Changing the Default Rule Set to DRS2.1 in Firewall Policy (#23760)

Shawnli222 · htippanaboya · commit 069e8b8c2923 · 2024-01-22T15:08:28.000-05:00
* edit ruleset

* edit test

* add changelog
diff --git a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs
@@ -221,6 +221,14 @@ public void TestApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRul
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRule -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyDefaultRuleSet()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyDefaultRuleSet -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
diff --git a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1 b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
@@ -3875,6 +3875,63 @@ function Test-ApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRule
 	}
 }
 
+<#
+.SYNOPSIS
+Application gateway v2 waf policy default managed rule set
+#>
+function Test-ApplicationGatewayFirewallPolicyDefaultRuleSet
+
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicy = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy and Custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Content-Length
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GreaterThan -MatchValue 1000 -Transform Lowercase -NegationCondition $False
+		$rule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -Location $location -PolicySetting $policySettings
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+		$policy.CustomRules = $rule
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Second check firewll policy
+		Assert-AreEqual $policy.CustomRules[0].Name $rule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $rule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $rule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $rule.Priority
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $rule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].Transforms[0] $rule.MatchConditions[0].Transforms[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $rule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchValues[0] $rule.MatchConditions[0].MatchValues[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $rule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $rule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.RuleSetType "Microsoft_DefaultRuleSet"
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.RuleSetVersion "2.1"
+
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 
 <#
 .SYNOPSIS
diff --git a/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyDefaultRuleSet.json b/src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyDefaultRuleSet.json
diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md
@@ -19,6 +19,15 @@
 --->
 
 ## Upcoming Release
+* Fixed a few minor issues
+* Updated `New-AzApplicationGateway` to include `EnableRequestBuffering` and `EnableResponseBuffering` parameters
+* Changed the Default Rule Set from CRS3.0 to DRS2.1 in `NewAzureApplicationGatewayFirewallPolicy`
+* Added optional property 'Profile' to `New-AzFirewallPolicyIntrusionDetection` 
+* Added new cmdlet to update Connection child resource of Network Virtual Appliance. - `Update-AzNetworkVirtualApplianceConnection`
+* Added support of `InternetIngressIp` Property in New-AzNetworkVirtualAppliance
+* Added the new cmdlet for supporting `InternetIngressIp` Property with Network Virtual Appliances -`New-AzVirtualApplianceInternetIngressIpsProperty`
+* Added a new AuxiliaryMode value `AuxiliaryMode.Floating`
+* Added support for AzureFirewallPacketCapture
 
 ## Version 7.3.0
 * Fixed a few minor issues
diff --git a/src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs b/src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs
@@ -52,7 +52,7 @@ protected PSApplicationGatewayFirewallPolicyManagedRules NewObject()
                 {
                     new PSApplicationGatewayFirewallPolicyManagedRuleSet()
                     {
-                        RuleSetType = "DRS",
+                        RuleSetType = "Microsoft_DefaultRuleSet",
                         RuleSetVersion = "2.1"
                     }
                 };
diff --git a/src/Network/Network/FirewallPolicy/NewAzureApplicationGatewayFirewallPolicyCommand.cs b/src/Network/Network/FirewallPolicy/NewAzureApplicationGatewayFirewallPolicyCommand.cs
@@ -123,7 +123,7 @@ private PSApplicationGatewayWebApplicationFirewallPolicy CreateApplicationGatewa
                     {
                         new PSApplicationGatewayFirewallPolicyManagedRuleSet()
                         {
-                            RuleSetType = "DRS",
+                            RuleSetType = "Microsoft_DefaultRuleSet",
                             RuleSetVersion = "2.1"
                         }
                     }

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ protected PSApplicationGatewayFirewallPolicyManagedRules NewObject()`
`52`	`52`	`{`
`53`	`53`	`new PSApplicationGatewayFirewallPolicyManagedRuleSet()`
`54`	`54`	`{`
`55`		`- RuleSetType = "DRS",`
	`55`	`+ RuleSetType = "Microsoft_DefaultRuleSet",`
`56`	`56`	`RuleSetVersion = "2.1"`
`57`	`57`	`}`
`58`	`58`	`};`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ private PSApplicationGatewayWebApplicationFirewallPolicy CreateApplicationGatewa`
`123`	`123`	`{`
`124`	`124`	`new PSApplicationGatewayFirewallPolicyManagedRuleSet()`
`125`	`125`	`{`
`126`		`- RuleSetType = "DRS",`
	`126`	`+ RuleSetType = "Microsoft_DefaultRuleSet",`
`127`	`127`	`RuleSetVersion = "2.1"`
`128`	`128`	`}`
`129`	`129`	`}`