Policies - Create Or Update

Create or update policy with specified rule set name within a resource group.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{policyName}?api-version=2024-02-01

URI Parameters

Name In Required Type Description
policyName
path True

string

The name of the Web Application Firewall Policy.

resourceGroupName
path True

string

Name of the Resource group within the Azure subscription.

Regex pattern: ^[a-zA-Z0-9_\-\(\)\.]*[^\.]$

subscriptionId
path True

string

The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

api-version
query True

string

Client API version.

Request Body

Name Type Description
etag

string

Gets a unique read-only string that changes whenever the resource is updated.

location

string

Resource location.

properties.customRules

CustomRuleList

Describes custom rules inside the policy.

properties.managedRules

ManagedRuleSetList

Describes managed rules inside the policy.

properties.policySettings

PolicySettings

Describes settings for the policy.

sku

Sku

The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified.

tags

object

Resource tags.

Responses

Name Type Description
200 OK

WebApplicationFirewallPolicy

OK. The request has succeeded.

201 Created

WebApplicationFirewallPolicy

Created. The request has been fulfilled and a new protection policy has been created.

202 Accepted

WebApplicationFirewallPolicy

Accepted. The request has been accepted for processing and the operation will complete asynchronously.

Other Status Codes

ErrorResponse

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Creates specific policy

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1?api-version=2024-02-01

{
  "location": "WestUs",
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "javascriptChallengeExpirationInMinutes": 30,
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "ruleType": "RateLimitRule",
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "operator": "IPMatch",
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ]
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "ruleType": "MatchRule",
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "operator": "GeoMatch",
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "operator": "Contains",
              "selector": "UserAgent",
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    }
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}

Sample response

{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "javascriptChallengeExpirationInMinutes": 30,
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}
{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Classic_AzureFrontDoor"
  }
}
{
  "name": "Policy1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "location": "WestUs",
  "properties": {
    "resourceState": "Enabled",
    "provisioningState": "Succeeded",
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention",
      "redirectUrl": "http://www.bing.com",
      "customBlockResponseStatusCode": 429,
      "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
      "requestBodyCheck": "Disabled",
      "logScrubbing": {
        "state": "Enabled",
        "scrubbingRules": [
          {
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "selector": null,
            "state": "Enabled"
          }
        ]
      }
    },
    "customRules": {
      "rules": [
        {
          "name": "Rule1",
          "priority": 1,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 1000,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "IPMatch",
              "negateCondition": false,
              "matchValue": [
                "192.168.1.0/24",
                "10.0.0.0/24"
              ],
              "transforms": []
            }
          ],
          "action": "Block"
        },
        {
          "name": "Rule2",
          "priority": 2,
          "enabledState": "Enabled",
          "ruleType": "MatchRule",
          "rateLimitDurationInMinutes": 0,
          "rateLimitThreshold": 0,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "selector": null,
              "operator": "GeoMatch",
              "negateCondition": false,
              "matchValue": [
                "CH"
              ]
            },
            {
              "matchVariable": "RequestHeader",
              "selector": "UserAgent",
              "operator": "Contains",
              "negateCondition": false,
              "matchValue": [
                "windows"
              ],
              "transforms": [
                "Lowercase"
              ]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleSetAction": "Block",
          "exclusions": [
            {
              "matchVariable": "RequestHeaderNames",
              "selectorMatchOperator": "Equals",
              "selector": "User-Agent"
            }
          ],
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "exclusions": [
                {
                  "matchVariable": "RequestCookieNames",
                  "selectorMatchOperator": "StartsWith",
                  "selector": "token"
                }
              ],
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Redirect",
                  "exclusions": [
                    {
                      "matchVariable": "QueryStringArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "query"
                    }
                  ]
                },
                {
                  "ruleId": "942110",
                  "enabledState": "Disabled"
                }
              ]
            }
          ]
        }
      ]
    },
    "frontendEndpointLinks": [],
    "securityPolicyLinks": []
  },
  "sku": {
    "name": "Premium_AzureFrontDoor"
  }
}

Definitions

Name Description
scrubbingRuleEntryMatchOperator

When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.

scrubbingRuleEntryState

Defines the state of a log scrubbing rule. Default value is enabled.

