はじめに
本記事では Application Gateway WAF のポリシーやカスタムルールの制御(作成・削除など)を azコマンド経由で実行する方法を説明します。
Azure CLI(azコマンド)で Application Gateway WAF を操作
1. WAFポリシー
$ az network application-gateway waf-policy -h
Group
az network application-gateway waf-policy : Manage application gateway web application firewall
(WAF) policies.
Subgroups:
custom-rule : Manage application gateway web application firewall (WAF) policy custom rules.
managed-rule : Manage managed rules of a waf-policy. Visit: https://docs.microsoft.com/en-
us/azure/web-application-firewall/afds/afds-overview.
policy-setting : Defines contents of a web application firewall global configuration.
Commands:
create : Create an application gateway WAF policy.
delete : Delete an application gateway WAF policy.
list : List application gateway WAF policies.
show : Get the details of an application gateway WAF policy.
update : Update an application gateway WAF policy.
wait : Place the CLI in a waiting state until a condition of the application gateway
WAF policy is met.
1-1. WAFポリシーの作成 (create サブコマンド)
createサブコマンドのヘルプ
$ az network application-gateway waf-policy create -h
Command
az network application-gateway waf-policy create : Create an application gateway WAF policy.
Arguments
--name -n [Required] : The name of the application gateway WAF policy.
--resource-group -g [Required] : Name of resource group. You can configure the default group
using `az configure --defaults group=<name>`.
--location -l : Location. Values from: `az account list-locations`. You can
configure the default location using `az configure --defaults
location=<location>`.
--tags : Space-separated tags: key[=value] [key[=value] ...]. Use '' to
clear existing tags.
Examples
Create an application gateway WAF policy. (autogenerated)
az network application-gateway waf-policy create --name MyApplicationGatewayWAFPolicy
--resource-group MyResourceGroup
$ az network application-gateway waf-policy create \ --name TestPolicy \ --resource-group testResourceGroup
1-2. WAFポリシーの詳細表示 (show サブコマンド)
showサブコマンドのヘルプ
$ az network application-gateway waf-policy show \ --resource-group 'testResourceGroup' \ --name 'TestPolicy' ----- 出力 ----- { "applicationGateways": null, "customRules": [], "etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"", "httpListeners": null, "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/TestPolicy", "location": "japaneast", "managedRules": { "exclusions": [], "managedRuleSets": [ { "ruleGroupOverrides": [], "ruleSetType": "OWASP", "ruleSetVersion": "3.0" } ] }, "name": "TestPolicy", "pathBasedRules": null, "policySettings": { "fileUploadLimitInMb": 100, "maxRequestBodySizeInKb": 128, "mode": "Detection", "requestBodyCheck": true, "state": "Disabled" }, "provisioningState": "Succeeded", "resourceGroup": "testResourceGroup", "resourceState": null, "tags": null, "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies" } ---------------
2. カスタムルール
$ az network application-gateway waf-policy custom-rule -h
Group
az network application-gateway waf-policy custom-rule : Manage application gateway web
application firewall (WAF) policy custom rules.
Subgroups:
match-condition : Manage application gateway web application firewall (WAF) policies.
Commands:
create : Create an application gateway WAF policy custom rule.
delete : Delete an application gateway WAF policy custom rule.
list : List application gateway WAF policy custom rules.
show : Get the details of an application gateway WAF policy custom rule.
update : Update an application gateway WAF policy custom rule.
2-1. カスタムルールの作成 (create サブコマンド)
createサブコマンドのヘルプ
$ az network application-gateway waf-policy custom-rule create -h
Command
az network application-gateway waf-policy custom-rule create : Create an application gateway WAF
policy custom rule.
Arguments
--action [Required] : Action to take. Allowed values: Allow, Block, Log.
--name -n [Required] : Name of the WAF policy rule.
--policy-name [Required] : The name of the application gateway WAF policy.
--priority [Required] : Rule priority. Lower values are evaluated prior to higher
values.
