Mattari Tech Blog

A security blog aimed mainly at web engineers. Occasionally development topics too.

[Azure] Managing Application Gateway WAF with the Azure CLI - Custom rules


Introduction

This article explains how to manage Application Gateway WAF policies and custom rules (create, delete, and so on) through the az command.

Managing Application Gateway WAF with the Azure CLI (az command)

1. WAF policies

$ az network application-gateway waf-policy -h

Group
    az network application-gateway waf-policy : Manage application gateway web application firewall
    (WAF) policies.

Subgroups:
    custom-rule    : Manage application gateway web application firewall (WAF) policy custom rules.
    managed-rule   : Manage managed rules of a waf-policy. Visit: https://docs.microsoft.com/en-
                     us/azure/web-application-firewall/afds/afds-overview.
    policy-setting : Defines contents of a web application firewall global configuration.

Commands:
    create         : Create an application gateway WAF policy.
    delete         : Delete an application gateway WAF policy.
    list           : List application gateway WAF policies.
    show           : Get the details of an application gateway WAF policy.
    update         : Update an application gateway WAF policy.
    wait           : Place the CLI in a waiting state until a condition of the application gateway
                     WAF policy is met.

1-1. Creating a WAF policy (create subcommand)

Help for the create subcommand

$ az network application-gateway waf-policy create -h

Command
    az network application-gateway waf-policy create : Create an application gateway WAF policy.

Arguments
    --name -n           [Required] : The name of the application gateway WAF policy.
    --resource-group -g [Required] : Name of resource group. You can configure the default group
                                     using `az configure --defaults group=<name>`.
    --location -l                  : Location. Values from: `az account list-locations`. You can
                                     configure the default location using `az configure --defaults
                                     location=<location>`.
    --tags                         : Space-separated tags: key[=value] [key[=value] ...]. Use '' to
                                     clear existing tags.

Examples
    Create an application gateway WAF policy. (autogenerated)
        az network application-gateway waf-policy create --name MyApplicationGatewayWAFPolicy
        --resource-group MyResourceGroup

Create a policy named TestPolicy in the resource group testResourceGroup:

$ az network application-gateway waf-policy create \
  --name TestPolicy \
  --resource-group testResourceGroup

1-2. Showing WAF policy details (show subcommand)

Run the show subcommand against the policy just created. Two things in the output matter for security: policySettings.state is Disabled and mode is Detection, so a policy created this way evaluates nothing at all, and even once enabled it only logs matches until the mode is switched to Prevention. It is also not yet associated with any application gateway (applicationGateways is null). The bundled managed rule set is OWASP 3.0.

$ az network application-gateway waf-policy show \
  --resource-group 'testResourceGroup' \
  --name 'TestPolicy'

----- Output -----
{
  "applicationGateways": null,
  "customRules": [],
  "etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
  "httpListeners": null,
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/TestPolicy",
  "location": "japaneast",
  "managedRules": {
    "exclusions": [],
    "managedRuleSets": [
      {
        "ruleGroupOverrides": [],
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0"
      }
    ]
  },
  "name": "TestPolicy",
  "pathBasedRules": null,
  "policySettings": {
    "fileUploadLimitInMb": 100,
    "maxRequestBodySizeInKb": 128,
    "mode": "Detection",
    "requestBodyCheck": true,
    "state": "Disabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "testResourceGroup",
  "resourceState": null,
  "tags": null,
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
---------------
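As an added example, not code from the original post, the following Python script audits a policy in the shape of the show output above and flags the settings just discussed. The embedded SAMPLE_POLICY is a constructed copy of that output; the OWASP version threshold and the finding codes are the example's own choices.

```python
"""Audit an Application Gateway WAF policy from the JSON printed by
`az network application-gateway waf-policy show --output json`.

Added example; not code from the original post.  Typical use:
    az network application-gateway waf-policy show \
        -g testResourceGroup -n TestPolicy -o json | python3 waf_audit.py
With nothing on stdin it audits SAMPLE_POLICY instead.
"""
import json
import sys
from typing import List

# Constructed sample: the freshly created policy as shown in the post.
SAMPLE_POLICY = {
    "applicationGateways": None,
    "customRules": [],
    "managedRules": {
        "exclusions": [],
        "managedRuleSets": [
            {"ruleGroupOverrides": [], "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}
        ],
    },
    "name": "TestPolicy",
    "policySettings": {
        "fileUploadLimitInMb": 100,
        "maxRequestBodySizeInKb": 128,
        "mode": "Detection",
        "requestBodyCheck": True,
        "state": "Disabled",
    },
}

# The example's own threshold: OWASP CRS versions below this are reported as stale.
MIN_OWASP_VERSION = (3, 1)


def _version(text: str) -> tuple:
    """'3.0' -> (3, 0); non-numeric parts are ignored."""
    return tuple(int(part) for part in str(text).split(".") if part.isdigit())


def audit_waf_policy(policy: dict) -> List[str]:
    """Return 'CODE: message' findings, in evaluation order; [] means nothing flagged."""
    findings: List[str] = []
    name = policy.get("name", "<unnamed>")
    settings = policy.get("policySettings") or {}

    # A policy only does anything when it is Enabled *and* attached to a gateway,
    # and only blocks when in Prevention mode.
    if settings.get("state") != "Enabled":
        findings.append(f"STATE_DISABLED: {name} has state {settings.get('state')}; "
                        "no rule is evaluated")
    if settings.get("mode") != "Prevention":
        findings.append(f"MODE_DETECTION: {name} is in {settings.get('mode')} mode; "
                        "matches are logged but never blocked")
    if not settings.get("requestBodyCheck", False):
        findings.append(f"NO_BODY_CHECK: {name} does not inspect request bodies")
    if not policy.get("applicationGateways"):
        findings.append(f"NO_GATEWAY: {name} is not associated with any application gateway")

    managed = (policy.get("managedRules") or {}).get("managedRuleSets") or []
    for rule_set in managed:
        version = rule_set.get("ruleSetVersion", "0")
        if rule_set.get("ruleSetType") == "OWASP" and _version(version) < MIN_OWASP_VERSION:
            wanted = ".".join(str(n) for n in MIN_OWASP_VERSION)
            findings.append(f"OLD_RULESET: OWASP {version} is below {wanted}")

    # Custom rules run before the managed rule set; a rule with no match
    # conditions (what `custom-rule create` produces) expresses no criteria yet,
    # and an Allow rule stops evaluation for anything it matches.
    for rule in policy.get("customRules") or []:
        rule_name = rule.get("name", "<unnamed>")
        if not rule.get("matchConditions"):
            findings.append(f"RULE_NO_CONDITIONS: custom rule {rule_name} has no match condition")
        if rule.get("action") == "Allow":
            findings.append(f"RULE_ALLOW: custom rule {rule_name} allows and skips the remaining "
                            "rules; make sure its conditions are narrow")
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    policy = json.loads(raw) if raw.strip() else SAMPLE_POLICY
    result = audit_waf_policy(policy)
    print("\n".join(result) or f"{policy.get('name')}: no findings")
    sys.exit(1 if result else 0)
```

Run against the sample, it reports the disabled state, Detection mode, the missing gateway association and the OWASP 3.0 rule set; the non-zero exit code makes it usable as a gate in a deployment pipeline.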

2. Custom rules

$ az network application-gateway waf-policy custom-rule -h

Group
    az network application-gateway waf-policy custom-rule : Manage application gateway web
    application firewall (WAF) policy custom rules.

Subgroups:
    match-condition : Manage application gateway web application firewall (WAF) policies.

Commands:
    create          : Create an application gateway WAF policy custom rule.
    delete          : Delete an application gateway WAF policy custom rule.
    list            : List application gateway WAF policy custom rules.
    show            : Get the details of an application gateway WAF policy custom rule.
    update          : Update an application gateway WAF policy custom rule.

2-1. Creating a custom rule (create subcommand)

Help for the create subcommand

$ az network application-gateway waf-policy custom-rule create -h

Command
    az network application-gateway waf-policy custom-rule create : Create an application gateway WAF
    policy custom rule.

Arguments
    --action            [Required] : Action to take.  Allowed values: Allow, Block, Log.
    --name -n           [Required] : Name of the WAF policy rule.
    --policy-name       [Required] : The name of the application gateway WAF policy.
    --priority          [Required] : Rule priority. Lower values are evaluated prior to higher
                                     values.
    --resource-group -g [Required] : Name of resource group. You can configure the default group
                                     using `az configure --defaults group=<name>`.
    --rule-type         [Required] : Type of rule.  Allowed values: Invalid, MatchRule.

Create a custom rule named TestCustomRule in the TestPolicy policy. Note that the rule comes back with an empty matchConditions list: match conditions are attached separately with the match-condition subgroup (section 3), and until at least one is attached the rule expresses no matching criteria.

$ az network application-gateway waf-policy custom-rule create \
  --action 'Block' \
  --name 'TestCustomRule' \
  --policy-name 'TestPolicy' \
  --priority '50' \
  --resource-group 'testResourceGroup' \
  --rule-type 'MatchRule'

----- Output -----
{
  "action": "Block",
  "etag": null,
  "matchConditions": [],
  "name": "TestCustomRule",
  "priority": 50,
  "ruleType": "MatchRule",
  "skippedManagedRuleSets": []
}
---------------

2-2. Deleting a custom rule (delete subcommand)

Help for the delete subcommand

$ az network application-gateway waf-policy custom-rule delete -h

Command
    az network application-gateway waf-policy custom-rule delete : Delete an application gateway WAF
    policy custom rule.

Arguments

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using `az
                          configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.

Delete the custom rule TestCustomRule from the TestPolicy policy in resource group testResourceGroup.

$ az network application-gateway waf-policy custom-rule delete \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy' \
  --name 'TestCustomRule'

2-3. Listing custom rules (list subcommand)

List the custom rules in the policy (the output below is from a rule that already has a match condition attached, as set up in section 3):

$ az network application-gateway waf-policy custom-rule list \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy'

----- Output -----
[
  {
    "action": "Block",
    "etag": null,
    "matchConditions": [
      {
        "matchValues": [
          "hoge",
          "fuga"
        ],
        "matchVariables": [
          {
            "selector": null,
            "variableName": "QueryString"
          },
          {
            "selector": null,
            "variableName": "PostArgs"
          }
        ],
        "negationConditon": false,
        "operator": "Contains",
        "transforms": [
          "Lowercase",
          "RemoveNulls"
        ]
      }
    ],
    "name": "TestCustomRule",
    "priority": 50,
    "ruleType": "MatchRule",
    "skippedManagedRuleSets": []
  }
]
---------------

2-4. Custom rule details (show subcommand)

You can view the details of a specific custom rule.

Help for the show subcommand. (The help captured below is for the policy-level waf-policy show; the custom-rule show variant additionally takes --policy-name to identify the parent policy, as the example that follows uses.)

$ az network application-gateway waf-policy show -h

Command
    az network application-gateway waf-policy show : Get the details of an application gateway WAF
    policy.

Arguments

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using `az
                          configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.

Global Arguments
    --debug             : Increase logging verbosity to show all debug logs.
    --help -h           : Show this help message and exit.
    --only-show-errors  : Only show errors, suppressing warnings.
    --output -o         : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml,
                          yamlc.  Default: json.
    --query             : JMESPath query string. See http://jmespath.org/ for more information and
                          examples.
    --verbose           : Increase logging verbosity. Use --debug for full debug logs.

Examples
    Get the details of an application gateway WAF policy. (autogenerated)
        az network application-gateway waf-policy show --name MyApplicationGatewayWAFPolicy
        --resource-group MyResourceGroup

Let's print the details of the custom rule TestCustomRule.

$ az network application-gateway waf-policy custom-rule show \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy' \
  --name 'TestCustomRule'

----- Output -----
{
  "action": "Block",
  "etag": null,
  "matchConditions": [
    {
      "matchValues": [
        "hoge",
        "fuga"
      ],
      "matchVariables": [
        {
          "selector": null,
          "variableName": "QueryString"
        },
        {
          "selector": null,
          "variableName": "PostArgs"
        }
      ],
      "negationConditon": false,
      "operator": "Contains",
      "transforms": [
        "Lowercase",
        "RemoveNulls"
      ]
    }
  ],
  "name": "TestCustomRule",
  "priority": 50,
  "ruleType": "MatchRule",
  "skippedManagedRuleSets": []
}
---------------

2-5. Updating a custom rule (update subcommand)

$ az network application-gateway waf-policy custom-rule update -h

Command
    az network application-gateway waf-policy custom-rule update : Update an application gateway WAF
    policy custom rule.

Arguments
    --action            : Action to take.  Allowed values: Allow, Block, Log.
    --priority          : Rule priority. Lower values are evaluated prior to higher values.
    --rule-type         : Type of rule.  Allowed values: Invalid, MatchRule.

Generic Update Arguments
    --add               : Add an object to a list of objects by specifying a path and key value
                          pairs.  Example: --add property.listProperty <key=value, string or JSON
                          string>.
    --force-string      : When using 'set' or 'add', preserve string literals instead of attempting
                          to convert to JSON.
    --remove            : Remove a property or an element from a list.  Example: --remove
                          property.list <indexToRemove> OR --remove propertyToRemove.
    --set               : Update an object by specifying a property path and value to set.  Example:
                          --set property1.property2=<value>.

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using `az
                          configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.

3. Match conditions

$ az network application-gateway waf-policy custom-rule match-condition -h

Group
    az network application-gateway waf-policy custom-rule match-condition : Manage application
    gateway web application firewall (WAF) policies.

Commands:
    add    : A match condition to an application gateway WAF policy custom rule.
    list   : List application gateway WAF policy custom rule match conditions.
    remove : Remove a match condition from an application gateway WAF policy custom rule.

3-1. Adding a match condition (add subcommand)

$ az network application-gateway waf-policy custom-rule match-condition add -h

Command
    az network application-gateway waf-policy custom-rule match-condition add : A match condition to
    an application gateway WAF policy custom rule.

Arguments
    --match-variables [Required] : Space-separated list of variables to use when matching. Variable
                                   values: RemoteAddr, RequestMethod, QueryString, PostArgs,
                                   RequestUri, RequestHeaders, RequestBody, RequestCookies.
    --operator        [Required] : Operator for matching.  Allowed values: BeginsWith, Contains,
                                   EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
                                   IPMatch, LessThan, LessThanOrEqual, Regex.
    --values          [Required] : Space-separated list of values to match.
    --negate                     : Match the negative of the condition.  Allowed values: false,
                                   true.
    --transforms                 : Space-separated list of transforms to apply when matching.
                                   Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
                                   UrlDecode, UrlEncode.

Resource Id Arguments
    --ids                        : One or more resource IDs (space-delimited). It should be a
                                   complete resource ID containing all information of 'Resource Id'
                                   arguments. If provided, no other 'Resource Id' arguments should
                                   be specified.
    --name -n                    : Name of the WAF policy rule.
    --policy-name                : The name of the application gateway WAF policy.
    --resource-group -g          : Name of resource group. You can configure the default group using
                                   `az configure --defaults group=<name>`.
    --subscription               : Name or ID of subscription. You can configure the default
                                   subscription using `az account set -s NAME_OR_ID`.

Now let's actually create the match condition in the table below. It matches requests whose query string or POST arguments contain "hoge" or "fuga" after lower-casing and null-byte removal, which is why the match values are given in lower case.

Match condition
  Match variable    ["QueryString", "PostArgs"]
  Operator          "Contains"
  Match values      ["hoge", "fuga"]
  Transformations   ["Lowercase", "RemoveNulls"]

$ az network application-gateway waf-policy custom-rule match-condition add \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy' \
  --name 'TestCustomRule' \
  --match-variables 'QueryString' 'PostArgs' \
  --operator 'Contains' \
  --values 'hoge' 'fuga' \
  --transforms 'Lowercase' 'RemoveNulls'

----- Output -----
{
  "matchValues": [
    "hoge",
    "fuga"
  ],
  "matchVariables": [
    {
      "selector": null,
      "variableName": "QueryString"
    },
    {
      "selector": null,
      "variableName": "PostArgs"
    }
  ],
  "negationConditon": null,
  "operator": "Contains",
  "transforms": [
    "Lowercase",
    "RemoveNulls"
  ]
}
---------------

The new condition can also be confirmed from the Azure portal dashboard.

3-2. Listing match conditions (list subcommand)

$ az network application-gateway waf-policy custom-rule match-condition list \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy' \
  --name 'TestCustomRule'

----- Output -----
[
  {
    "matchValues": [
      "hoge",
      "fuga"
    ],
    "matchVariables": [
      {
        "selector": null,
        "variableName": "QueryString"
      },
      {
        "selector": null,
        "variableName": "PostArgs"
      }
    ],
    "negationConditon": false,
    "operator": "Contains",
    "transforms": [
      "Lowercase",
      "RemoveNulls"
    ]
  }
]
---------------

3-3. Removing a match condition (remove subcommand)

$ az network application-gateway waf-policy custom-rule match-condition remove -h

Command
    az network application-gateway waf-policy custom-rule match-condition remove : Remove a match
    condition from an application gateway WAF policy custom rule.

Arguments
    --index  [Required] : Index of the match condition to remove.

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using `az
                          configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.

Remove the match condition at index 0. The index is the zero-based position in the current match-condition list (the condition added above is the only one, so it is index 0). Because the entries after a removed one shift down, re-run the list subcommand and recompute the index before each further removal.

$ az network application-gateway waf-policy custom-rule match-condition remove \
  --resource-group 'testResourceGroup' \
  --policy-name 'TestPolicy' \
  --name 'TestCustomRule' \
  --index 0
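As an added example that is not part of the original post, the following Python script chains the subcommands from sections 2 and 3 into one procedure: create a custom rule in Log, attach an IPMatch condition on RemoteAddr, read the condition back, switch the rule to Block with custom-rule update (section 2-5), and only then enable the policy in Prevention mode. It also removes a condition by value rather than by a remembered index, which is the safe way to use remove --index. Assumptions: the rule name BlockListedSources and the CIDRs are constructed (documentation ranges); the --state and --mode flags of policy-setting update come from the Azure CLI reference and are not shown in this post's help output; every az call goes through an injectable runner so the sequence can be dry-run without a subscription.

```python
"""Stage a source-IP blocklist rule on an Application Gateway WAF policy,
verify it, then arm it.  Added example, not code from the original post.

Every az invocation goes through a `run` callable so the sequence can be
dry-run or unit-tested without an Azure subscription.
"""
import json
import subprocess
import sys
from typing import Callable, List, Optional

Runner = Callable[[List[str]], str]

# Resource group and policy names from the post; rule name and CIDRs are constructed.
RG, POLICY, RULE = "testResourceGroup", "TestPolicy", "BlockListedSources"
BLOCKED_SOURCES = ["203.0.113.0/24", "198.51.100.7"]

CUSTOM_RULE = ["network", "application-gateway", "waf-policy", "custom-rule"]
POLICY_SETTING = ["network", "application-gateway", "waf-policy", "policy-setting"]
RULE_ID = ["--resource-group", RG, "--policy-name", POLICY, "--name", RULE]


def real_runner(argv: List[str]) -> str:
    """Execute az and return stdout; a non-zero exit raises CalledProcessError."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


class RecordingRunner:
    """Stand-in for az: records each argv and replays canned JSON keyed by a
    substring of the command line (used for dry runs and tests)."""

    def __init__(self, canned: Optional[dict] = None):
        self.calls: List[List[str]] = []
        self.canned = canned or {}

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(argv)
        line = " ".join(argv)
        for key, output in self.canned.items():
            if key in line:
                return output
        return "{}"


def az(args: List[str], run: Runner):
    """Run one az command with JSON output and return the parsed result."""
    out = run(["az", *args, "--output", "json"])
    return json.loads(out) if out.strip() else None


def deploy_blocklist(run: Runner, sources: List[str] = BLOCKED_SOURCES) -> list:
    """Create the rule in Log, attach the IPMatch condition, verify it, then
    switch the rule to Block and enable the policy in Prevention mode."""
    # 1. The rule alone: on creation it has no match conditions (section 2-1).
    az([*CUSTOM_RULE, "create", *RULE_ID, "--priority", "10",
        "--rule-type", "MatchRule", "--action", "Log"], run)
    # 2. Attach the condition: client address inside any of the listed ranges.
    az([*CUSTOM_RULE, "match-condition", "add", *RULE_ID,
        "--match-variables", "RemoteAddr", "--operator", "IPMatch",
        "--values", *sources], run)
    # 3. Read back before arming: if the condition is not there, the rule does
    #    not express what we think, so stop rather than enabling the policy.
    conditions = az([*CUSTOM_RULE, "match-condition", "list", *RULE_ID], run) or []
    ok = any(c.get("operator") == "IPMatch"
             and set(c.get("matchValues", [])) == set(sources)
             for c in conditions)
    if not ok:
        raise RuntimeError(f"rule {RULE}: IPMatch condition not present, not enabling")
    # 4. Arm: flip the rule from Log to Block (section 2-5).
    az([*CUSTOM_RULE, "update", *RULE_ID, "--action", "Block"], run)
    # 5. A new policy is Disabled and in Detection mode (section 1-2); the
    #    --state/--mode flags are assumed from the CLI reference, not this post.
    az([*POLICY_SETTING, "update", "--resource-group", RG, "--policy-name", POLICY,
        "--state", "Enabled", "--mode", "Prevention"], run)
    return conditions


def remove_condition_with_value(run: Runner, value: str) -> int:
    """Remove the first condition whose matchValues contains `value`; return the
    index used.  --index is a position in the *current* list, so the list is
    re-read immediately before removing: an index remembered from an earlier
    listing can point at a different condition once another one was removed."""
    conditions = az([*CUSTOM_RULE, "match-condition", "list", *RULE_ID], run) or []
    for index, cond in enumerate(conditions):
        if value in cond.get("matchValues", []):
            az([*CUSTOM_RULE, "match-condition", "remove", *RULE_ID,
                "--index", str(index)], run)
            return index
    raise LookupError(f"no condition matches {value!r}")


if __name__ == "__main__":
    runner: Runner = real_runner if "--apply" in sys.argv else RecordingRunner(
        {"match-condition list": json.dumps([{"operator": "IPMatch",
                                               "matchValues": BLOCKED_SOURCES}])})
    deploy_blocklist(runner)
    if isinstance(runner, RecordingRunner):
        for call in runner.calls:
            print(" ".join(call))
```

Run without arguments to print the five az command lines from the recording stand-in; pass --apply to execute them against the subscription you are logged in to. Staging the rule in Log and only then updating it to Block means a bad condition is visible in the WAF logs before it can deny legitimate traffic.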