ActionType

Defines the action to take on rule match.

CustomRule

Defines contents of a web application rule

CustomRuleEnabledState

Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.

CustomRuleList

Defines contents of custom rules

ErrorResponse

Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message.

FrontendEndpointLink

Defines the Resource ID for a Frontend Endpoint.

GroupByVariable

Describes the variables available to group the rate limit requests

ManagedRuleEnabledState

Describes if the managed rule is in enabled or disabled state.

ManagedRuleExclusion

Exclude variables from managed rule evaluation.

ManagedRuleExclusionMatchVariable

The variable type to be excluded.

ManagedRuleExclusionSelectorMatchOperator

Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.

ManagedRuleGroupOverride

Defines a managed rule group override setting.

ManagedRuleOverride

Defines a managed rule group override setting.

ManagedRuleSet

Defines a managed rule set.

ManagedRuleSetActionType

Defines the action to take when a managed rule set score threshold is met.

ManagedRuleSetList

Defines the list of managed rule sets for the policy.

MatchCondition

Define a match condition.

MatchVariable

Request variable to compare with.

Operator

Comparison type to use for matching with the variable value.

PolicyEnabledState

Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.

PolicyMode

Describes if it is in detection mode or prevention mode at policy level.

PolicyRequestBodyCheck

Describes if policy managed rules will inspect the request body content.

PolicyResourceState

Resource status of the policy.

PolicySettings

Defines top-level WebApplicationFirewallPolicy configuration settings.

RoutingRuleLink

Defines the Resource ID for a Routing Rule.

RuleType

Describes type of rule.

scrubbingRuleEntryMatchVariable

The variable to be scrubbed from the logs.

SecurityPolicyLink

Defines the Resource ID for a Security Policy.

Sku

The pricing tier of the web application firewall policy.

SkuName

Name of the pricing tier.

TransformType

Describes what transforms applied before matching.

VariableName

Describes the supported variable for group by

WebApplicationFirewallPolicy

Defines web application firewall policy.

WebApplicationFirewallScrubbingRules

Defines the contents of the log scrubbing rules.

WebApplicationFirewallScrubbingState

State of the log scrubbing config. Default value is Enabled.

scrubbingRuleEntryMatchOperator

When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.

Name Type Description
Equals

string

EqualsAny

string

scrubbingRuleEntryState

Defines the state of a log scrubbing rule. Default value is enabled.

Name Type Description
Disabled

string

Enabled

string

ActionType

Defines the action to take on rule match.

Name Type Description
Allow

string

AnomalyScoring

string

Block

string

JSChallenge

string

Log

string

Redirect

string

CustomRule

Defines contents of a web application rule

Name Type Description
action

ActionType

Describes what action to be applied when rule matches.

enabledState

CustomRuleEnabledState

Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.

groupBy

GroupByVariable[]

Describes the list of variables to group the rate limit requests

matchConditions

MatchCondition[]

List of match conditions.

name

string

Describes the name of the rule.

priority

integer

Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.

rateLimitDurationInMinutes

integer

Time window for resetting the rate limit count. Default is 1 minute.

rateLimitThreshold

integer

Number of allowed requests per client within the time window.

ruleType

RuleType

Describes type of rule.

CustomRuleEnabledState

Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.

Name Type Description
Disabled

string

Enabled

string

CustomRuleList

Defines contents of custom rules

Name Type Description
rules

CustomRule[]

List of rules

ErrorResponse

Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message.

Name Type Description
code

string

Error code.

message

string

Error message indicating why the operation failed.

Defines the Resource ID for a Frontend Endpoint.

