Support Default Disabled Rules in AppGW WAF Manifest with computedDisabledRules Property #31726

@yoavmal

Description

Preconditions

  • No need to upgrade Python SDK or the Python SDK is ready.

Related command

There isn't a new command.
Existing commands are expected to return the additional read-only property computedDisabledRules specified in the description section below, and it should match the logic specified below, i.e. include user's disabled rules overrides + (default disabled rules from manifest - user's enabled rules overrides).

The most directly related command is:
az network application-gateway waf-policy managed-rule rule-set

managedRuleSet is a property of managedRules, which is a property of wafPolicy, therefore, there are more related commands, for example:
az network application-gateway waf-policy

Resource Provider

Microsoft.Network/applicationGateways

Description of Feature or Work Requested

Default Disabled Rules

The Default Disabled Rules feature allows certain rules in a managed rule group to be disabled by default. This is different from the previous behavior, where all rules were automatically enabled unless the user explicitly disabled them.

With this feature, rule authors (i.e., us - AppGW WAF team) can mark specific rules as disabled in the manifest. Users can then override these default disabled rules by explicitly enabling those rules in their WAF policy. The user's override always takes priority—if a user enables a rule that’s disabled by default, the rule becomes enabled.

As part of this feature, a new read-only property called computedDisabledRules was introduced. This property shows the final list of rules that are effectively disabled, based on:

  • The default state of each rule in the managed ruleset.
  • The user’s overrides, which can enable or disable specific rules.

This property makes it easier to understand which rules are effectively disabled.

Design Document:
https://microsoftapc-my.sharepoint.com/:w:/r/personal/neerajsingh_microsoft_com/_layouts/15/Doc.aspx?sourcedoc=%7B5449A54B-248C-41BD-8D4B-2EE3BB64E302%7D&file=Default%20disabled%20rules%20design%20document.docx&action=default&mobileredirect=true

Minimum API Version Required

2024-07-01

Swagger PR link / SDK link

Main - https://github.com/Azure/azure-rest-api-specs-pr/pull/19894
Minor - property naming fix - https://github.com/Azure/azure-rest-api-specs-pr/pull/20162

Request Example

https://github.com/Azure/azure-rest-api-specs-pr/blob/main/specification/network/resource-manager/Microsoft.Network/stable/2024-07-01/examples/ApplicationGatewayAvailableWafRuleSetsGet.json

https://github.com/Azure/azure-rest-api-specs-pr/blob/main/specification/network/resource-manager/Microsoft.Network/stable/2024-07-01/examples/WafListAllPolicies.json

https://github.com/Azure/azure-rest-api-specs-pr/blob/main/specification/network/resource-manager/Microsoft.Network/stable/2024-07-01/examples/WafListPolicies.json

https://github.com/Azure/azure-rest-api-specs-pr/blob/main/specification/network/resource-manager/Microsoft.Network/stable/2024-07-01/examples/WafPolicyGet.json

Target Date

2025-07-17

PM Contact

yuvalpery

Engineer Contact

yoavmalichi

Additional context

No response
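
The merge rule stated in the issue, user's disabled overrides + (default disabled rules from manifest - user's enabled overrides), as an added example that is not Azure CLI or AppGW service code. The dictionary shapes, group names and rule IDs are constructed for illustration and do not reproduce the 2024-07-01 API schema; the `audit` helper is hypothetical and also lists rules that are off only because of the manifest default, which is the set a policy reviewer would want to see.

```python
# Constructed manifest: rule group -> {rule id -> default state}.
MANIFEST = {
    "GROUP-A": {"1001": "Enabled", "1002": "Disabled", "1003": "Disabled"},
    "GROUP-B": {"2001": "Enabled", "2002": "Disabled"},
}
# Constructed user overrides from a WAF policy, same (assumed) shape.
OVERRIDES = {
    "GROUP-A": {"1001": "Disabled", "1002": "Enabled"},
}


def computed_disabled_rules(manifest, overrides):
    """Per group: user-disabled | (default-disabled - user-enabled)."""
    result = {}
    for group in manifest.keys() | overrides.keys():
        defaults = manifest.get(group, {})
        user = overrides.get(group, {})
        user_disabled = {r for r, s in user.items() if s == "Disabled"}
        user_enabled = {r for r, s in user.items() if s == "Enabled"}
        default_disabled = {r for r, s in defaults.items() if s == "Disabled"}
        disabled = user_disabled | (default_disabled - user_enabled)
        if disabled:
            result[group] = sorted(disabled)
    return result


def audit(manifest, overrides, reported):
    """Compare the locally computed list with the reported one.

    Returns (mismatches, default_only):
      mismatches   - rule ids present in only one of the two lists, per group
      default_only - rules disabled by the manifest default alone, i.e.
                     protections that are off without any user decision
    """
    expected = computed_disabled_rules(manifest, overrides)
    mismatches = {}
    for group in expected.keys() | reported.keys():
        diff = set(expected.get(group, [])) ^ set(reported.get(group, []))
        if diff:
            mismatches[group] = sorted(diff)
    default_only = {}
    for group, ids in expected.items():
        user = overrides.get(group, {})
        silent = [r for r in ids if user.get(r) != "Disabled"]
        if silent:
            default_only[group] = silent
    return mismatches, default_only
```
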

Labels

  • Auto-Assign (Auto assign by bot)
  • Azure CLI Team (The command of the issue is owned by Azure CLI team)
  • Network (az network vnet/lb/nic/dns/etc...)
  • feature-request
