Introduction
This article explains how to control Application Gateway WAF policies and custom rules (create, delete, and so on) through the az command.
Operating Application Gateway WAF with the Azure CLI (az command)
1. WAF policies
```
$ az network application-gateway waf-policy -h

Group
    az network application-gateway waf-policy : Manage application gateway web application
    firewall (WAF) policies.

Subgroups:
    custom-rule    : Manage application gateway web application firewall (WAF) policy custom rules.
    managed-rule   : Manage managed rules of a waf-policy. Visit:
                     https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview.
    policy-setting : Defines contents of a web application firewall global configuration.

Commands:
    create         : Create an application gateway WAF policy.
    delete         : Delete an application gateway WAF policy.
    list           : List application gateway WAF policies.
    show           : Get the details of an application gateway WAF policy.
    update         : Update an application gateway WAF policy.
    wait           : Place the CLI in a waiting state until a condition of the application gateway
                     WAF policy is met.
```
1-1. Creating a WAF policy (create subcommand)
Help for the create subcommand
```
$ az network application-gateway waf-policy create -h

Command
    az network application-gateway waf-policy create : Create an application gateway WAF policy.

Arguments
    --name -n           [Required] : The name of the application gateway WAF policy.
    --resource-group -g [Required] : Name of resource group. You can configure the default group
                                     using `az configure --defaults group=<name>`.
    --location -l                  : Location. Values from: `az account list-locations`. You can
                                     configure the default location using
                                     `az configure --defaults location=<location>`.
    --tags                         : Space-separated tags: key[=value] [key[=value] ...]. Use '' to
                                     clear existing tags.

Examples
    Create an application gateway WAF policy. (autogenerated)
        az network application-gateway waf-policy create --name MyApplicationGatewayWAFPolicy --resource-group MyResourceGroup
```
```
$ az network application-gateway waf-policy create \
    --name TestPolicy \
    --resource-group testResourceGroup
```
1-2. Showing WAF policy details (show subcommand)
Help for the show subcommand
```
$ az network application-gateway waf-policy show \
    --resource-group 'testResourceGroup' \
    --name 'TestPolicy'

----- Output -----
{
  "applicationGateways": null,
  "customRules": [],
  "etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
  "httpListeners": null,
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/TestPolicy",
  "location": "japaneast",
  "managedRules": {
    "exclusions": [],
    "managedRuleSets": [
      {
        "ruleGroupOverrides": [],
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0"
      }
    ]
  },
  "name": "TestPolicy",
  "pathBasedRules": null,
  "policySettings": {
    "fileUploadLimitInMb": 100,
    "maxRequestBodySizeInKb": 128,
    "mode": "Detection",
    "requestBodyCheck": true,
    "state": "Disabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "testResourceGroup",
  "resourceState": null,
  "tags": null,
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
------------------
```
2. Custom rules
```
$ az network application-gateway waf-policy custom-rule -h

Group
    az network application-gateway waf-policy custom-rule : Manage application gateway web
    application firewall (WAF) policy custom rules.

Subgroups:
    match-condition : Manage application gateway web application firewall (WAF) policies.

Commands:
    create          : Create an application gateway WAF policy custom rule.
    delete          : Delete an application gateway WAF policy custom rule.
    list            : List application gateway WAF policy custom rules.
    show            : Get the details of an application gateway WAF policy custom rule.
    update          : Update an application gateway WAF policy custom rule.
```
2-1. Creating a custom rule (create subcommand)
Help for the create subcommand
```
$ az network application-gateway waf-policy custom-rule create -h

Command
    az network application-gateway waf-policy custom-rule create : Create an application gateway
    WAF policy custom rule.

Arguments
    --action            [Required] : Action to take. Allowed values: Allow, Block, Log.
    --name -n           [Required] : Name of the WAF policy rule.
    --policy-name       [Required] : The name of the application gateway WAF policy.
    --priority          [Required] : Rule priority. Lower values are evaluated prior to higher
                                     values.
    --resource-group -g [Required] : Name of resource group. You can configure the default group
                                     using `az configure --defaults group=<name>`.
    --rule-type         [Required] : Type of rule. Allowed values: Invalid, MatchRule.
```
Create the custom rule "TestCustomRule" in the policy "TestPolicy".
```
$ az network application-gateway waf-policy custom-rule create \
    --action 'Block' \
    --name 'TestCustomRule' \
    --policy-name 'TestPolicy' \
    --priority '50' \
    --resource-group 'testResourceGroup' \
    --rule-type 'MatchRule'

----- Output -----
{
  "action": "Block",
  "etag": null,
  "matchConditions": [],
  "name": "TestCustomRule",
  "priority": 50,
  "ruleType": "MatchRule",
  "skippedManagedRuleSets": []
}
------------------
```
2-2. Deleting a custom rule (delete subcommand)
Help for the delete subcommand
```
$ az network application-gateway waf-policy custom-rule delete -h

Command
    az network application-gateway waf-policy custom-rule delete : Delete an application gateway
    WAF policy custom rule.

Arguments

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using
                          `az configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.
```
Delete the custom rule "TestCustomRule" in the policy "TestPolicy" of the resource group "testResourceGroup".
```
$ az network application-gateway waf-policy custom-rule delete \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy' \
    --name 'TestCustomRule'
```
2-3. Listing custom rules (list subcommand)
Help for the list subcommand
```
$ az network application-gateway waf-policy custom-rule list \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy'

----- Output -----
[
  {
    "action": "Block",
    "etag": null,
    "matchConditions": [
      {
        "matchValues": [
          "hoge",
          "fuga"
        ],
        "matchVariables": [
          {
            "selector": null,
            "variableName": "QueryString"
          },
          {
            "selector": null,
            "variableName": "PostArgs"
          }
        ],
        "negationConditon": false,
        "operator": "Contains",
        "transforms": [
          "Lowercase",
          "RemoveNulls"
        ]
      }
    ],
    "name": "TestCustomRule",
    "priority": 50,
    "ruleType": "MatchRule",
    "skippedManagedRuleSets": []
  }
]
------------------
```
2-4. Custom rule details (show subcommand)
You can specify a custom rule and check its details.
Help for the show subcommand
```
$ az network application-gateway waf-policy show -h

Command
    az network application-gateway waf-policy show : Get the details of an application gateway
    WAF policy.

Arguments

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using
                          `az configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.

Global Arguments
    --debug             : Increase logging verbosity to show all debug logs.
    --help -h           : Show this help message and exit.
    --only-show-errors  : Only show errors, suppressing warnings.
    --output -o         : Output format. Allowed values: json, jsonc, none, table, tsv, yaml,
                          yamlc. Default: json.
    --query             : JMESPath query string. See http://jmespath.org/ for more information and
                          examples.
    --verbose           : Increase logging verbosity. Use --debug for full debug logs.

Examples
    Get the details of an application gateway WAF policy. (autogenerated)
        az network application-gateway waf-policy show --name MyApplicationGatewayWAFPolicy --resource-group MyResourceGroup
```
Let's output the details of the custom rule "TestCustomRule".
```
$ az network application-gateway waf-policy custom-rule show \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy' \
    --name 'TestCustomRule'

----- Output -----
{
  "action": "Block",
  "etag": null,
  "matchConditions": [
    {
      "matchValues": [
        "hoge",
        "fuga"
      ],
      "matchVariables": [
        {
          "selector": null,
          "variableName": "QueryString"
        },
        {
          "selector": null,
          "variableName": "PostArgs"
        }
      ],
      "negationConditon": false,
      "operator": "Contains",
      "transforms": [
        "Lowercase",
        "RemoveNulls"
      ]
    }
  ],
  "name": "TestCustomRule",
  "priority": 50,
  "ruleType": "MatchRule",
  "skippedManagedRuleSets": []
}
------------------
```
2-5. Updating a custom rule (update subcommand)
```
$ az network application-gateway waf-policy custom-rule update -h

Command
    az network application-gateway waf-policy custom-rule update : Update an application gateway
    WAF policy custom rule.

Arguments
    --action            : Action to take. Allowed values: Allow, Block, Log.
    --priority          : Rule priority. Lower values are evaluated prior to higher values.
    --rule-type         : Type of rule. Allowed values: Invalid, MatchRule.

Generic Update Arguments
    --add               : Add an object to a list of objects by specifying a path and key value
                          pairs. Example: --add property.listProperty <key=value, string or JSON
                          string>.
    --force-string      : When using 'set' or 'add', preserve string literals instead of attempting
                          to convert to JSON.
    --remove            : Remove a property or an element from a list. Example: --remove
                          property.list <indexToRemove> OR --remove propertyToRemove.
    --set               : Update an object by specifying a property path and value to set. Example:
                          --set property1.property2=<value>.

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using
                          `az configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.
```
3. Match conditions
```
$ az network application-gateway waf-policy custom-rule match-condition -h

Group
    az network application-gateway waf-policy custom-rule match-condition : Manage application
    gateway web application firewall (WAF) policies.

Commands:
    add    : A match condition to an application gateway WAF policy custom rule.
    list   : List application gateway WAF policy custom rule match conditions.
    remove : Remove a match condition from an application gateway WAF policy custom rule.
```
3-1. Adding a match condition (add subcommand)
```
$ az network application-gateway waf-policy custom-rule match-condition add -h

Command
    az network application-gateway waf-policy custom-rule match-condition add : A match condition
    to an application gateway WAF policy custom rule.

Arguments
    --match-variables [Required] : Space-separated list of variables to use when matching.
                                   Variable values: RemoteAddr, RequestMethod, QueryString,
                                   PostArgs, RequestUri, RequestHeaders, RequestBody,
                                   RequestCookies.
    --operator        [Required] : Operator for matching. Allowed values: BeginsWith, Contains,
                                   EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
                                   IPMatch, LessThan, LessThanOrEqual, Regex.
    --values          [Required] : Space-separated list of values to match.
    --negate                     : Match the negative of the condition. Allowed values: false,
                                   true.
    --transforms                 : Space-separated list of transforms to apply when matching.
                                   Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
                                   UrlDecode, UrlEncode.

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using
                          `az configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.
```
Let's actually create the match condition described in the table below.

| Match condition | Value |
|---|---|
| Match variable | ["QueryString", "PostArgs"] |
| Operator | "Contains" |
| Match values | ["hoge", "fuga"] |
| Transformations | ["Lowercase", "RemoveNulls"] |
```
$ az network application-gateway waf-policy custom-rule match-condition add \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy' \
    --name 'TestCustomRule' \
    --match-variables 'QueryString' 'PostArgs' \
    --operator 'Contains' \
    --values 'hoge' 'fuga' \
    --transforms 'Lowercase' 'RemoveNulls'

----- Output -----
{
  "matchValues": [
    "hoge",
    "fuga"
  ],
  "matchVariables": [
    {
      "selector": null,
      "variableName": "QueryString"
    },
    {
      "selector": null,
      "variableName": "PostArgs"
    }
  ],
  "negationConditon": null,
  "operator": "Contains",
  "transforms": [
    "Lowercase",
    "RemoveNulls"
  ]
}
------------------
```
I confirmed from the Azure dashboard that it had been created.
3-2. Listing match conditions (list subcommand)
```
$ az network application-gateway waf-policy custom-rule match-condition list \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy' \
    --name 'TestCustomRule'

----- Output -----
[
  {
    "matchValues": [
      "hoge",
      "fuga"
    ],
    "matchVariables": [
      {
        "selector": null,
        "variableName": "QueryString"
      },
      {
        "selector": null,
        "variableName": "PostArgs"
      }
    ],
    "negationConditon": false,
    "operator": "Contains",
    "transforms": [
      "Lowercase",
      "RemoveNulls"
    ]
  }
]
------------------
```
3-3. Removing a match condition (remove subcommand)
```
$ az network application-gateway waf-policy custom-rule match-condition remove -h

Command
    az network application-gateway waf-policy custom-rule match-condition remove : Remove a match
    condition from an application gateway WAF policy custom rule.

Arguments
    --index [Required] : Index of the match condition to remove.

Resource Id Arguments
    --ids               : One or more resource IDs (space-delimited). It should be a complete
                          resource ID containing all information of 'Resource Id' arguments. If
                          provided, no other 'Resource Id' arguments should be specified.
    --name -n           : Name of the WAF policy rule.
    --policy-name       : The name of the application gateway WAF policy.
    --resource-group -g : Name of resource group. You can configure the default group using
                          `az configure --defaults group=<name>`.
    --subscription      : Name or ID of subscription. You can configure the default subscription
                          using `az account set -s NAME_OR_ID`.
```
```
$ az network application-gateway waf-policy custom-rule match-condition remove \
    --resource-group 'testResourceGroup' \
    --policy-name 'TestPolicy' \
    --name 'TestCustomRule' \
    --index 0
```
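As an added check (not part of the original article), the Python below audits the JSON that `waf-policy show` returns once the steps above are done: the output in section 1-2 shows the fresh policy with `"state": "Disabled"` and `"mode": "Detection"`, and the rule from 2-1 has an empty `matchConditions` list until 3-1 adds one, so a Block rule can exist on paper while blocking nothing. The sample document is constructed here to mirror those outputs.

```python
import json

# Constructed sample (not real az output): the policy from section 1-2 as it
# looks after the custom rule (2-1) and match condition (3-1) were added.
SAMPLE_POLICY = {
    "name": "TestPolicy",
    "policySettings": {"mode": "Detection", "state": "Disabled",
                       "requestBodyCheck": True},
    "customRules": [{
        "name": "TestCustomRule", "action": "Block", "priority": 50,
        "ruleType": "MatchRule",
        "matchConditions": [{
            "matchVariables": [{"selector": None, "variableName": "QueryString"},
                               {"selector": None, "variableName": "PostArgs"}],
            "operator": "Contains", "matchValues": ["hoge", "fuga"],
            "negationConditon": False,  # spelled as the CLI emits it
            "transforms": ["Lowercase", "RemoveNulls"],
        }],
    }],
}


def audit_policy(policy):
    """Return a list of findings for a policy document (dict or JSON text)
    as returned by `az network application-gateway waf-policy show`."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    settings = policy.get("policySettings") or {}
    # A newly created policy is Disabled and in Detection mode: it logs at
    # most and blocks nothing until both settings are changed.
    if settings.get("state") != "Enabled":
        findings.append("policy state is %s, not Enabled" % settings.get("state"))
    if settings.get("mode") != "Prevention":
        findings.append("policy mode is %s, not Prevention" % settings.get("mode"))
    if not settings.get("requestBodyCheck"):
        findings.append("request body inspection is off")
    for rule in policy.get("customRules") or []:
        conds = rule.get("matchConditions") or []
        # Right after `custom-rule create` a MatchRule has no conditions and
        # therefore never fires, whatever its action says.
        if rule.get("ruleType") == "MatchRule" and not conds:
            findings.append("rule %s has no match conditions" % rule.get("name"))
        for i, cond in enumerate(conds):
            if not cond.get("matchValues"):
                findings.append("rule %s condition %d has no match values"
                                % (rule.get("name"), i))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Pipe real output in with `az network application-gateway waf-policy show ... -o json` and pass the text to `audit_policy` to run the same checks against a live policy.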