--resource-group -g [Required] : Name of resource group. You can configure the default group
using `az configure --defaults group=<name>`.
--rule-type [Required] : Type of rule. Allowed values: Invalid, MatchRule.
ポリシー「TestPolicy」にカスタムルール「TestCustomRule」を作成。
$ az network application-gateway waf-policy custom-rule create \ --action 'Block' \ --name 'TestCustomRule' \ --policy-name 'TestPolicy' \ --priority '50' \ --resource-group 'testResourceGroup' \ --rule-type 'MatchRule' ----- 出力 ----- { "action": "Block", "etag": null, "matchConditions": [], "name": "TestCustomRule", "priority": 50, "ruleType": "MatchRule", "skippedManagedRuleSets": [] } ---------------
2-2. カスタムルールの削除 (delete サブコマンド)
deleteサブコマンドのヘルプ
$ az network application-gateway waf-policy custom-rule delete -h
Command
az network application-gateway waf-policy custom-rule delete : Delete an application gateway WAF
policy custom rule.
Arguments
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
リソースグループ「testResourceGroup」のポリシー「TestPolicy」内のカスタムルール「TestCustomRule」を削除。
$ az network application-gateway waf-policy custom-rule delete \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' \ --name 'TestCustomRule'
2-3. カスタムルールの一覧 (list サブコマンド)
listサブコマンドのヘルプ
$ az network application-gateway waf-policy custom-rule list \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' ----- 出力 ----- [ { "action": "Block", "etag": null, "matchConditions": [ { "matchValues": [ "hoge", "fuga" ], "matchVariables": [ { "selector": null, "variableName": "QueryString" }, { "selector": null, "variableName": "PostArgs" } ], "negationConditon": false, "operator": "Contains", "transforms": [ "Lowercase", "RemoveNulls" ] } ], "name": "TestCustomRule", "priority": 50, "ruleType": "MatchRule", "skippedManagedRuleSets": [] } ] ---------------
2-4. カスタムルールの詳細 (show サブコマンド)
カスタムルールを指定して詳細を確認することができます。
showサブコマンドのヘルプ
$ az network application-gateway waf-policy show -h
Command
az network application-gateway waf-policy show : Get the details of an application gateway WAF
policy.
Arguments
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
Global Arguments
--debug : Increase logging verbosity to show all debug logs.
--help -h : Show this help message and exit.
--only-show-errors : Only show errors, suppressing warnings.
--output -o : Output format. Allowed values: json, jsonc, none, table, tsv, yaml,
yamlc. Default: json.
--query : JMESPath query string. See http://jmespath.org/ for more information and
examples.
--verbose : Increase logging verbosity. Use --debug for full debug logs.
Examples
Get the details of an application gateway WAF policy. (autogenerated)
az network application-gateway waf-policy show --name MyApplicationGatewayWAFPolicy
--resource-group MyResourceGroup
カスタムルール「TestCustomRule」の詳細を出力してみます。
$ az network application-gateway waf-policy custom-rule show \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' \ --name 'TestCustomRule' ----- 出力 ----- { "action": "Block", "etag": null, "matchConditions": [ { "matchValues": [ "hoge", "fuga" ], "matchVariables": [ { "selector": null, "variableName": "QueryString" }, { "selector": null, "variableName": "PostArgs" } ], "negationConditon": false, "operator": "Contains", "transforms": [ "Lowercase", "RemoveNulls" ] } ], "name": "TestCustomRule", "priority": 50, "ruleType": "MatchRule", "skippedManagedRuleSets": [] } --------------------
2-5. カスタムルールの更新 (update サブコマンド)
$ az network application-gateway waf-policy custom-rule update -h
Command
az network application-gateway waf-policy custom-rule update : Update an application gateway WAF
policy custom rule.
Arguments
--action : Action to take. Allowed values: Allow, Block, Log.
--priority : Rule priority. Lower values are evaluated prior to higher values.
--rule-type : Type of rule. Allowed values: Invalid, MatchRule.
