specified rule set name within a resource group.

az network front-door waf-policy create --name
                                        --resource-group
                                        [--custom-block-response-body]
                                        [--custom-block-response-status-code]
                                        [--custom-rules]
                                        [--disabled {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--etag]
                                        [--javascript-challenge-expiration-in-minutes]
                                        [--location]
                                        [--log-scrubbing]
                                        [--managed-rules]
                                        [--mode {Detection, Prevention}]
                                        [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--redirect-url]
                                        [--request-body-check {Disabled, Enabled}]
                                        [--sku {Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor}]
                                        [--tags]

Required Parameters

--name --policy-name -n

The name of the Web Application Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--custom-block-response-body

If the action type is block, the customer can override the response body. The body must be specified in base64 encoding.

--custom-block-response-status-code

If the action type is block, the customer can override the response status code.

--custom-rules

Describes custom rules inside the policy. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--disabled

Create in a disabled state.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Default value: False

--etag

Gets a unique read-only string that changes whenever the resource is updated.

--javascript-challenge-expiration-in-minutes --js-expiration

Defines the JavaScript challenge cookie validity lifetime in minutes. Value must be an integer between 5 and 1440 with the default value being 30.

--location -l

Resource location.

--log-scrubbing

Defines rules that scrub sensitive fields in the Web Application Firewall logs. Example: --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}", --log-scrubbing scrubbing-rules=[] state=Disabled, --log-scrubbing null. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--managed-rules

Describes managed rules inside the policy. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--mode

Describes if it is in detection mode or prevention mode at policy level.

Accepted values: Detection, Prevention

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--redirect-url

If action type is redirect, this field represents redirect URL for the client.

--request-body-check

Describes if policy managed rules will inspect the request body content.

Accepted values: Disabled, Enabled

--sku

Name of the pricing tier.

Accepted values: Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor
Default value: Premium_AzureFrontDoor

--tags

Resource tags. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network front-door waf-policy delete

Delete Policy.

az network front-door waf-policy delete [--ids]
                                        [--name]
                                        [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--resource-group]
                                        [--subscription]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name --policy-name -n

The name of the Web Application Firewall Policy.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network front-door waf-policy list

List all of the protection policies within a resource group.

az network front-door waf-policy list --resource-group
                                      [--max-items]
                                      [--next-token]

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--max-items

Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.

--next-token

Token to specify where to start paginating. This is the token value from a previously truncated response.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network front-door waf-policy show

Get protection policy with specified name within a resource group.

az network front-door waf-policy show [--ids]
                                      [--name]
                                      [--resource-group]
                                      [--subscription]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name --policy-name -n

The name of the Web Application Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
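
The `show` command and its `--query` parameter are enough to check a policy for weak policy-level settings. The script below is an added example, not part of the original reference: the function names are hypothetical, and the property paths under `policySettings` are an assumption about the shape of the `show` output.

```sh
#!/bin/sh
# Added example (not from the az reference): flag weak policy-level settings
# on one Front Door WAF policy, using only `show` with a JMESPath --query.
# Assumption: the show output nests these settings under policySettings as
# enabledState, mode, requestBodyCheck and logScrubbing.state. Confirm the
# paths against `show --output json` for your extension version.

# Read one property of the policy. Hypothetical helper name.
waf_setting() {  # usage: waf_setting <resource-group> <policy-name> <jmespath>
  az network front-door waf-policy show \
    --resource-group "$1" --name "$2" --query "$3" --output tsv
}

# Print one FINDING line per weak setting, or one OK line.
# Returns 0 when clean, 1 when there are findings, 2 when a lookup failed.
audit_waf_policy() {  # usage: audit_waf_policy <resource-group> <policy-name>
  local rg name enabled mode body scrub findings
  rg=$1; name=$2; findings=0

  enabled=$(waf_setting "$rg" "$name" policySettings.enabledState) || return 2
  mode=$(waf_setting "$rg" "$name" policySettings.mode) || return 2
  body=$(waf_setting "$rg" "$name" policySettings.requestBodyCheck) || return 2
  scrub=$(waf_setting "$rg" "$name" policySettings.logScrubbing.state) || return 2

  # Anything other than the expected value counts as weak, so a null or
  # missing property (for example no log scrubbing configured) is reported.
  if [ "$enabled" != "Enabled" ]; then
    echo "FINDING $name: policy is disabled (--disabled)"; findings=1
  fi
  if [ "$mode" != "Prevention" ]; then
    echo "FINDING $name: --mode is '$mode', not Prevention"; findings=1
  fi
  if [ "$body" != "Enabled" ]; then
    echo "FINDING $name: --request-body-check is '$body'"; findings=1
  fi
  if [ "$scrub" != "Enabled" ]; then
    echo "FINDING $name: --log-scrubbing state is '$scrub'"; findings=1
  fi

  if [ "$findings" -eq 0 ]; then
    echo "OK $name: no weak policy-level settings"
  fi
  return "$findings"
}
```

Call `audit_waf_policy <resource-group> <policy-name>` for each policy name returned by `az network front-door waf-policy list` to cover a whole resource group.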

az network front-door waf-policy update

Update policy with specified rule set name within a resource group.

az network front-door waf-policy update [--add]
                                        [--custom-block-response-body]
                                        [--custom-block-response-status-code]
                                        [--custom-rules]
                                        [--disabled {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--etag]
                                        [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--ids]
                                        [--javascript-challenge-expiration-in-minutes]
                                        [--location]
                                        [--log-scrubbing]
                                        [--managed-rules]
                                        [--mode {Detection, Prevention}]
                                        [--name]
                                        [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                        [--redirect-url]
                                        [--remove]
                                        [--request-body-check {Disabled, Enabled}]
                                        [--resource-group]
                                        [--set]
                                        [--sku {Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor}]
                                        [--subscription]
                                        [--tags]

Examples

Update log scrubbing

az network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}"
az network front-door waf-policy update -g rg -n n1 --log-scrubbing scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:Equals}"
az network front-door waf-policy update -g rg -n n1 --log-scrubbing "{scrubbing-rules:[{match-variable:RequestBodyJsonArgNames,selector-match-operator:EqualsAny}],state:Enabled}" scrubbing-rules[1]="{match-variable:RequestUri,selector-match-operator:EqualsAny}"

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--custom-block-response-body

If the action type is block, the customer can override the response body. The body must be specified in base64 encoding.

--custom-block-response-status-code

If the action type is block, the customer can override the response status code.

--custom-rules

Describes custom rules inside the policy. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--disabled

Create in a disabled state.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Default value: False

--etag

Gets a unique read-only string that changes whenever the resource is updated.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--javascript-challenge-expiration-in-minutes --js-expiration

Defines the JavaScript challenge cookie validity lifetime in minutes. Value must be an integer between 5 and 1440 with the default value being 30.

--location -l

Resource location.

--log-scrubbing

Defines rules that scrub sensitive fields in the Web Application Firewall logs. Example: --log-scrubbing "{scrubbing-rules:[{match-variable:QueryStringArgNames,selector-match-operator:EqualsAny}],state:Enabled}", --log-scrubbing scrubbing-rules=[] state=Disabled, --log-scrubbing null. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--managed-rules

Describes managed rules inside the policy. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--mode

Describes if it is in detection mode or prevention mode at policy level.

Accepted values: Detection, Prevention

--name --policy-name -n

The name of the Web Application Firewall Policy.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--redirect-url

If action type is redirect, this field represents redirect URL for the client.

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--request-body-check

Describes if policy managed rules will inspect the request body content.

Accepted values: Disabled, Enabled

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--sku

Name of the pricing tier.

Accepted values: Classic_AzureFrontDoor, Premium_AzureFrontDoor, Standard_AzureFrontDoor

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Resource tags. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network front-door waf-policy wait

Place the CLI in a waiting state until a condition is met.

az network front-door waf-policy wait [--created]
                                      [--custom]
                                      [--deleted]
                                      [--exists]
                                      [--ids]
                                      [--interval]
                                      [--name]
                                      [--resource-group]
                                      [--subscription]
                                      [--timeout]
                                      [--updated]

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

Default value: False

--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

Default value: False

--exists

Wait until the resource exists.

Default value: False

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--interval

Polling interval in seconds.

Default value: 30

--name --policy-name -n

The name of the Web Application Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--timeout

Maximum wait in seconds.

Default value: 3600

--updated

Wait until updated with provisioningState at 'Succeeded'.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.