Exam AZ-700 topic 4 question 9 discussion

Actual exam question from Microsoft's AZ-700
Question #: 9
Topic #: 4

HOTSPOT -
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
✑ www.adatum.com
✑ www.contoso.com
✑ www.fabrikam.com
AppGW1 has the listeners shown in the following table.

You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies

Comments

WorkHardBeProud
Highly Voted 2 years, 10 months ago
Correct! Say your application gateway has a global policy applied to it. Then you apply a different policy to a listener on that application gateway. The listener's policy now takes effect for just that listener. The application gateway’s global policy still applies to all other listeners and path-based rules that don't have a specific policy assigned to them. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy
upvoted 65 times
Kafura
1 year, 4 months ago
Say your application gateway has a global policy applied to it. Then you apply a different policy to a listener on that application gateway. The listener's policy now takes effect for just that listener. The application gateway’s global policy still applies to all other listeners and path-based rules that don't have a specific policy assigned to them
upvoted 1 times
...
pinchocr
2 years, 2 months ago
CORRECT!! :Ñ Say your application gateway has a global policy applied to it. Then you apply a different policy to a listener on that application gateway. The listener's policy now takes effect for just that listener. The application gateway’s global policy still applies to all other listeners and path-based rules that don't have a specific policy assigned to them. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy
upvoted 1 times
...
timcheuk
2 years, 6 months ago
thanks. I finally understand the reason.
upvoted 1 times
...
xavi1
2 years, 6 months ago
great explanation
upvoted 1 times
...
...
Morgana
Highly Voted 2 years, 10 months ago
Priority [required] Determines the rule evaluation order. The lower the value, the earlier the evaluation of the rule. The allowable range is from 1-100. Must be unique across all custom rules. A rule with priority 40 is evaluated before a rule with priority 80. So the priority 50 is a Deny, and the connection to listen2 will not be allowed. I still go for YES, NO, NO.
upvoted 41 times
MightyMonarch74
1 year, 4 months ago
YYN - you can ignore the priority column, as these are all separate WAF custom policies assigned to different components of the app gateway, the priorities would come into play if there were multiple custom rules within the same policy
upvoted 2 times
...
izidorf
2 years, 9 months ago
Agree. As we have Global deny applied with low priority, Listener 2 won't be allowed. YES, NO, NO.
upvoted 8 times
blacknurse
2 years, 9 months ago
If you read this document https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy then the answer is Yes, Yes, No. Because the listener's policy takes effect for just listener 2 despite the priority.
upvoted 28 times
...
...
...
Saba53
Most Recent 1 week ago
Contoso.com - Y - this policy overrides deny for AppGW1. By default traffic is allowed, so even if it is set to Detection only it changes nothing and still does not block the traffic. Fabrikam.com - Y - again this policy overrides deny for AppGW1 and it is set to Prevention and allow. Adatum.com - N - takes policy from AppGW1, so Prevention and deny.
upvoted 1 times
...
Sergovladi
1 month ago
Y, N, N. Policies configured for Listeners take precedence over global AG WAF policy. Priorities between different Policies do not have an effect, but count only within each separate policy. Traffic is allowed in detection mode (question 1), and denied by the policies for 2 other questions.
upvoted 1 times
...
bobothewiseman
1 month, 1 week ago
It's a YYN. According to the official guidance, when both global and per-site (listener-specific) WAF policies are configured, the per-site policy takes precedence for its associated listener. This means that the global policy applies only to listeners that do not have a specific per-site policy assigned. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
upvoted 2 times
...
Ganchev
2 months, 1 week ago
What is the difference between "Detection" and "Prevention"? And what is the effect of "Detection - Allow" and "Detection - Deny", and how does it differ from "Prevention - Allow" and "Prevention - Deny"?
upvoted 1 times
...
Aydin
3 months, 3 weeks ago
YES NO NO
upvoted 1 times
...
galahad
6 months, 1 week ago
Say your application gateway has a global policy applied to it. Then you apply a different policy to a listener on that application gateway. The listener's policy now takes effect for just that listener. The application gateway’s global policy still applies to all other listeners and path-based rules that don't have a specific policy assigned to them. I got this from this web link https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview. So the answer should be YYN
upvoted 1 times
...
Murad01
8 months, 3 weeks ago
Appeared on Exam November - 2023
upvoted 3 times
...
Lazylinux
11 months, 1 week ago
The answer is YYN and here is why, as per MS doco: You can apply as many WAF policies as you like to both App gateway or/and listeners and/or path-based routing rule.
• If you want to apply the same policy to all or some listeners, then you apply it at the Global level, in this case the Application Gateway
• If you want to apply a specific policy to a certain website, then apply it to the specific listener of that website and the rest can be applied globally, i.e. to the application gateway
• This is where you need to pay attention: the Global Policy, i.e. the policy applied to the Application Gateway, will only IMPACT/AFFECT the listeners that DO NOT have any specific policy applied to them, BUT if a listener has a policy applied to it, it will take effect and the Global one will NOT apply to this listener
see next post
upvoted 3 times
Lazylinux
11 months, 1 week ago
Here is a snippet from MS Doco: If your Application Gateway has an associated policy, and then you associate a different policy to a listener on that Application Gateway, the listener's policy takes effect, but just for the listener(s) that they're assigned to. The Application Gateway policy still applies to all other listeners that don't have a specific policy assigned to them. More info here: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag
upvoted 1 times
...
...
JennyHuang36
1 year, 6 months ago
In exam Feb, 2023
upvoted 2 times
...
afhilal
1 year, 6 months ago
The answer is correct: yes, yes, no
upvoted 1 times
...
GohanF2
1 year, 9 months ago
Also, keep in mind the priorities. The lower the integer number in the "priority" field, the higher the priority to be processed. It's like setting up "metrics" in a network; the lower the integer, the higher the priority.
upvoted 1 times
...
GohanF2
1 year, 9 months ago
Answer is: YES, NO, NO. The priority of the policy order matters. 1. The first one is analyzed by custom rule 1, which is set to allow traffic by default behavior of "Detection mode". 2. The second goes through the Global Policy attached to the Application Gateway, which is set to deny and then stops processing rules. 3. It's the same as 2. It goes through the global policy rule, which is set to deny, and then it stops processing policies. Policy 3 is never processed due to the global policy that is set to deny.
upvoted 3 times
...
wetraining123
1 year, 12 months ago
The answer is correct. If your Application Gateway has an associated policy, and then you associated a different policy to a listener on that Application Gateway, the listener's policy will take effect, but just for the listener(s) that they're assigned to. The Application Gateway policy still applies to all other listeners that don't have a specific policy assigned to them. If you assign a policy to your Application Gateway (or listener) that already has a policy in place, the original policy is overwritten and replaced by the new policy.
upvoted 3 times
...
Azuriste
2 years ago
For me YES NO NO
upvoted 2 times
...
lobs_wort
2 years, 1 month ago
In exam 21-Jul-22.
upvoted 1 times
...
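The precedence rule quoted from the Microsoft documentation in several comments above, modeled as an added example (not part of the original thread and not Microsoft's code). The listener names, policy names and rules are constructed and are not the exam's tables; managed rule sets and path-based rule policies are left out, and a rule's match condition is reduced to a substring test.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    priority: int   # lower number is evaluated first, unique within ONE policy
    action: str     # "Allow" or "Block" (the thread calls Block "deny")
    match: str      # simplified match condition: substring of the request path

@dataclass
class Policy:
    name: str
    mode: str       # "Detection" logs only, "Prevention" enforces
    rules: list = field(default_factory=list)

def effective_policy(gateway_policy, listener_policies, listener):
    """A listener's own policy replaces the gateway-wide one for that listener."""
    return listener_policies.get(listener, gateway_policy)

def evaluate(policy, path):
    """Return (verdict, log). Only rules inside `policy` compete on priority."""
    for rule in sorted(policy.rules, key=lambda r: r.priority):
        if rule.match in path:
            log = f"{policy.name} p{rule.priority} {rule.action} ({policy.mode})"
            enforced = policy.mode == "Prevention" and rule.action == "Block"
            return ("blocked" if enforced else "allowed"), log
    return "allowed", f"{policy.name}: no custom rule matched"

# Constructed sample configuration, not the exam's tables.
GLOBAL = Policy("global", "Prevention", [Rule(50, "Block", "/")])
PER_LISTENER = {
    "listener-a": Policy("site-a", "Detection", [Rule(10, "Block", "/")]),
    "listener-b": Policy("site-b", "Prevention", [Rule(70, "Allow", "/")]),
}

def verdicts(path="/index.html"):
    """Resolve and evaluate the policy for each constructed listener."""
    out = {}
    for listener in ("listener-a", "listener-b", "listener-c"):
        policy = effective_policy(GLOBAL, PER_LISTENER, listener)
        out[listener] = evaluate(policy, path)
    return out

if __name__ == "__main__":
    for listener, (verdict, log) in verdicts().items():
        print(f"{listener}: {verdict:8} {log}")
```

In this model the global Block rule at priority 50 is never consulted for listener-b, even though 50 is a lower number than that listener's own rule at 70, because the two rules live in different policies.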