Generic Update Arguments
--add : Add an object to a list of objects by specifying a path and key value
pairs. Example: --add property.listProperty <key=value, string or JSON
string>.
--force-string : When using 'set' or 'add', preserve string literals instead of attempting
to convert to JSON.
--remove : Remove a property or an element from a list. Example: --remove
property.list <indexToRemove> OR --remove propertyToRemove.
--set : Update an object by specifying a property path and value to set. Example:
--set property1.property2=<value>.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
3. マッチ条件
$ az network application-gateway waf-policy custom-rule match-condition -h
Group
az network application-gateway waf-policy custom-rule match-condition : Manage application
gateway web application firewall (WAF) policies.
Commands:
add : A match condition to an application gateway WAF policy custom rule.
list : List application gateway WAF policy custom rule match conditions.
remove : Remove a match condition from an application gateway WAF policy custom rule.
3-1. マッチ条件を追加 (add サブコマンド)
$ az network application-gateway waf-policy custom-rule match-condition add -h
Command
az network application-gateway waf-policy custom-rule match-condition add : A match condition to
an application gateway WAF policy custom rule.
Arguments
--match-variables [Required] : Space-separated list of variables to use when matching. Variable
values: RemoteAddr, RequestMethod, QueryString, PostArgs,
RequestUri, RequestHeaders, RequestBody, RequestCookies.
--operator [Required] : Operator for matching. Allowed values: BeginsWith, Contains,
EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
IPMatch, LessThan, LessThanOrEqual, Regex.
--values [Required] : Space-separated list of values to match.
--negate : Match the negative of the condition. Allowed values: false,
true.
--transforms : Space-separated list of transforms to apply when matching.
Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
UrlDecode, UrlEncode.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a
complete resource ID containing all information of 'Resource Id'
arguments. If provided, no other 'Resource Id' arguments should
be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using
`az configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default
subscription using `az account set -s NAME_OR_ID`.
実際に以下の表のマッチ条件を作成してみます。
| マッチ条件 | |
|---|---|
| Match variable | ["QueryString", "PostArgs"] |
| Operator | "Contains" |
| Match values | ["hoge", "fuga"] |
| Transformations | ["Lowercase", "RemoveNulls"] |
$ az network application-gateway waf-policy custom-rule match-condition add \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' \ --name 'TestCustomRule' \ --match-variables 'QueryString' 'PostArgs' \ --operator 'Contains' \ --values 'hoge' 'fuga' \ --transforms 'Lowercase' 'RemoveNulls' ----- 出力 ----- { "matchValues": [ "hoge", "fuga" ], "matchVariables": [ { "selector": null, "variableName": "QueryString" }, { "selector": null, "variableName": "PostArgs" } ], "negationConditon": null, "operator": "Contains", "transforms": [ "Lowercase", "RemoveNulls" ] } ---------------
Azureのダッシュボード から作成されたことが確認できました。
3-2. マッチ条件の一覧 (list サブコマンド)
$ az network application-gateway waf-policy custom-rule match-condition list \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' \ --name 'TestCustomRule' ----- 出力 ----- [ { "matchValues": [ "hoge", "fuga" ], "matchVariables": [ { "selector": null, "variableName": "QueryString" }, { "selector": null, "variableName": "PostArgs" } ], "negationConditon": false, "operator": "Contains", "transforms": [ "Lowercase", "RemoveNulls" ] } ] ---------------
3-3. マッチ条件を削除 (remove サブコマンド)
$ az network application-gateway waf-policy custom-rule match-condition remove -h
Command
az network application-gateway waf-policy custom-rule match-condition remove : Remove a match
condition from an application gateway WAF policy custom rule.
Arguments
--index [Required] : Index of the match condition to remove.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
$ az network application-gateway waf-policy custom-rule match-condition remove \ --resource-group 'testResourceGroup' \ --policy-name 'TestPolicy' \ --name 'TestCustomRule' \ --index 0
