CustomBlockResponse for Azure Application Gateway WAF
Related command
New-AzApplicationGatewayFirewallPolicySetting
Resource Provider
Microsoft.Compute/Network
Description of Feature or Work Requested
This feature is for Azure Application Gateway WAF. CustomBlockResponse enables customers to send a custom status code and an HTML body in case there is a WAF hit instead of the conventional 403.
We are adding two new fields under Azure Application Gateway Firewall Policy settings.
- CustomBlockResponseStatusCode - This field accepts an integer.
- CustomBlockResponseBody - This field accepts a string, which has to be converted to base64 encoding.
Note: The above two fields are optional parameters for New-AzApplicationGatewayFirewallPolicySetting
Minimum API Version Required
2022-07-01
Swagger PR link / SDK link
https://github.com/Azure/azure-rest-api-specs/pull/21113
SDK: Microsoft.Azure.Management.Network.25.0.0.nupkg
Request Example
{
  "RequestUri": "/subscriptions/f7e1a56e-347b-4103-87c7-e775a3e11ac5/resourceGroups/ps447/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/ps5517?api-version=2022-07-01",
  "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvZjdlMWE1NmUtMzQ3Yi00MTAzLTg3YzctZTc3NWEzZTExYWM1L3Jlc291cmNlR3JvdXBzL3BzNDQ3L3Byb3ZpZGVycy9NaWNyb3NvZnQuTmV0d29yay9BcHBsaWNhdGlvbkdhdGV3YXlXZWJBcHBsaWNhdGlvbkZpcmV3YWxsUG9saWNpZXMvcHM1NTE3P2FwaS12ZXJzaW9uPTIwMjItMDctMDE=",
  "RequestMethod": "GET",
  "RequestHeaders": {
    "x-ms-client-request-id": [ "aa4e44e0-70b4-469c-a293-375ad52127cf" ],
    "Accept-Language": [ "en-US" ],
    "User-Agent": [ "FxVersion/4.700.22.51102", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.22621", "Microsoft.Azure.Management.Network.NetworkManagementClient/25.0.0.0" ]
  },
  "RequestBody": "",
  "ResponseHeaders": {
    "Cache-Control": [ "no-cache" ],
    "Pragma": [ "no-cache" ],
    "ETag": [ "W/\"cab21d7b-8ee3-463c-8d26-4a2b20dfc76f\"" ],
    "x-ms-request-id": [ "d8ae6c56-c443-4cbe-a0bc-cf1c27dd45d9" ],
    "x-ms-correlation-request-id": [ "499311e7-0f21-45a4-a302-b05d822b6788" ],
    "x-ms-arm-service-request-id": [ "37131a1a-72a0-47ce-950c-c83aeec5ba20" ],
    "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
    "Server": [ "Microsoft-HTTPAPI/2.0", "Microsoft-HTTPAPI/2.0" ],
    "x-ms-ratelimit-remaining-subscription-reads": [ "11904" ],
    "x-ms-routing-request-id": [ "JIOINDIACENTRAL:20221115T062218Z:499311e7-0f21-45a4-a302-b05d822b6788" ],
    "X-Content-Type-Options": [ "nosniff" ],
    "Date": [ "Tue, 15 Nov 2022 06:22:18 GMT" ],
    "Content-Length": [ "965" ],
    "Content-Type": [ "application/json; charset=utf-8" ],
    "Expires": [ "-1" ]
  },
  "ResponseBody": "{\r\n \"name\": \"ps5517\",\r\n \"id\": \"/subscriptions/f7e1a56e-347b-4103-87c7-e775a3e11ac5/resourceGroups/ps447/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/ps5517\",\r\n \"etag\": \"W/\\\"cab21d7b-8ee3-463c-8d26-4a2b20dfc76f\\\"\",\r\n \"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\r\n \"location\": \"westus2\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"customRules\": [],\r\n \"policySettings\": {\r\n \"requestBodyCheck\": true,\r\n \"maxRequestBodySizeInKb\": 70,\r\n \"fileUploadLimitInMb\": 70,\r\n \"state\": \"Enabled\",\r\n \"mode\": \"Prevention\",\r\n \"customBlockResponseStatusCode\": 405,\r\n \"customBlockResponseBody\": \"U29ycnkhIEZvcmJpZGRlbg==\"\r\n },\r\n \"managedRules\": {\r\n \"managedRuleSets\": [\r\n {\r\n \"ruleSetType\": \"OWASP\",\r\n \"ruleSetVersion\": \"3.2\",\r\n \"ruleGroupOverrides\": []\r\n }\r\n ],\r\n \"exclusions\": []\r\n }\r\n }\r\n}",
  "StatusCode": 200
}
Target Date
2022-12-06
Additional context
No response
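A check of the two new fields against a policy document returned by the API, as an added example that is not part of the original issue or of Azure's code. The function names are hypothetical, and the sample document is the `policySettings` excerpt from the request example above.

```python
import base64
import binascii
import json

# policySettings excerpt taken from the ResponseBody in the request example above.
PAGE_POLICY = json.loads("""
{"properties": {"policySettings": {
    "state": "Enabled", "mode": "Prevention",
    "customBlockResponseStatusCode": 405,
    "customBlockResponseBody": "U29ycnkhIEZvcmJpZGRlbg=="}}}
""")


def encode_block_body(html: str) -> str:
    """Base64-encode a block page for the customBlockResponseBody field."""
    return base64.b64encode(html.encode("utf-8")).decode("ascii")


def decode_block_body(encoded: str) -> str:
    """Strictly decode the field; raise ValueError on bad base64 or non-UTF-8."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"customBlockResponseBody is not base64 text: {exc}") from exc


def audit_policy_settings(policy: dict) -> list:
    """Return findings about the custom block response of one WAF policy."""
    settings = policy.get("properties", {}).get("policySettings", {})
    code = settings.get("customBlockResponseStatusCode")
    body = settings.get("customBlockResponseBody")
    findings = []
    if code is None and body is None:
        return findings  # both fields are optional; the conventional 403 applies
    # bool is a subclass of int in Python, so reject it explicitly.
    if code is not None and (isinstance(code, bool) or not isinstance(code, int)):
        findings.append(f"status code must be an integer, got {code!r}")
    if body is not None:
        try:
            decode_block_body(body)
        except ValueError as exc:
            findings.append(str(exc))
    if settings.get("mode") != "Prevention":
        # Detection mode logs matches without blocking the request.
        findings.append("custom block response is set but mode is not Prevention")
    return findings
```

The body stored in the request example decodes to the plain text `Sorry! Forbidden`.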
Top GitHub Comments
az network application-gateway waf-policy policy-setting update --policy-name --resource-group [--add] [--file-upload-limit-in-mb] [--force-string] [--max-request-body-size-in-kb] [--mode {Detection, Prevention}] [--remove] [--request-body-check {false, true}] [--set] [--state {Disabled, Enabled}]
The above is the existing command. New fields to be added are:
- CustomBlockResponseStatusCode - This field accepts an integer.
- CustomBlockResponseBody - This field accepts a string, which has to be converted to base64 encoding.
@akshaym6 As bandwidth is limited, we planned this feature in the next sprint (will be released around Feb 2023).