@@ -2717,6 +2717,171 @@ function Test-ApplicationGatewayWithFirewallPolicy
27172717 }
27182718}
27192719
2720+ <#
2721+ . SYNOPSIS
2722+ Application gateway v2 top level waf tests
2723+ #>
2724+ function Test-ApplicationGatewayFirewallPolicyExclusions
2725+ {
2726+ # Setup
2727+ $location = Get-ProviderLocation " Microsoft.Network/applicationGateways" " West US 2"
2728+
2729+ $rgname = Get-ResourceGroupName
2730+ $wafPolicy = Get-ResourceName
2731+
2732+ try
2733+ {
2734+ $resourceGroup = New-AzResourceGroup - Name $rgname - Location $location - Tags @ { testtag = " APPGw tag"
2735+
2736+ # WAF Policy and Custom Rule
2737+ $variable = New-AzApplicationGatewayFirewallMatchVariable - VariableName RequestHeaders - Selector Content- Length
2738+ $condition = New-AzApplicationGatewayFirewallCondition - MatchVariable $variable - Operator GreaterThan - MatchValue 1000 - Transform Lowercase - NegationCondition $False
2739+ $rule = New-AzApplicationGatewayFirewallCustomRule - Name example - Priority 2 - RuleType MatchRule - MatchCondition $condition - Action Block
2740+ $policySettings = New-AzApplicationGatewayFirewallPolicySetting - Mode Prevention - State Enabled - MaxFileUploadInMb 70 - MaxRequestBodySizeInKb 70
2741+ $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet - RuleSetType " OWASP" - RuleSetVersion " 3.2"
2742+ $managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule - ManagedRuleSet $managedRuleSet
2743+ New-AzApplicationGatewayFirewallPolicy - Name $wafPolicy - ResourceGroupName $rgname - Location $location - ManagedRule $managedRule - PolicySetting $policySettings
2744+
2745+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicy - ResourceGroupName $rgname
2746+ $policy.CustomRules = $rule
2747+ Set-AzApplicationGatewayFirewallPolicy - InputObject $policy
2748+
2749+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicy - ResourceGroupName $rgname
2750+
2751+ # Second check firewll policy
2752+ Assert-AreEqual $policy.CustomRules [0 ].Name $rule.Name
2753+ Assert-AreEqual $policy.CustomRules [0 ].RuleType $rule.RuleType
2754+ Assert-AreEqual $policy.CustomRules [0 ].Action $rule.Action
2755+ Assert-AreEqual $policy.CustomRules [0 ].Priority $rule.Priority
2756+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].OperatorProperty $rule.MatchConditions [0 ].OperatorProperty
2757+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].Transforms[0 ] $rule.MatchConditions [0 ].Transforms[0 ]
2758+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].NegationConditon $rule.MatchConditions [0 ].NegationConditon
2759+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].MatchValues[0 ] $rule.MatchConditions [0 ].MatchValues[0 ]
2760+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].MatchVariables[0 ].VariableName $rule.MatchConditions [0 ].MatchVariables[0 ].VariableName
2761+ Assert-AreEqual $policy.CustomRules [0 ].MatchConditions[0 ].MatchVariables[0 ].Selector $rule.MatchConditions [0 ].MatchVariables[0 ].Selector
2762+ Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
2763+ Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
2764+ Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
2765+ Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
2766+ Assert-AreEqual $policy.PolicySettings.State $policySettings.State
2767+
2768+ # Add Exclusions and disabled rules to the firewall policy
2769+ $exclusionEntry1 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestArgNames - SelectorMatchOperator Contains - Selector Bingo
2770+ $exclusionEntry2 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestArgValues - SelectorMatchOperator Contains - Selector Bingo
2771+ $exclusionEntry3 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestArgKeys - SelectorMatchOperator Contains - Selector Bingo
2772+ $exclusionEntry4 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestHeaderNames - SelectorMatchOperator Contains - Selector Bingo
2773+ $exclusionEntry5 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestHeaderValues - SelectorMatchOperator Contains - Selector Bingo
2774+ $exclusionEntry6 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestHeaderKeys - SelectorMatchOperator Contains - Selector Bingo
2775+ $exclusionEntry7 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestCookieNames - SelectorMatchOperator Contains - Selector Bingo
2776+ $exclusionEntry8 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestCookieValues - SelectorMatchOperator Contains - Selector Bingo
2777+ $exclusionEntry9 = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestCookieKeys - SelectorMatchOperator Contains - Selector Bingo
2778+
2779+ $ruleOverrideEntry1 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride - RuleId 942100
2780+ $ruleOverrideEntry2 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride - RuleId 942110
2781+ $sqlRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride - RuleGroupName REQUEST-942 - APPLICATION- ATTACK- SQLI - Rule $ruleOverrideEntry1 , $ruleOverrideEntry2
2782+
2783+ $ruleOverrideEntry3 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride - RuleId 941100
2784+ $xssRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride - RuleGroupName REQUEST-941 - APPLICATION- ATTACK- XSS - Rule $ruleOverrideEntry3
2785+
2786+ $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet - RuleSetType " OWASP" - RuleSetVersion " 3.2" - RuleGroupOverride $sqlRuleGroupOverrideEntry , $xssRuleGroupOverrideEntry
2787+ $managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule - ManagedRuleSet $managedRuleSet - Exclusion $exclusionEntry1 , $exclusionEntry2 , $exclusionEntry3 , $exclusionEntry4 , $exclusionEntry5 , $exclusionEntry6 , $exclusionEntry7 , $exclusionEntry8 , $exclusionEntry9