Name Type Description
id

string

Resource ID.

GroupByVariable

Describes the variables available to group the rate limit requests

Name Type Description
variableName

VariableName

Describes the supported variable for group by

ManagedRuleEnabledState

Describes if the managed rule is in enabled or disabled state.

Name Type Description
Disabled

string

Enabled

string

ManagedRuleExclusion

Exclude variables from managed rule evaluation.

Name Type Description
matchVariable

ManagedRuleExclusionMatchVariable

The variable type to be excluded.

selector

string

Selector value for which elements in the collection this exclusion applies to.

selectorMatchOperator

ManagedRuleExclusionSelectorMatchOperator

Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.

ManagedRuleExclusionMatchVariable

The variable type to be excluded.

Name Type Description
QueryStringArgNames

string

RequestBodyJsonArgNames

string

RequestBodyPostArgNames

string

RequestCookieNames

string

RequestHeaderNames

string

ManagedRuleExclusionSelectorMatchOperator

Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.

Name Type Description
Contains

string

EndsWith

string

Equals

string

EqualsAny

string

StartsWith

string

ManagedRuleGroupOverride

Defines a managed rule group override setting.

Name Type Description
exclusions

ManagedRuleExclusion[]

Describes the exclusions that are applied to all rules in the group.

ruleGroupName

string

Describes the managed rule group to override.

rules

ManagedRuleOverride[]

List of rules that will be disabled. If none specified, all rules in the group will be disabled.

ManagedRuleOverride

Defines a managed rule group override setting.

Name Type Description
action

ActionType

Describes the override action to be applied when rule matches.

enabledState

ManagedRuleEnabledState

Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified.

exclusions

ManagedRuleExclusion[]

Describes the exclusions that are applied to this specific rule.

ruleId

string

Identifier for the managed rule.

ManagedRuleSet

Defines a managed rule set.

Name Type Description
exclusions

ManagedRuleExclusion[]

Describes the exclusions that are applied to all rules in the set.

ruleGroupOverrides

ManagedRuleGroupOverride[]

Defines the rule group overrides to apply to the rule set.

ruleSetAction

ManagedRuleSetActionType

ruleSetAction
Defines the rule set action.

ruleSetType

string

Defines the rule set type to use.

ruleSetVersion

string

Defines the version of the rule set to use.

ManagedRuleSetActionType

Defines the action to take when a managed rule set score threshold is met.

Name Type Description
Block

string

Log

string

Redirect

string

ManagedRuleSetList

Defines the list of managed rule sets for the policy.

Name Type Description
managedRuleSets

ManagedRuleSet[]

List of rule sets.

MatchCondition

Define a match condition.

Name Type Description
matchValue

string[]

List of possible match values.

matchVariable

MatchVariable

Request variable to compare with.

negateCondition

boolean

Describes if the result of this condition should be negated.

operator

Operator

Comparison type to use for matching with the variable value.

selector

string

Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null.

transforms

TransformType[]

List of transforms.

MatchVariable

Request variable to compare with.

Name Type Description
Cookies

string

PostArgs

string

QueryString

string

RemoteAddr

string

RequestBody

string

RequestHeader

string

RequestMethod

string

RequestUri

string

SocketAddr

string

Operator

Comparison type to use for matching with the variable value.

Name Type Description
Any

string

BeginsWith

string

Contains

string

EndsWith

string

Equal

string

GeoMatch

string

GreaterThan

string

GreaterThanOrEqual

string

IPMatch

string

LessThan

string

LessThanOrEqual

string

RegEx

string

PolicyEnabledState

Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.

Name Type Description
Disabled

string

Enabled

string

PolicyMode

Describes if it is in detection mode or prevention mode at policy level.

Name Type Description
Detection

string

Prevention

string

PolicyRequestBodyCheck

Describes if policy managed rules will inspect the request body content.

Name Type Description
Disabled

string

Enabled

string

PolicyResourceState

Resource status of the policy.

