Changing the Default Rule Set to DRS2.1 in Firewall Policy (#23760)

* edit ruleset

* edit test

* add changelog

Author: Shawnli222

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -221,6 +221,14 @@ public void TestApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRul
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRule -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyDefaultRuleSet()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyDefaultRuleSet -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -3875,6 +3875,63 @@ function Test-ApplicationGatewayFirewallPolicyManagedRuleGroupOverrideEmptyRule
 	}
 }
 
+<#
+.SYNOPSIS
+Application gateway v2 waf policy default managed rule set
+#>
+function Test-ApplicationGatewayFirewallPolicyDefaultRuleSet
+
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicy = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy and Custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Content-Length
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GreaterThan -MatchValue 1000 -Transform Lowercase -NegationCondition $False
+		$rule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -Location $location -PolicySetting $policySettings
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+		$policy.CustomRules = $rule
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Second check firewll policy
+		Assert-AreEqual $policy.CustomRules[0].Name $rule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $rule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $rule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $rule.Priority
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $rule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].Transforms[0] $rule.MatchConditions[0].Transforms[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $rule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchValues[0] $rule.MatchConditions[0].MatchValues[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $rule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $rule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.RuleSetType "Microsoft_DefaultRuleSet"
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.RuleSetVersion "2.1"
+
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 
 <#
 .SYNOPSIS

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyDefaultRuleSet.json

@@ -20,6 +20,7 @@
 
 ## Upcoming Release
 * Fixed a few minor issues
+* Changed the Default Rule Set from CRS3.0 to DRS2.1 in `NewAzureApplicationGatewayFirewallPolicy`
 
 ## Version 7.1.0
 * Added DefaultOutboundAccess parameter on subnet creation

src/Network/Network/ChangeLog.md

@@ -52,7 +52,7 @@ protected PSApplicationGatewayFirewallPolicyManagedRules NewObject()
                 {
                     new PSApplicationGatewayFirewallPolicyManagedRuleSet()
                     {
-                        RuleSetType = "DRS",
+                        RuleSetType = "Microsoft_DefaultRuleSet",
                         RuleSetVersion = "2.1"
                     }
                 };

src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs

@@ -123,7 +123,7 @@ private PSApplicationGatewayWebApplicationFirewallPolicy CreateApplicationGatewa
                     {
                         new PSApplicationGatewayFirewallPolicyManagedRuleSet()
                         {
-                            RuleSetType = "DRS",
+                            RuleSetType = "Microsoft_DefaultRuleSet",
                             RuleSetVersion = "2.1"
                         }
                     }