diff --git a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListAllPolicies.json b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListAllPolicies.json
index 09078e6451fe..301263716723 100644
--- a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListAllPolicies.json
+++ b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListAllPolicies.json
@@ -20,8 +20,11 @@
 "resourceState": "Enabled",
 "provisioningState": "Succeeded",
 "policySettings": {
- "enabledState": "Enabled",
- "mode": "Prevention"
+ "state": "Enabled",
+ "mode": "Prevention",
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 750,
+ "requestBodyCheck" : true
 },
 "customRules": [
 {
@@ -81,7 +84,15 @@
 ],
 "action": "Block"
 }
- ]
+ ],
+ "managedRules" :{
+ "managedRuleSets": [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0"
+ }
+ ]
+ }
 }
 }
 ]
diff --git a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListPolicies.json b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListPolicies.json
index 014aad5ae9e7..3c9d509b843e 100644
--- a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListPolicies.json
+++ b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafListPolicies.json
@@ -21,8 +21,19 @@
 "resourceState": "Enabled",
 "provisioningState": "Succeeded",
 "policySettings": {
- "enabledState": "Enabled",
- "mode": "Prevention"
+ "state": "Enabled",
+ "mode": "Detection",
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 750,
+ "requestBodyCheck" : true
+ },
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0"
+ }
+ ]
 },
 "customRules": [
 {
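Review bot: The WafListPolicies.json example (hunk `@@ -21,8 +21,19 @@`) now returns `"mode": "Detection"` where it previously returned `"mode": "Prevention"`, and nothing visible in the change explains the switch. In Detection mode the WAF logs rule matches without blocking them, so a reader who copies the example into a deployment gets a policy that does not stop requests. If the switch is unintended, keep `"mode": "Prevention",` as the WafListAllPolicies.json and WafPolicyGet.json examples do; the same applies to the two response hunks of WafPolicyCreateOrUpdate.json.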
diff --git a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyCreateOrUpdate.json b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyCreateOrUpdate.json
index b4af29bf2264..0befc02fffde 100644
--- a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyCreateOrUpdate.json
+++ b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyCreateOrUpdate.json
@@ -7,6 +7,14 @@
 "parameters": {
 "location": "WestUs",
 "properties": {
+ "managedRules" : {
+ "managedRuleSets" : [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0"
+ }
+ ]
+ },
 "customRules": [
 {
 "name": "Rule1",
@@ -80,8 +88,19 @@
 "resourceState": "Enabled",
 "provisioningState": "Succeeded",
 "policySettings": {
- "enabledState": "Enabled",
- "mode": "Prevention"
+ "state": "Enabled",
+ "mode": "Detection",
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 750,
+ "requestBodyCheck" : true
+ },
+ "managedRules" : {
+ "managedRuleSets" : [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0"
+ }
+ ]
 },
 "customRules": [
 {
@@ -159,8 +178,19 @@
 "resourceState": "Enabled",
 "provisioningState": "Succeeded",
 "policySettings": {
- "enabledState": "Enabled",
- "mode": "Prevention"
+ "state": "Enabled",
+ "mode": "Detection",
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 750,
+ "requestBodyCheck" : true
+ },
+ "managedRules" : {
+ "managedRuleSets" : [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0"
+ }
+ ]
 },
 "customRules": [
 {
diff --git a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyGet.json b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyGet.json
index dbc3b52cf981..a04dad5477be 100644
--- a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyGet.json
+++ b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/examples/WafPolicyGet.json
@@ -20,8 +20,11 @@
 "resourceState": "Enabled",
 "provisioningState": "Succeeded",
 "policySettings": {
- "enabledState": "Enabled",
- "mode": "Prevention"
+ "state": "Enabled",
+ "mode": "Prevention",
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 750,
+ "requestBodyCheck" : true
 },
 "customRules": [
 {
@@ -81,7 +84,55 @@
 ],
 "action": "Block"
 }
- ]
+ ],
+ "managedRules": {
+ "managedRuleSets" : [
+ {
+ "ruleSetType" : "OWASP",
+ "ruleSetVersion" : "3.0",
+ "ruleGroupOverrides" : [
+ {
+ "ruleGroupName" : "REQUEST-942-APPLICATION-ATTACK-SQLI",
+ "rules" : [
+ {
+ "ruleId" : "942130",
+ "state" : "Disabled"
+ },
+ {
+ "ruleId" : "942110",
+ "state" : "Disabled"
+ }
+ ]
+ },
+ {
+ "ruleGroupName" : "REQUEST-920-PROTOCOL-ENFORCEMENT",
+ "rules" : [
+ {
+ "ruleId" : "920100",
+ "state" : "Disabled"
+ },
+ {
+ "ruleId" : "920120",
+ "state" : "Disabled"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "exclusions": [
+ {
+ "matchVariable" : "RequestHeaderNames",
+ "selectorMatchOperator" : "Equals",
+ "selector" : "testHeader1"
+ },
+ {
+ "matchVariable" : "RequestHeaderNames",
+ "selectorMatchOperator" : "StartsWith",
+ "selector" : "testHeader2"
+ }
+ ]
+ }
 }
 }
 }
diff --git a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/webapplicationfirewall.json b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/webapplicationfirewall.json
index b21266730369..9e1156d9f5bd 100644
--- a/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/webapplicationfirewall.json
+++ b/specification/network/resource-manager/Microsoft.Network/stable/2019-08-01/webapplicationfirewall.json
@@ -79,19 +79,19 @@
 "tags": [
 "WebApplicationFirewallPolicies"
 ],
+ "description": "Gets all the WAF policies in a subscription.",
 "operationId": "WebApplicationFirewallPolicies_ListAll",
 "x-ms-examples": {
 "Lists all WAF policies in a subscription": {
 "$ref": "./examples/WafListAllPolicies.json"
 }
 },
- "description": "Gets all the WAF policies in a subscription.",
 "parameters": [
 {
- "$ref": "./network.json#/parameters/ApiVersionParameter"
+ "$ref": "./network.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "./network.json#/parameters/SubscriptionIdParameter"
+ "$ref": "./network.json#/parameters/ApiVersionParameter"
 }
 ],
 "responses": {
@@ -191,7 +191,7 @@
 }
 },
 {
- "$ref": "network.json#/parameters/ApiVersionParameter"
+ "$ref": "./network.json#/parameters/ApiVersionParameter"
 }
 ],
 "responses": {
@@ -283,6 +283,9 @@
 },
 "WebApplicationFirewallPolicyPropertiesFormat": {
 "description": "Defines web application firewall policy properties.",
+ "required": [
+ "managedRules"
+ ],
 "properties": {
 "policySettings": {
 "description": "Describes policySettings for policy.",
@@ -295,6 +298,10 @@
 "$ref": "#/definitions/WebApplicationFirewallCustomRule"
 }
 },
+ "managedRules": {
+ "description": "Describes the managedRules structure",
+ "$ref": "#/definitions/ManagedRulesDefinition"
+ },
 "applicationGateways": {
 "readOnly": true,
 "type": "array",
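Review bot: Adding `managedRules` to `required` in `WebApplicationFirewallPolicyPropertiesFormat` (hunk `@@ -283,6 +283,9 @@`) changes the contract of a version that sits under `stable/2019-08-01`: a request body that carries only `customRules` and `policySettings` no longer validates against the schema. Whether the service itself rejects such a body is not visible here, so the definition's description should state the requirement explicitly rather than leave it to the `required` array. The new `managedRules` property in the `@@ -295,6 +298,10 @@` hunk places `description` beside `$ref`; tooling that follows the JSON Reference rule of ignoring `$ref` siblings will drop that text, so the description is better carried by `ManagedRulesDefinition` itself. The definition starts and ends outside both hunks.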
@@ -346,10 +353,32 @@
 }
 }
 },
+ "ManagedRulesDefinition": {
+ "description": "Allow to exclude some variable satisfy the condition for the WAF check.",
+ "required": [
+ "managedRuleSets"
+ ],
+ "properties": {
+ "exclusions": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/OwaspCrsExclusionEntry"
+ },
+ "description": "Describes the Exclusions that are applied on the policy."
+ },
+ "managedRuleSets": {
+ "type" : "array",
+ "items": {
+ "$ref": "#/definitions/ManagedRuleSet"
+ },
+ "description": "Describes the ruleSets that are associated with the policy."
+ }
+ }
+ },
 "PolicySettings": {
 "description": "Defines contents of a web application firewall global configuration.",
 "properties": {
- "enabledState": {
+ "state": {
 "description": "Describes if the policy is in enabled state or disabled state.",
 "type": "string",
 "enum": [
@@ -372,6 +401,26 @@
 "name": "WebApplicationFirewallMode",
 "modelAsString": true
 }
+ },
+ "requestBodyCheck": {
+ "type": "boolean",
+ "description": "Whether to allow WAF to check request Body."
+ },
+ "maxRequestBodySizeInKb": {
+ "type": "integer",
+ "format": "int32",
+ "maximum": 128,
+ "exclusiveMaximum": false,
+ "minimum": 8,
+ "exclusiveMinimum": false,
+ "description": "Maximum request body size in Kb for WAF."
+ },
+ "fileUploadLimitInMb": {
+ "type": "integer",
+ "format": "int32",
+ "minimum": 0,
+ "exclusiveMinimum": false,
+ "description": "Maximum file upload size in Mb for WAF."
 }
 }
 },
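Review bot: `ManagedRulesDefinition` carries the exclusion entry's description ("Allow to exclude some variable satisfy the condition for the WAF check."), which does not describe an object that holds rule sets and exclusions; `"description": "Defines the managed rule sets and exclusions applied by the policy."` fits what its properties show. `managedRuleSets` is required but has no `"minItems": 1`, so an empty array validates and the policy would presumably carry no managed rules; add the bound if the service expects at least one set. The definition also omits `"type": "object"`, which `ManagedRuleSet` in the last hunk declares. The rename of `enabledState` to `state` further down this hunk is a wire-level change for existing clients of this stable version, and the `PolicySettings` definition continues outside the hunk.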
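Review bot: `fileUploadLimitInMb` declares `"minimum": 0` but no `maximum`, while `maxRequestBodySizeInKb` beside it is bounded to 8–128; if the service caps the upload size, the cap belongs in the schema so that out-of-range values fail validation instead of reaching the service. `requestBodyCheck` is described only as "Whether to allow WAF to check request Body." and states neither the default nor the effect of `false`; assuming the service skips body inspection in that case, `"description": "Whether the WAF inspects the request body. When false, request bodies are not evaluated against the rules."` makes the consequence explicit. `"exclusiveMaximum": false` and `"exclusiveMinimum": false` restate the defaults and can be dropped.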
@@ -532,6 +581,115 @@
 }
 }
 }
+ },
+ "ManagedRuleSet": {
+ "type": "object",
+ "description": "Defines a managed rule set.",
+ "required": [
+ "ruleSetType",
+ "ruleSetVersion"
+ ],
+ "properties": {
+ "ruleSetType": {
+ "description": "Defines the rule set type to use.",
+ "type": "string"
+ },
+ "ruleSetVersion": {
+ "description": "Defines the version of the rule set to use.",
+ "type": "string"
+ },
+ "ruleGroupOverrides": {
+ "description": "Defines the rule group overrides to apply to the rule set.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ManagedRuleGroupOverride"
+ }
+ }
+ }
+ },
+ "ManagedRuleGroupOverride": {
+ "description": "Defines a managed rule group override setting.",
+ "required": [
+ "ruleGroupName"
+ ],
+ "properties": {
+ "ruleGroupName": {
+ "description": "Describes the managed rule group to override.",
+ "type": "string"
+ },
+ "rules": {
+ "description": "List of rules that will be disabled. If none specified, all rules in the group will be disabled.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ManagedRuleOverride"
+ }
+ }
+ }
+ },
+ "ManagedRuleOverride": {
+ "description": "Defines a managed rule group override setting.",
+ "required": [
+ "ruleId"
+ ],
+ "properties": {
+ "ruleId": {
+ "description": "Identifier for the managed rule.",
+ "type": "string"
+ },
+ "state": {
+ "description": "Describes the state of the managed rule. Defaults to Disabled if not specified.",
+ "type": "string",
+ "enum": [
+ "Disabled"
+ ],
+ "x-ms-enum": {
+ "name": "ManagedRuleEnabledState",
+ "modelAsString": true
+ }
+ }
+ }
+ },
+ "OwaspCrsExclusionEntry": {
+ "required": [
+ "matchVariable",
+ "selectorMatchOperator",
+ "selector"
+ ],
+ "description": "Allow to exclude some variable satisfy the condition for the WAF check.",
+ "properties": {
+ "matchVariable": {
+ "type": "string",
+ "enum": [
+ "RequestHeaderNames",
+ "RequestCookieNames",
+ "RequestArgNames"
+ ],
+ "description": "The variable to be excluded.",
+ "x-ms-enum": {
+ "name": "OwaspCrsExclusionEntryMatchVariable",
+ "modelAsString": true
+ }
+ },
+ "selectorMatchOperator": {
+ "type": "string",
+ "enum": [
+ "Equals",
+ "Contains",
+ "StartsWith",
+ "EndsWith",
+ "EqualsAny"
+ ],
+ "description": "When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.",
+ "x-ms-enum": {
+ "name": "OwaspCrsExclusionEntrySelectorMatchOperator",
+ "modelAsString": true
+ }
+ },
+ "selector": {
+ "type": "string",
+ "description": "When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to."
+ }
+ }
 }
 }
 }
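Review bot: `ManagedRuleGroupOverride.rules` is optional and its own description says that omitting it disables every rule in the group, so an override that names a `ruleGroupName` and nothing else silently turns off a whole group, such as the SQLi group used in the WafPolicyGet.json example. The schema cannot change that behaviour, but the description of `ManagedRuleGroupOverride` should state it up front; `ManagedRuleOverride.state`, whose only enum value is `Disabled`, has the same fail-open default. `ManagedRuleOverride` repeats the group's description, and `"description": "Defines a managed rule override setting."` would be accurate. The `selector` description speaks of an "operator" although the property is the value being matched, e.g. `"description": "When matchVariable is a collection, the selector value that picks the elements this exclusion applies to."`. `ManagedRuleGroupOverride`, `ManagedRuleOverride` and `OwaspCrsExclusionEntry` also omit `"type": "object"`, which `ManagedRuleSet` declares.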