
az network front-door waf-policy rule create | Create custom rule in WAF is not working #8587

@fabsimilian


Describe the bug

I have the latest version of the Azure CLI (2.70.0).

I'm trying to add a custom rule into our waf policy (premium frontdoor) but the command is not working.
Docs say that action, name, policy-name, priority, rg, rule-type are required.

If I fire the command

az network front-door waf-policy rule create --policy-name <policy_name> --resource-group <resource_group> --name TestRule --priority 5 --rule-type MatchRule --action Allow

I get the following error:

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".

but there is no match condition property and all others are set.

Related command

az network front-door waf-policy rule create

Errors

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".

Issue script & Debug output

cli.knack.cli: Command arguments: ['network', 'front-door', 'waf-policy', 'rule', 'create', '--policy-name', '<waf_name>', '--resource-group', '<rg>', '--name', 'TestRule', '--priority', '5', '--rule-type', 'MatchRule', '--action', 'Allow', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x10522f240>, <function OutputProducer.on_global_arguments at 0x105ae6520>, <function CLIQuery.on_global_arguments at 0x105b1fce0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_front_door']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: network                   0.448       118       362
cli.azure.cli.core: privatedns                0.011        14        60
cli.azure.cli.core: Total (2)                 0.458       132       422
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: front-door                0.028        19        77  /Users/<user>/.azure/cliextensions/front-door
cli.azure.cli.core: Total (1)                 0.028        19        77  
cli.azure.cli.core: Loaded 149 groups, 499 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : network front-door waf-policy rule create
cli.azure.cli.core: Command table: network front-door waf-policy rule create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x1068f62a0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/<user>/.azure/commands/2025-03-21.14-03-55.network_front-door_waf-policy_rule_create.45437.log'.
az_command_data_logger: command args: network front-door waf-policy rule create --policy-name {} --resource-group {} --name {} --priority {} --rule-type {} --action {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x10692f9c0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x106969d00>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x106969e40>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x106969ee0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x105ae65c0>, <function CLIQuery.handle_query_parameter at 0x105b1fd80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x106969da0>]
az_command_data_logger: extension name: front-door
az_command_data_logger: extension version: 1.2.0
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=FrontDoorManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/<user>/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/<user>/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<tenant_id>
msal.authority: openid_config("https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration") = ...
msal.application: Broker enabled? None
cli.azure.cli.core.commands: WebApplicationFirewallPolicy '<waf_name>' not found in cache. Retrieving from Azure...
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 7599850f-74d6-4c9f-bec8-72c719042932
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/<waf_name>?api-version=2024-02-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '<request_id>'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network front-door waf-policy rule create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--policy-name --resource-group --name --priority --rule-type --action --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.70.0 (HOMEBREW) azsdk-python-core/1.31.0 Python/3.12.9 (macOS-15.1-arm64-arm-64bit)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/<waf_name>?api-version=2024-02-01 HTTP/1.1" 200 3602
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '3602'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '...'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '<request_id>'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'c1904db7-9576-4019-8a84-5ac98611b21b'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': '...
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: <> Ref B: <> Ref C: 2025-03-21T13:03:55Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 21 Mar 2025 13:03:55 GMT'
cli.azure.cli.core.sdk.policies: Response content: ...
cli.azure.cli.core.sdk.policies: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/<waf_name>?api-version=2024-02-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '3094'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '<request_id>'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network front-door waf-policy rule create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--policy-name --resource-group --name --priority --rule-type --action --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.70.0 (HOMEBREW) azsdk-python-core/1.31.0 Python/3.12.9 (macOS-15.1-arm64-arm-64bit)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "Global", "tags": {}, "sku": {"name": "Premium_AzureFrontDoor"}, "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection", "requestBodyCheck": "Enabled", "javascriptChallengeExpirationInMinutes": 30}, "customRules": {"rules": .... }
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/<subscription_id>/resourceGroups/<rg>/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/<waf_name>?api-version=2024-02-01 HTTP/1.1" 400 231
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '231'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-operation-identifier': 'tenantId=<tenant_id>,objectId=<object_id>/germanywestcentral/<id>'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '9e1e5cdb-d2c3-42ee-8c36-0deeebe820c2'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '<request_id>'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '<cor_request_id>'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'GERMANYWESTCENTRAL:20250321T130357Z:<cor_request_id>'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: <> Ref B: <> Ref C: 2025-03-21T13:03:55Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 21 Mar 2025 13:03:56 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "error": {
    "code": "BadRequest",
    "message": "WebApplicationFirewallPolicy validation failed. More information \"Rule TestRule must have properties set with rule type, match condition, action, and priority set.\"."
  }
}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/Users/<user>/.azure/cliextensions/front-door/azext_front_door/custom.py", line 1154, in create_wp_custom_rule
    return cached_put(cmd, client.begin_create_or_update, policy, resource_group_name, policy_name).result()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 459, in cached_put
    result = _put_operation()
             ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 446, in _put_operation
    result = operation(*extended_args)
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/<user>/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 624, in begin_create_or_update
    raw_result = self._create_or_update_initial(
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/<user>/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 519, in _create_or_update_initial
    raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".

cli.azure.cli.core.azclierror: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
az_command_data_logger: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Rule TestRule must have properties set with rule type, match condition, action, and priority set.".
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x1068f6520>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 2.663 seconds (init: 0.121, invoke: 2.543)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4505 in cache file under /Users/<user>/.azure/telemetry/20250321140357296
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.70.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /Users/<user>/.azure /Users/<user>/.azure/telemetry/20250321140357296"
telemetry.process: Return from creating process 45445
telemetry.main: Finish creating telemetry upload process.

Expected behavior

The custom rule should be created

Environment Summary

azure-cli 2.70.0

core 2.70.0
telemetry 1.1.0

Extensions:
front-door 1.2.0

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.70.0/libexec/bin/python'
Config directory '/Users/<user>/.azure'
Extensions directory '/Users/<user>/.azure/cliextensions'

Python (Darwin) 3.12.9 (main, Feb 4 2025, 14:38:38) [Clang 16.0.0 (clang-1600.0.26.6)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
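
The 400 in the debug output is the service rejecting a custom rule that reached the PUT without a match condition. As an added example (not code from this issue or from the Azure CLI), the following pre-flight check applies the same four-property test to a policy body before it is sent; the field names `ruleType`, `matchConditions`, `action`, `priority`, `matchVariable`, `operator` and `matchValue` are assumed from the Front Door WAF policy REST schema, and the sample body is constructed.

```python
import json

# Properties named in the service error, keyed by the REST body field (assumed schema).
REQUIRED_RULE_FIELDS = {
    "ruleType": "rule type",
    "matchConditions": "match condition",
    "action": "action",
    "priority": "priority",
}
# Fields each match condition is assumed to need.
REQUIRED_CONDITION_FIELDS = ("matchVariable", "operator", "matchValue")


def lint_custom_rules(policy: dict) -> list[str]:
    """Return one finding per custom-rule property that is missing or empty."""
    findings = []
    rules = (policy.get("properties", {}).get("customRules") or {}).get("rules") or []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        for field, label in REQUIRED_RULE_FIELDS.items():
            value = rule.get(field)
            # An empty matchConditions list is treated like a missing one;
            # a numeric priority of 0 is still a value and is not flagged.
            if value is None or value == [] or value == "":
                findings.append(f"{name}: missing {label} ({field})")
        for i, cond in enumerate(rule.get("matchConditions") or []):
            for field in REQUIRED_CONDITION_FIELDS:
                if not cond.get(field):
                    findings.append(f"{name}: matchConditions[{i}] missing {field}")
    return findings


# Constructed sample body: TestRule mirrors the rule from the issue (no match condition);
# AllowOffice is a hypothetical rule scoped to a documentation address range.
SAMPLE_POLICY = json.loads("""
{
  "location": "Global",
  "sku": {"name": "Premium_AzureFrontDoor"},
  "properties": {
    "policySettings": {"enabledState": "Enabled", "mode": "Detection"},
    "customRules": {"rules": [
      {"name": "TestRule", "priority": 5, "ruleType": "MatchRule",
       "action": "Allow", "matchConditions": []},
      {"name": "AllowOffice", "priority": 10, "ruleType": "MatchRule", "action": "Allow",
       "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                            "matchValue": ["203.0.113.0/24"]}]}
    ]}
  }
}
""")

if __name__ == "__main__":
    for finding in lint_custom_rules(SAMPLE_POLICY):
        print(finding)
```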

Labels

Auto-Assign: Auto assign by bot
Network
Service Attention: This issue is responsible by Azure service team.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that