az network application-gateway waf-policy managed-rule rule-set

Manage managed rule set of managed rules of a WAF policy.


Name Description Type Status
az network application-gateway waf-policy managed-rule rule-set add

Add managed rule set to the WAF policy managed rules. For rule set and rules, please visit:

Core GA
az network application-gateway waf-policy managed-rule rule-set list

List all managed rule set.

Core GA
az network application-gateway waf-policy managed-rule rule-set remove

Remove a managed rule set by rule set group name if rule_group_name is specified. Otherwise, remove all rule set.

Core GA
az network application-gateway waf-policy managed-rule rule-set update

Manage rules of a WAF policy. If --group-name and --rules are provided, override existing rules. If --group-name is provided, clear all rules under a certain rule group. If neither of them are provided, update rule set and clear all rules under itself. For rule set and rules, please visit:

Core GA

az network application-gateway waf-policy managed-rule rule-set add

Add managed rule set to the WAF policy managed rules. For rule set and rules, please visit:

az network application-gateway waf-policy managed-rule rule-set add --policy-name
                                                                    --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                    --version {0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2}


Disable an attack protection rule

az network application-gateway waf-policy managed-rule rule-set add --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.1 --group-name REQUEST-921-PROTOCOL-ATTACK --rule rule-id=921110

Add managed rule set to the WAF policy managed rules (autogenerated)

az network application-gateway waf-policy managed-rule rule-set add --policy-name MyPolicy --resource-group MyResourceGroup --type Microsoft_BotManagerRuleSet --version 0.1

Required Parameters


The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

The version of the web application firewall rule set type. 0.1, 1.0, and 1.1 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters


The name of the web application firewall rule set group.


The rule that will be disabled. If none specified, all rules in the group will be disabled. If provided, --group-name must be provided too.

Usage: --rule rule-id=MyID state=MyState action=MyAction sensitivity=MySensitivity Allowed values for sensitivity: High, Medium, Low, None Multiple rules can be specified by using more than one --rule argument.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set list

List all managed rule set.

az network application-gateway waf-policy managed-rule rule-set list --policy-name


List all managed rule set. (autogenerated)

az network application-gateway waf-policy managed-rule rule-set list --policy-name MyPolicy --resource-group MyResourceGroup

Required Parameters


The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set remove

Remove a managed rule set by rule set group name if rule_group_name is specified. Otherwise, remove all rule set.

az network application-gateway waf-policy managed-rule rule-set remove --policy-name
                                                                       --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                       --version {0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2}


Remove a managed rule set by rule set group name if rule_group_name is specified. Otherwise, remove all rule set.

az network application-gateway waf-policy managed-rule rule-set remove --policy-name MyPolicy --resource-group MyResourceGroup --type OWASP --version 3.1

Required Parameters


The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

The version of the web application firewall rule set type. 0.1, 1.0, and 1.1 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters


The name of the web application firewall rule set group.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network application-gateway waf-policy managed-rule rule-set update

Manage rules of a WAF policy. If --group-name and --rules are provided, override existing rules. If --group-name is provided, clear all rules under a certain rule group. If neither of them are provided, update rule set and clear all rules under itself. For rule set and rules, please visit:

az network application-gateway waf-policy managed-rule rule-set update --policy-name
                                                                       --type {Microsoft_BotManagerRuleSet, OWASP}
                                                                       --version {0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2}


Override rules under rule group EQUEST-921-PROTOCOL-ATTACK

az network application-gateway waf-policy managed-rule rule-set update --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.1 --group-name REQUEST-921-PROTOCOL-ATTACK --rule rule-id=921130 --rule rule-id=921160

Update the OWASP protocol version from 3.1 to 3.0 which will clear the old rules

az network application-gateway waf-policy managed-rule rule-set update --policy-name MyPolicy -g MyResourceGroup --type OWASP --version 3.0

Required Parameters


The name of the web application firewall policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


The type of the web application firewall rule set.

Accepted values: Microsoft_BotManagerRuleSet, OWASP

The version of the web application firewall rule set type. 0.1, 1.0, and 1.1 are used for Microsoft_BotManagerRuleSet.

Accepted values: 0.1, 1.0, 1.1, 2.1, 2.2.9, 3.0, 3.1, 3.2

Optional Parameters


The name of the web application firewall rule set group.


The rule that will be disabled. If none specified, all rules in the group will be disabled. If provided, --group-name must be provided too.

Usage: --rule rule-id=MyID state=MyState action=MyAction sensitivity=MySensitivity Allowed values for sensitivity: High, Medium, Low, None Multiple rules can be specified by using more than one --rule argument.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.