Name Type Description
Creating

string

Deleting

string

Disabled

string

Disabling

string

Enabled

string

Enabling

string

PolicySettings

Defines top-level WebApplicationFirewallPolicy configuration settings.

Name Type Description
customBlockResponseBody

string

If the action type is block, customer can override the response body. The body must be specified in base64 encoding.

customBlockResponseStatusCode

integer

If the action type is block, customer can override the response status code.

enabledState

PolicyEnabledState

Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.

javascriptChallengeExpirationInMinutes

integer

Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30.

logScrubbing.scrubbingRules

WebApplicationFirewallScrubbingRules[]

List of log scrubbing rules applied to the Web Application Firewall logs.

logScrubbing.state

WebApplicationFirewallScrubbingState

State of the log scrubbing config. Default value is Enabled.

mode

PolicyMode

Describes if it is in detection mode or prevention mode at policy level.

redirectUrl

string

If action type is redirect, this field represents redirect URL for the client.

requestBodyCheck

PolicyRequestBodyCheck

Describes if policy managed rules will inspect the request body content.

Defines the Resource ID for a Routing Rule.

Name Type Description
id

string

Resource ID.

RuleType

Describes type of rule.

Name Type Description
MatchRule

string

RateLimitRule

string

scrubbingRuleEntryMatchVariable

The variable to be scrubbed from the logs.

Name Type Description
QueryStringArgNames

string

RequestBodyJsonArgNames

string

RequestBodyPostArgNames

string

RequestCookieNames

string

RequestHeaderNames

string

RequestIPAddress

string

RequestUri

string

Defines the Resource ID for a Security Policy.

Name Type Description
id

string

Resource ID.

Sku

The pricing tier of the web application firewall policy.

Name Type Description
name

SkuName

Name of the pricing tier.

SkuName

Name of the pricing tier.

Name Type Description
Classic_AzureFrontDoor

string

Premium_AzureFrontDoor

string

Standard_AzureFrontDoor

string

TransformType

Describes what transforms applied before matching.

Name Type Description
Lowercase

string

RemoveNulls

string

Trim

string

Uppercase

string

UrlDecode

string

UrlEncode

string

VariableName

Describes the supported variable for group by

Name Type Description
GeoLocation

string

None

string

SocketAddr

string

WebApplicationFirewallPolicy

Defines web application firewall policy.

Name Type Description
etag

string

Gets a unique read-only string that changes whenever the resource is updated.

id

string

Resource ID.

location

string

Resource location.

name

string

Resource name.

properties.customRules

CustomRuleList

Describes custom rules inside the policy.

properties.frontendEndpointLinks

FrontendEndpointLink[]

Describes Frontend Endpoints associated with this Web Application Firewall policy.

properties.managedRules

ManagedRuleSetList

Describes managed rules inside the policy.

properties.policySettings

PolicySettings

Describes settings for the policy.

properties.provisioningState

string

Provisioning state of the policy.

properties.resourceState

PolicyResourceState

Resource status of the policy.

properties.routingRuleLinks

RoutingRuleLink[]

Describes Routing Rules associated with this Web Application Firewall policy.

properties.securityPolicyLinks

SecurityPolicyLink[]

Describes Security Policy associated with this Web Application Firewall policy.

sku

Sku

The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified.

tags

object

Resource tags.

type

string

Resource type.

WebApplicationFirewallScrubbingRules

Defines the contents of the log scrubbing rules.

Name Type Description
matchVariable

scrubbingRuleEntryMatchVariable

The variable to be scrubbed from the logs.

selector

string

When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to.

selectorMatchOperator

scrubbingRuleEntryMatchOperator

When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.

state

scrubbingRuleEntryState

Defines the state of a log scrubbing rule. Default value is enabled.

WebApplicationFirewallScrubbingState

State of the log scrubbing config. Default value is Enabled.

Name Type Description
Disabled

string

Enabled

string