2788+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicy - ResourceGroupName $rgname
2789+ $policySettings = New-AzApplicationGatewayFirewallPolicySetting - Mode Prevention - State Enabled - MaxFileUploadInMb 750 - MaxRequestBodySizeInKb 128
2790+ $policy.managedRules = $managedRules
2791+ $policy.PolicySettings = $policySettings
2792+ Set-AzApplicationGatewayFirewallPolicy - InputObject $policy
2793+
2794+ # Get firewall policy
2795+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicy - ResourceGroupName $rgname
2796+ Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
2797+ Assert-AreEqual $policy.ManagedRules.ManagedRuleSets [0 ].RuleGroupOverrides.Count 2
2798+ Assert-AreEqual $policy.ManagedRules.Exclusions.Count 9
2799+ Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
2800+ Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
2801+ Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
2802+ Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
2803+ Assert-AreEqual $policy.PolicySettings.State $policySettings.State
2804+ }
2805+ finally
2806+ {
2807+ # Cleanup
2808+ Clean - ResourceGroup $rgname
2809+ }
2810+ }
2811+
2812+ <#
2813+ . SYNOPSIS
2814+ Application gateway v2 waf policy with per rule exclusions
2815+ #>
2816+ function Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions
2817+ {
2818+ # Setup
2819+ $location = Get-ProviderLocation " Microsoft.Network/applicationGateways" " West US 2"
2820+
2821+ $rgname = Get-ResourceGroupName
2822+ $wafPolicyName = Get-ResourceName
2823+
2824+ try
2825+ {
2826+ $resourceGroup = New-AzResourceGroup - Name $rgname - Location $location - Tags @ { testtag = " APPGw tag"
2827+
2828+ # WAF Policy and Custom Rule
2829+ $variable = New-AzApplicationGatewayFirewallMatchVariable - VariableName RequestHeaders - Selector Content- Length
2830+ $condition = New-AzApplicationGatewayFirewallCondition - MatchVariable $variable - Operator GreaterThan - MatchValue 1000 - Transform Lowercase - NegationCondition $False
2831+ $policySettings = New-AzApplicationGatewayFirewallPolicySetting - Mode Prevention - State Enabled - MaxFileUploadInMb 70 - MaxRequestBodySizeInKb 70
2832+ $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet - RuleSetType " OWASP" - RuleSetVersion " 3.2"
2833+ $managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule - ManagedRuleSet $managedRuleSet
2834+ New-AzApplicationGatewayFirewallPolicy - Name $wafPolicyName - ResourceGroupName $rgname - Location $location - ManagedRule $managedRule - PolicySetting $policySettings
2835+
2836+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicyName - ResourceGroupName $rgname
2837+
2838+ # Check firewall policy
2839+ Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
2840+ Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
2841+ Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
2842+ Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
2843+ Assert-AreEqual $policy.PolicySettings.State $policySettings.State
2844+
2845+ # Add Per Rule Exclusions to the firewall policy
2846+ $ruleEntry1 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule - RuleId 942100
2847+ $ruleEntry2 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule - RuleId 942110
2848+ $sqlRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup - Name REQUEST-942 - APPLICATION- ATTACK- SQLI - Rule $ruleEntry1 , $ruleEntry2
2849+
2850+ $ruleEntry3 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule - RuleId 941100
2851+ $xssRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup - Name REQUEST-941 - APPLICATION- ATTACK- XSS - Rule $ruleEntry3
2852+
2853+ $exclusionRuleSetEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet - Type " OWASP" - Version " 3.2" - RuleGroup $sqlRuleGroupEntry , $xssRuleGroupEntry
2854+
2855+ $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion - MatchVariable RequestArgNames - SelectorMatchOperator Contains - Selector Bingo - ExclusionManagedRuleSet $exclusionRuleSetEntry
2856+
2857+ $managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule - ManagedRuleSet $managedRuleSet - Exclusion $exclusionEntry
2858+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicyName - ResourceGroupName $rgname
2859+ $policySettings = New-AzApplicationGatewayFirewallPolicySetting - Mode Prevention - State Enabled - MaxFileUploadInMb 750 - MaxRequestBodySizeInKb 128
2860+ $policy.managedRules = $managedRules
2861+ $policy.PolicySettings = $policySettings
2862+ Set-AzApplicationGatewayFirewallPolicy - InputObject $policy
2863+
2864+ # Second check firewall policy
2865+ $policy = Get-AzApplicationGatewayFirewallPolicy - Name $wafPolicyName - ResourceGroupName $rgname
2866+ Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
2867+ Assert-AreEqual $policy.ManagedRules.Exclusions.Count 1
2868+ Assert-AreEqual $policy.ManagedRules.Exclusions [0 ].ExclusionManagedRuleSets.Count 1
2869+ Assert-AreEqual $policy.ManagedRules.Exclusions [0 ].ExclusionManagedRuleSets[0 ].RuleGroups.Count 2
2870+ Assert-AreEqual $policy.ManagedRules.Exclusions [0 ].ExclusionManagedRuleSets[0 ].RuleGroups[0 ].Rules.Count 2
2871+ Assert-AreEqual $policy.ManagedRules.Exclusions [0 ].ExclusionManagedRuleSets[0 ].RuleGroups[1 ].Rules.Count 1
2872+ Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
2873+ Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
2874+ Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
2875+ Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
2876+ Assert-AreEqual $policy.PolicySettings.State $policySettings.State
2877+ }
2878+ finally
2879+ {
2880+ # Cleanup
2881+ Clean - ResourceGroup $rgname
2882+ }
2883+ }
2884+
27202885<#
27212886. SYNOPSIS
27222887This case tests the per-listener HostNames feature.
0 commit comments