Policies - Create Or Update
Create or update policy with specified rule set name within a resource group.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{policyName}?api-version=2025-10-01
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| policyName | path | True | string, maxLength: 128 | The name of the Web Application Firewall Policy. |
| resourceGroupName | path | True | string, minLength: 1, maxLength: 80, pattern: `^[a-zA-Z0-9_\-\(\)\.]*[^\.]$` | Name of the Resource group within the Azure subscription. |
| subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| api-version | query | True | string | Client API version. |
Request Body
| Name | Type | Description |
|---|---|---|
| etag | string | Gets a unique read-only string that changes whenever the resource is updated. |
| location | string | Resource location. |
| properties.customRules | | Describes custom rules inside the policy. |
| properties.managedRules | | Describes managed rules inside the policy. |
| properties.policySettings | | Describes settings for the policy. |
| sku | | The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. |
| tags | object | Resource tags. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | OK. The request has succeeded. |
| 201 Created | | Created. The request has been fulfilled and a new protection policy has been created. |
| 202 Accepted | | Accepted. The request has been accepted for processing and the operation will complete asynchronously. |
| Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Creates specific policy
Sample request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1?api-version=2025-10-01
{
"location": "WestUs",
"properties": {
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": "http://www.bing.com",
"customBlockResponseStatusCode": 429,
"customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
"requestBodyCheck": "Disabled",
"javascriptChallengeExpirationInMinutes": 30,
"captchaExpirationInMinutes": 30,
"logScrubbing": {
"state": "Enabled",
"scrubbingRules": [
{
"matchVariable": "RequestIPAddress",
"selectorMatchOperator": "EqualsAny",
"selector": null,
"state": "Enabled"
}
]
}
},
"customRules": {
"rules": [
{
"name": "Rule1",
"priority": 1,
"ruleType": "RateLimitRule",
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"operator": "IPMatch",
"matchValue": [
"192.168.1.0/24",
"10.0.0.0/24"
]
}
],
"action": "Block"
},
{
"name": "Rule2",
"priority": 2,
"ruleType": "MatchRule",
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"operator": "GeoMatch",
"matchValue": [
"CH"
]
},
{
"matchVariable": "RequestHeader",
"operator": "Contains",
"selector": "UserAgent",
"matchValue": [
"windows"
],
"transforms": [
"Lowercase"
]
}
],
"action": "Block"
},
{
"name": "Rule3",
"priority": 1,
"ruleType": "RateLimitRule",
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"operator": "ServiceTagMatch",
"matchValue": [
"AzureBackup",
"AzureBotService"
]
}
],
"action": "CAPTCHA"
}
]
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "DefaultRuleSet",
"ruleSetVersion": "1.0",
"ruleSetAction": "Block",
"exclusions": [
{
"matchVariable": "RequestHeaderNames",
"selectorMatchOperator": "Equals",
"selector": "User-Agent"
}
],
"ruleGroupOverrides": [
{
"ruleGroupName": "SQLI",
"exclusions": [
{
"matchVariable": "RequestCookieNames",
"selectorMatchOperator": "StartsWith",
"selector": "token"
}
],
"rules": [
{
"ruleId": "942100",
"enabledState": "Enabled",
"action": "Redirect",
"exclusions": [
{
"matchVariable": "QueryStringArgNames",
"selectorMatchOperator": "Equals",
"selector": "query"
}
]
},
{
"ruleId": "942110",
"enabledState": "Disabled"
}
]
}
]
},
{
"ruleSetType": "Microsoft_HTTPDDoSRuleSet",
"ruleSetVersion": "1.0",
"ruleGroupOverrides": [
{
"ruleGroupName": "ExcessiveRequests",
"rules": [
{
"ruleId": "500100",
"enabledState": "Enabled",
"action": "Block",
"sensitivity": "High"
}
]
}
]
}
]
}
},
"sku": {
"name": "Premium_AzureFrontDoor"
}
}
Sample response
{
"name": "Policy1",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"tags": {
"key1": "value1",
"key2": "value2"
},
"location": "WestUs",
"properties": {
"resourceState": "Enabled",
"provisioningState": "Succeeded",
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": "http://www.bing.com",
"customBlockResponseStatusCode": 429,
"customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
"requestBodyCheck": "Disabled",
"javascriptChallengeExpirationInMinutes": 30,
"logScrubbing": {
"state": "Enabled",
"scrubbingRules": [
{
"matchVariable": "RequestIPAddress",
"selectorMatchOperator": "EqualsAny",
"selector": null,
"state": "Enabled"
}
]
}
},
"customRules": {
"rules": [
{
"name": "Rule1",
"priority": 1,
"enabledState": "Enabled",
"ruleType": "RateLimitRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "IPMatch",
"negateCondition": false,
"matchValue": [
"192.168.1.0/24",
"10.0.0.0/24"
],
"transforms": []
}
],
"action": "Block"
},
{
"name": "Rule2",
"priority": 2,
"enabledState": "Enabled",
"ruleType": "MatchRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 0,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "GeoMatch",
"negateCondition": false,
"matchValue": [
"CH"
]
},
{
"matchVariable": "RequestHeader",
"selector": "UserAgent",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"windows"
],
"transforms": [
"Lowercase"
]
}
],
"action": "Block"
},
{
"name": "rule3",
"enabledState": null,
"priority": 1,
"ruleType": "RateLimitRule",
"rateLimitDurationInMinutes": null,
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "ServiceTagMatch",
"negateCondition": false,
"matchValue": [
"AzureBackup",
"AzureBotService"
],
"transforms": []
}
],
"action": "CAPTCHA"
}
]
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "DefaultRuleSet",
"ruleSetVersion": "1.0",
"ruleSetAction": "Block",
"exclusions": [
{
"matchVariable": "RequestHeaderNames",
"selectorMatchOperator": "Equals",
"selector": "User-Agent"
}
],
"ruleGroupOverrides": [
{
"ruleGroupName": "SQLI",
"exclusions": [
{
"matchVariable": "RequestCookieNames",
"selectorMatchOperator": "StartsWith",
"selector": "token"
}
],
"rules": [
{
"ruleId": "942100",
"enabledState": "Enabled",
"action": "Redirect",
"exclusions": [
{
"matchVariable": "QueryStringArgNames",
"selectorMatchOperator": "Equals",
"selector": "query"
}
]
},
{
"ruleId": "942110",
"enabledState": "Disabled"
}
]
}
]
},
{
"ruleSetType": "Microsoft_HTTPDDoSRuleSet",
"ruleSetVersion": "1.0",
"ruleGroupOverrides": [
{
"ruleGroupName": "ExcessiveRequests",
"rules": [
{
"ruleId": "500100",
"enabledState": "Enabled",
"action": "Block",
"sensitivity": "High"
}
]
}
]
}
]
},
"frontendEndpointLinks": [],
"securityPolicyLinks": []
},
"sku": {
"name": "Premium_AzureFrontDoor"
}
}
{
"name": "Policy1",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"tags": {
"key1": "value1",
"key2": "value2"
},
"location": "WestUs",
"properties": {
"resourceState": "Enabled",
"provisioningState": "Succeeded",
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": "http://www.bing.com",
"customBlockResponseStatusCode": 429,
"customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
"requestBodyCheck": "Disabled",
"logScrubbing": {
"state": "Enabled",
"scrubbingRules": [
{
"matchVariable": "RequestIPAddress",
"selectorMatchOperator": "EqualsAny",
"selector": null,
"state": "Enabled"
}
]
}
},
"customRules": {
"rules": [
{
"name": "Rule1",
"priority": 1,
"enabledState": "Enabled",
"ruleType": "RateLimitRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "IPMatch",
"negateCondition": false,
"matchValue": [
"192.168.1.0/24",
"10.0.0.0/24"
],
"transforms": []
}
],
"action": "Block"
},
{
"name": "Rule2",
"priority": 2,
"enabledState": "Enabled",
"ruleType": "MatchRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 0,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "GeoMatch",
"negateCondition": false,
"matchValue": [
"CH"
]
},
{
"matchVariable": "RequestHeader",
"selector": "UserAgent",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"windows"
],
"transforms": [
"Lowercase"
]
}
],
"action": "Block"
}
]
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "DefaultRuleSet",
"ruleSetVersion": "1.0",
"exclusions": [
{
"matchVariable": "RequestHeaderNames",
"selectorMatchOperator": "Equals",
"selector": "User-Agent"
}
],
"ruleGroupOverrides": [
{
"ruleGroupName": "SQLI",
"exclusions": [
{
"matchVariable": "RequestCookieNames",
"selectorMatchOperator": "StartsWith",
"selector": "token"
}
],
"rules": [
{
"ruleId": "942100",
"enabledState": "Enabled",
"action": "Redirect",
"exclusions": [
{
"matchVariable": "QueryStringArgNames",
"selectorMatchOperator": "Equals",
"selector": "query"
}
]
},
{
"ruleId": "942110",
"enabledState": "Disabled"
}
]
}
]
}
]
},
"frontendEndpointLinks": [],
"securityPolicyLinks": []
},
"sku": {
"name": "Classic_AzureFrontDoor"
}
}
{
"name": "Policy1",
"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/Policy1",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"tags": {
"key1": "value1",
"key2": "value2"
},
"location": "WestUs",
"properties": {
"resourceState": "Enabled",
"provisioningState": "Succeeded",
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": "http://www.bing.com",
"customBlockResponseStatusCode": 429,
"customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==",
"requestBodyCheck": "Disabled",
"logScrubbing": {
"state": "Enabled",
"scrubbingRules": [
{
"matchVariable": "RequestIPAddress",
"selectorMatchOperator": "EqualsAny",
"selector": null,
"state": "Enabled"
}
]
}
},
"customRules": {
"rules": [
{
"name": "Rule1",
"priority": 1,
"enabledState": "Enabled",
"ruleType": "RateLimitRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 1000,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "IPMatch",
"negateCondition": false,
"matchValue": [
"192.168.1.0/24",
"10.0.0.0/24"
],
"transforms": []
}
],
"action": "Block"
},
{
"name": "Rule2",
"priority": 2,
"enabledState": "Enabled",
"ruleType": "MatchRule",
"rateLimitDurationInMinutes": 0,
"rateLimitThreshold": 0,
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"selector": null,
"operator": "GeoMatch",
"negateCondition": false,
"matchValue": [
"CH"
]
},
{
"matchVariable": "RequestHeader",
"selector": "UserAgent",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"windows"
],
"transforms": [
"Lowercase"
]
}
],
"action": "Block"
}
]
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "DefaultRuleSet",
"ruleSetVersion": "1.0",
"ruleSetAction": "Block",
"exclusions": [
{
"matchVariable": "RequestHeaderNames",
"selectorMatchOperator": "Equals",
"selector": "User-Agent"
}
],
"ruleGroupOverrides": [
{
"ruleGroupName": "SQLI",
"exclusions": [
{
"matchVariable": "RequestCookieNames",
"selectorMatchOperator": "StartsWith",
"selector": "token"
}
],
"rules": [
{
"ruleId": "942100",
"enabledState": "Enabled",
"action": "Redirect",
"exclusions": [
{
"matchVariable": "QueryStringArgNames",
"selectorMatchOperator": "Equals",
"selector": "query"
}
]
},
{
"ruleId": "942110",
"enabledState": "Disabled"
}
]
}
]
},
{
"ruleSetType": "Microsoft_HTTPDDoSRuleSet",
"ruleSetVersion": "1.0",
"ruleGroupOverrides": [
{
"ruleGroupName": "ExcessiveRequests",
"rules": [
{
"ruleId": "500100",
"enabledState": "Enabled",
"action": "Block",
"sensitivity": "High"
}
]
}
]
}
]
},
"frontendEndpointLinks": [],
"securityPolicyLinks": []
},
"sku": {
"name": "Premium_AzureFrontDoor"
}
}
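A pre-submission check for a request body like the sample above, added here as an illustration; it is not part of the Azure REST reference or of any Microsoft tooling. The enum values, ranges and defaults are the ones documented on this page, while `lint_policy`, its finding strings and `SAMPLE` (a trimmed, constructed copy of the sample request) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Enum values, limits and the base64 pattern are copied from the tables on this page.
ACTIONS = {"Allow", "Block", "Log", "Redirect", "AnomalyScoring", "JSChallenge", "CAPTCHA"}
B64 = re.compile(r"^(?:[A-Za-z0-9+/]{4})*"
                 r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")


def lint_policy(body):
    """Return sorted (path, finding) pairs for a Create Or Update request body (a dict)."""
    out = []
    props = body.get("properties", {})
    ps = props.get("policySettings", {})
    sku = body.get("sku", {}).get("name", "Classic_AzureFrontDoor")  # documented default

    if ps.get("enabledState") == "Disabled":
        out.append(("policySettings.enabledState", "policy is disabled"))
    if ps.get("mode") == "Detection":
        out.append(("policySettings.mode", "Detection mode, not Prevention"))
    if ps.get("requestBodyCheck") == "Disabled":
        out.append(("policySettings.requestBodyCheck", "managed rules skip request bodies"))
    if urlparse(ps.get("redirectUrl") or "").scheme == "http":
        out.append(("policySettings.redirectUrl", "redirect target is plain http"))
    blob = ps.get("customBlockResponseBody")
    if blob is not None and not B64.match(blob):
        out.append(("policySettings.customBlockResponseBody", "not valid base64"))
    for key in ("captchaExpirationInMinutes", "javascriptChallengeExpirationInMinutes"):
        if key in ps and not 5 <= ps[key] <= 1440:
            out.append((f"policySettings.{key}", "outside 5..1440"))
        if key in ps and sku != "Premium_AzureFrontDoor":
            out.append((f"policySettings.{key}", f"not applicable to sku {sku}"))

    seen = {}  # priority -> name of the first rule that used it
    for rule in props.get("customRules", {}).get("rules", []):
        path = f"customRules.{rule.get('name')}"
        if rule.get("action") not in ACTIONS:
            out.append((path, f"unknown action {rule.get('action')!r}"))
        dur = rule.get("rateLimitDurationInMinutes")
        if dur is not None and not 0 <= dur <= 5:
            out.append((path, "rateLimitDurationInMinutes outside 0..5"))
        # Lower values are evaluated first; the page does not say how ties are ordered.
        prio = rule.get("priority")
        if prio in seen:
            out.append((path, f"priority {prio} also used by {seen[prio]}"))
        seen.setdefault(prio, rule.get("name"))

    for rs in props.get("managedRules", {}).get("managedRuleSets", []):
        base = f"managedRules.{rs.get('ruleSetType')}"
        for ex in rs.get("exclusions", []):
            out.append((base, "set-wide exclusion: " + " ".join(
                str(ex.get(k)) for k in ("matchVariable", "selectorMatchOperator", "selector"))))
        for grp in rs.get("ruleGroupOverrides", []):
            for ov in grp.get("rules", []):
                # ManagedRuleOverride.enabledState defaults to Disabled when omitted.
                if ov.get("enabledState", "Disabled") == "Disabled":
                    out.append((f"{base}.{grp.get('ruleGroupName')}.{ov.get('ruleId')}",
                                "managed rule disabled by override"))
    return sorted(out)


# Constructed sample: a trimmed copy of this page's sample request body.
SAMPLE = {
    "sku": {"name": "Premium_AzureFrontDoor"},
    "properties": {
        "policySettings": {"mode": "Prevention", "redirectUrl": "http://www.bing.com",
                           "requestBodyCheck": "Disabled", "captchaExpirationInMinutes": 30},
        "customRules": {"rules": [
            {"name": "Rule1", "priority": 1, "ruleType": "RateLimitRule", "action": "Block"},
            {"name": "Rule3", "priority": 1, "ruleType": "RateLimitRule", "action": "CAPTCHA"}]},
        "managedRules": {"managedRuleSets": [{
            "ruleSetType": "DefaultRuleSet",
            "exclusions": [{"matchVariable": "RequestHeaderNames",
                            "selectorMatchOperator": "Equals", "selector": "User-Agent"}],
            "ruleGroupOverrides": [{"ruleGroupName": "SQLI", "rules": [
                {"ruleId": "942100", "enabledState": "Enabled", "action": "Redirect"},
                {"ruleId": "942110", "enabledState": "Disabled"}]}]}]},
    },
}

if __name__ == "__main__":
    for path, finding in lint_policy(SAMPLE):
        print(f"{path}: {finding}")
```

An override entry that names a `ruleId` but leaves out `enabledState` is reported as disabled, because that is the default the ManagedRuleOverride table gives.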
Definitions
| Name | Description |
|---|---|
| scrubbingRuleEntryMatchOperator | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. |
| scrubbingRuleEntryState | Defines the state of a log scrubbing rule. Default value is enabled. |
| ActionType | Defines the action to take on rule match. |
| CustomRule | Defines contents of a web application rule |
| CustomRuleEnabledState | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. |
| CustomRuleList | Defines contents of custom rules |
| ErrorResponse | Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message. |
| FrontendEndpointLink | Defines the Resource ID for a Frontend Endpoint. |
| GroupByVariable | Describes the variables available to group the rate limit requests |
| ManagedRuleEnabledState | Describes if the managed rule is in enabled or disabled state. |
| ManagedRuleExclusion | Exclude variables from managed rule evaluation. |
| ManagedRuleExclusionMatchVariable | The variable type to be excluded. |
| ManagedRuleExclusionSelectorMatchOperator | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. |
| ManagedRuleGroupOverride | Defines a managed rule group override setting. |
| ManagedRuleOverride | Defines a managed rule group override setting. |
| ManagedRuleSet | Defines a managed rule set. |
| ManagedRuleSetActionType | Defines the action to take when a managed rule set score threshold is met. |
| ManagedRuleSetList | Defines the list of managed rule sets for the policy. |
| MatchCondition | Define a match condition. |
| MatchVariable | Request variable to compare with. |
| Operator | Comparison type to use for matching with the variable value. |
| PolicyEnabledState | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. |
| PolicyMode | Describes if it is in detection mode or prevention mode at policy level. |
| PolicyRequestBodyCheck | Describes if policy managed rules will inspect the request body content. |
| PolicyResourceState | Resource status of the policy. |
| PolicySettings | Defines top-level WebApplicationFirewallPolicy configuration settings. |
| RoutingRuleLink | Defines the Resource ID for a Routing Rule. |
| RuleType | Describes type of rule. |
| scrubbingRuleEntryMatchVariable | The variable to be scrubbed from the logs. |
| SecurityPolicyLink | Defines the Resource ID for a Security Policy. |
| SensitivityType | Defines the sensitivity for the rule. |
| Sku | The pricing tier of the web application firewall policy. |
| SkuName | Name of the pricing tier. |
| TransformType | Describes what transforms applied before matching. |
| VariableName | Describes the supported variable for group by |
| WebApplicationFirewallPolicy | Defines web application firewall policy. |
| WebApplicationFirewallScrubbingRules | Defines the contents of the log scrubbing rules. |
| WebApplicationFirewallScrubbingState | State of the log scrubbing config. Default value is Enabled. |
scrubbingRuleEntryMatchOperator
When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.
| Value | Description |
|---|---|
| EqualsAny | |
| Equals | |
scrubbingRuleEntryState
Defines the state of a log scrubbing rule. Default value is enabled.
| Value | Description |
|---|---|
| Enabled | |
| Disabled | |
ActionType
Defines the action to take on rule match.
| Value | Description |
|---|---|
| Allow | |
| Block | |
| Log | |
| Redirect | |
| AnomalyScoring | |
| JSChallenge | |
| CAPTCHA | |
CustomRule
Defines contents of a web application rule
| Name | Type | Description |
|---|---|---|
| action | | Describes what action to be applied when rule matches. |
| enabledState | | Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified. |
| groupBy | | Describes the list of variables to group the rate limit requests |
| matchConditions | | List of match conditions. |
| name | string, maxLength: 128 | Describes the name of the rule. |
| priority | integer | Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value. |
| rateLimitDurationInMinutes | integer, minimum: 0, maximum: 5 | Time window for resetting the rate limit count. Default is 1 minute. |
| rateLimitThreshold | integer, minimum: 0 | Number of allowed requests per client within the time window. |
| ruleType | | Describes type of rule. |
CustomRuleEnabledState
Describes if the custom rule is in enabled or disabled state. Defaults to Enabled if not specified.
| Value | Description |
|---|---|
| Disabled | |
| Enabled | |
CustomRuleList
Defines contents of custom rules
| Name | Type | Description |
|---|---|---|
| rules | | List of rules |
ErrorResponse
Error response indicates Front Door service is not able to process the incoming request. The reason is provided in the error message.
| Name | Type | Description |
|---|---|---|
| code | string | Error code. |
| message | string | Error message indicating why the operation failed. |
FrontendEndpointLink
Defines the Resource ID for a Frontend Endpoint.
| Name | Type | Description |
|---|---|---|
| id | string | Resource ID. |
GroupByVariable
Describes the variables available to group the rate limit requests
| Name | Type | Description |
|---|---|---|
| variableName | | Describes the supported variable for group by |
ManagedRuleEnabledState
Describes if the managed rule is in enabled or disabled state.
| Value | Description |
|---|---|
| Disabled | |
| Enabled | |
ManagedRuleExclusion
Exclude variables from managed rule evaluation.
| Name | Type | Description |
|---|---|---|
| matchVariable | | The variable type to be excluded. |
| selector | string | Selector value for which elements in the collection this exclusion applies to. |
| selectorMatchOperator | | Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to. |
ManagedRuleExclusionMatchVariable
The variable type to be excluded.
| Value | Description |
|---|---|
| RequestHeaderNames | |
| RequestCookieNames | |
| QueryStringArgNames | |
| RequestBodyPostArgNames | |
| RequestBodyJsonArgNames | |
ManagedRuleExclusionSelectorMatchOperator
Comparison operator to apply to the selector when specifying which elements in the collection this exclusion applies to.
| Value | Description |
|---|---|
| Equals | |
| Contains | |
| StartsWith | |
| EndsWith | |
| EqualsAny | |
ManagedRuleGroupOverride
Defines a managed rule group override setting.
| Name | Type | Description |
|---|---|---|
| exclusions | | Describes the exclusions that are applied to all rules in the group. |
| ruleGroupName | string | Describes the managed rule group to override. |
| rules | | List of rules that will be disabled. If none specified, all rules in the group will be disabled. |
ManagedRuleOverride
Defines a managed rule group override setting.
| Name | Type | Description |
|---|---|---|
| action | | Describes the override action to be applied when rule matches. |
| enabledState | | Describes if the managed rule is in enabled or disabled state. Defaults to Disabled if not specified. |
| exclusions | | Describes the exclusions that are applied to this specific rule. |
| ruleId | string | Identifier for the managed rule. |
| sensitivity | | Describes the override sensitivity to be applied when rule matches. |
ManagedRuleSet
Defines a managed rule set.
| Name | Type | Description |
|---|---|---|
| exclusions | | Describes the exclusions that are applied to all rules in the set. |
| ruleGroupOverrides | | Defines the rule group overrides to apply to the rule set. |
| ruleSetAction | | ruleSetAction |
| ruleSetType | string | Defines the rule set type to use. |
| ruleSetVersion | string | Defines the version of the rule set to use. |
ManagedRuleSetActionType
Defines the action to take when a managed rule set score threshold is met.
| Value | Description |
|---|---|
| Block | |
| Log | |
| Redirect | |
ManagedRuleSetList
Defines the list of managed rule sets for the policy.
| Name | Type | Description |
|---|---|---|
| managedRuleSets | | List of rule sets. |
MatchCondition
Define a match condition.
| Name | Type | Description |
|---|---|---|
| matchValue | string[] | List of possible match values. |
| matchVariable | | Request variable to compare with. |
| negateCondition | boolean | Describes if the result of this condition should be negated. |
| operator | | Comparison type to use for matching with the variable value. |
| selector | string | Match against a specific key from the QueryString, PostArgs, RequestHeader or Cookies variables. Default is null. |
| transforms | | List of transforms. |
MatchVariable
Request variable to compare with.
| Value | Description |
|---|---|
| RemoteAddr | |
| RequestMethod | |
| QueryString | |
| PostArgs | |
| RequestUri | |
| RequestHeader | |
| RequestBody | |
| Cookies | |
| SocketAddr | |
Operator
Comparison type to use for matching with the variable value.
| Value | Description |
|---|---|
| Any | |
| IPMatch | |
| GeoMatch | |
| Equal | |
| Contains | |
| LessThan | |
| GreaterThan | |
| LessThanOrEqual | |
| GreaterThanOrEqual | |
| BeginsWith | |
| EndsWith | |
| RegEx | |
| ServiceTagMatch | |
PolicyEnabledState
Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified.
| Value | Description |
|---|---|
| Disabled | |
| Enabled | |
PolicyMode
Describes if it is in detection mode or prevention mode at policy level.
| Value | Description |
|---|---|
| Prevention | |
| Detection | |
PolicyRequestBodyCheck
Describes if policy managed rules will inspect the request body content.
| Value | Description |
|---|---|
| Disabled | |
| Enabled | |
PolicyResourceState
Resource status of the policy.
| Value | Description |
|---|---|
| Creating | |
| Enabling | |
| Enabled | |
| Disabling | |
| Disabled | |
| Deleting | |
PolicySettings
Defines top-level WebApplicationFirewallPolicy configuration settings.
| Name | Type | Description |
|---|---|---|
| captchaExpirationInMinutes | integer (int32), minimum: 5, maximum: 1440 | Defines the Captcha cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. |
| customBlockResponseBody | string, pattern: `^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==\|[A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{4})$` | If the action type is block, customer can override the response body. The body must be specified in base64 encoding. |
| customBlockResponseStatusCode | integer | If the action type is block, customer can override the response status code. |
| enabledState | | Describes if the policy is in enabled or disabled state. Defaults to Enabled if not specified. |
| javascriptChallengeExpirationInMinutes | integer (int32), minimum: 5, maximum: 1440 | Defines the JavaScript challenge cookie validity lifetime in minutes. This setting is only applicable to Premium_AzureFrontDoor. Value must be an integer between 5 and 1440 with the default value being 30. |
| logScrubbing.scrubbingRules | | List of log scrubbing rules applied to the Web Application Firewall logs. |
| logScrubbing.state | | State of the log scrubbing config. Default value is Enabled. |
| mode | | Describes if it is in detection mode or prevention mode at policy level. |
| redirectUrl | string | If action type is redirect, this field represents redirect URL for the client. |
| requestBodyCheck | | Describes if policy managed rules will inspect the request body content. |
RoutingRuleLink
Defines the Resource ID for a Routing Rule.
| Name | Type | Description |
|---|---|---|
| id | string | Resource ID. |
RuleType
Describes type of rule.
| Value | Description |
|---|---|
| MatchRule | |
| RateLimitRule | |
scrubbingRuleEntryMatchVariable
The variable to be scrubbed from the logs.
| Value | Description |
|---|---|
| RequestIPAddress | |
| RequestUri | |
| QueryStringArgNames | |
| RequestHeaderNames | |
| RequestCookieNames | |
| RequestBodyPostArgNames | |
| RequestBodyJsonArgNames | |
SecurityPolicyLink
Defines the Resource ID for a Security Policy.
| Name | Type | Description |
|---|---|---|
| id | string | Resource ID. |
SensitivityType
Defines the sensitivity for the rule.
| Value | Description |
|---|---|
| Low | Low Sensitivity - triggers the rule by larger spikes in traffic |
| Medium | Medium Sensitivity - triggers the rule by moderate spikes in traffic |
| High | High Sensitivity - triggers the rule by smaller spikes in traffic |
Sku
The pricing tier of the web application firewall policy.
| Name | Type | Description |
|---|---|---|
| name | | Name of the pricing tier. |
SkuName
Name of the pricing tier.
| Value | Description |
|---|---|
| Classic_AzureFrontDoor | |
| Standard_AzureFrontDoor | |
| Premium_AzureFrontDoor | |
TransformType
Describes what transforms applied before matching.
| Value | Description |
|---|---|
| Lowercase | |
| Uppercase | |
| Trim | |
| UrlDecode | |
| UrlEncode | |
| RemoveNulls | |
VariableName
Describes the supported variable for group by
| Value | Description |
|---|---|
| SocketAddr | |
| GeoLocation | |
| None | |
WebApplicationFirewallPolicy
Defines web application firewall policy.
| Name | Type | Description |
|---|---|---|
| etag | string | Gets a unique read-only string that changes whenever the resource is updated. |
| id | string | Resource ID. |
| location | string | Resource location. |
| name | string | Resource name. |
| properties.customRules | | Describes custom rules inside the policy. |
| properties.frontendEndpointLinks | | Describes Frontend Endpoints associated with this Web Application Firewall policy. |
| properties.managedRules | | Describes managed rules inside the policy. |
| properties.policySettings | | Describes settings for the policy. |
| properties.provisioningState | string | Provisioning state of the policy. |
| properties.resourceState | | Resource status of the policy. |
| properties.routingRuleLinks | | Describes Routing Rules associated with this Web Application Firewall policy. |
| properties.securityPolicyLinks | | Describes Security Policy associated with this Web Application Firewall policy. |
| sku | | The pricing tier of web application firewall policy. Defaults to Classic_AzureFrontDoor if not specified. |
| tags | object | Resource tags. |
| type | string | Resource type. |
WebApplicationFirewallScrubbingRules
Defines the contents of the log scrubbing rules.
| Name | Type | Description |
|---|---|---|
| matchVariable | | The variable to be scrubbed from the logs. |
| selector | string | When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to. |
| selectorMatchOperator | | When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to. |
| state | | Defines the state of a log scrubbing rule. Default value is enabled. |
WebApplicationFirewallScrubbingState
State of the log scrubbing config. Default value is Enabled.
| Value | Description |
|---|---|
| Enabled | |
| Disabled | |