yonzhan
commented
5 months ago Thank you for opening this issue, we will look into it.
Open alonzop opened 5 months ago
yonzhan
commented
5 months ago Thank you for opening this issue, we will look into it.
Describe the bug
bug is captured here - https://portal.microsofticm.com/imp/v3/incidents/details/508049772/home
az network application-gateway waf-policy managed-rule rule-set update: 'Microsoft_DefaultRuleSet' is not a valid value for '--type'. Allowed values: Microsoft_BotManagerRuleSet, OWASP.
Did you mean 'Microsoft_BotManagerRuleSet' ?
Azure CLi does not work when specifying the --type as OWASP
eric [ ~ ]$ az network application-gateway waf-policy managed-rule rule-set update --policy-name testing --resource-group L200 --type OWASP --version 2.1
(ApplicationGatewayFirewallUnknownRuleSetVersion) RuleSetVersion '2.1' is unsupported for specified RuleSetType 'OWASP' for Application Gateway Firewall in context '/subscriptions/70f364fa-1437-4028-bfc6-56a6ed091302/resourceGroups/L200/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testing'.
Code: ApplicationGatewayFirewallUnknownRuleSetVersion
Message: RuleSetVersion '2.1' is unsupported for specified RuleSetType 'OWASP' for Application Gateway Firewall in context '/subscriptions/70f364fa-1437-4028-bfc6-56a6ed091302/resourceGroups/L200/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testing'.
However, the following works in PowerShell:
$firewallPolicy = Get-AzApplicationGatewayFirewallPolicy -ResourceGroupName l200 -Name testing
$ruleSetVersion = "2.1"
$ruleSetType = "Microsoft_DefaultRuleSet"
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType $ruleSetType -RuleSetVersion $ruleSetVersion
$managedrule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
Set-AzApplicationGatewayFirewallPolicy -Name $firewallPolicy.Name -ResourceGroupName $firewallPolicy.ResourceGroupName -ManagedRule $managedrule
This appears to be a bug in CLI when PowerShell and Azure Portal support the same functionalities.
Related command
az network application-gateway waf-policy managed-rule rule-set update: 'Microsoft_DefaultRuleSet' is not a valid value for '--type'. Allowed values: Microsoft_BotManagerRuleSet, OWASP.
Errors
(ApplicationGatewayFirewallUnknownRuleSetVersion) RuleSetVersion '2.1' is unsupported for specified RuleSetType 'OWASP' for Application Gateway Firewall in context '/subscriptions/70f364fa-1437-4028-bfc6-56a6ed091302/resourceGroups/L200/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testing'.
Code: ApplicationGatewayFirewallUnknownRuleSetVersion
Message: RuleSetVersion '2.1' is unsupported for specified RuleSetType 'OWASP' for Application Gateway Firewall in context '/subscriptions/70f364fa-1437-4028-bfc6-56a6ed091302/resourceGroups/L200/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testing'.
Issue script & Debug output
n/a
Expected behavior
RuleSetType should support Microsoft_DefaultRuleSet RuleSetVersion should support 2.1
same as az network application-gateway waf-policy create,
even the documentation needs to be updated - from https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set?view=azure-cli-latest#az-network-application-gateway-waf-policy-managed-rule-rule-set-update
az network application-gateway waf-policy managed-rule rule-set update --policy-name --resource-group --type {Microsoft_BotManagerRuleSet, OWASP} --version {0.1, 1.0, 2.1, 2.2.9, 3.0, 3.1, 3.2} [--group-name] [--rule]
Environment Summary
latest z cli
Additional context
looks like it was added to https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy?view=azure-cli-latest#az-network-application-gateway-waf-policy-create but missed the update