Do we need to migrate from OWASP 3.2 to DRS 2.x for Azure Application Gateway WAF?

Question

Do we need to migrate from OWASP 3.2 to DRS 2.x for Azure Application Gateway WAF?

Faisal Riaz 155

Hi ,

We are currently using Azure Application Gateway WAF with the following managed rulesets:

OWASP_3.2
Microsoft_BotManagerRuleSet_1.1

Recently, Azure Advisor started showing the recommendation:

"Upgrade to the latest DRS rule set in Application Gateway WAF"

I reviewed the remediation documentation, but most examples appear to be related to Azure Front Door WAF, not Application Gateway WAF.

I would like clarification on the following points specifically for Application Gateway WAF:

Is OWASP_3.2 still supported and recommended for Application Gateway WAF?
Is migration to Microsoft Default Rule Set (DRS 2.1 / 2.2) mandatory or only recommended?
Can the existing WAF Policy be updated in-place from OWASP_3.2 to DRS_2.x, or is a new WAF policy recommended?
Will existing exclusions, disabled rules, and custom rules continue to work after upgrading?
Are there known breaking changes or compatibility concerns when moving from OWASP_3.2 to DRS_2.x?
Is Microsoft planning any deprecation timeline for OWASP_3.2 on Application Gateway WAF?

Our concern is avoiding production impact because the current WAF policy is already tuned with exclusions and rule overrides.

Any guidance or best practices from Microsoft engineering would be appreciated.

Thanks.Hi Team,

We are currently using Azure Application Gateway WAF with the following managed rulesets:

OWASP_3.2
Microsoft_BotManagerRuleSet_1.1

Recently, Azure Advisor started showing the recommendation:

"Upgrade to the latest DRS rule set in Application Gateway WAF"

I reviewed the remediation documentation, but most examples appear to be related to Azure Front Door WAF, not Application Gateway WAF.

I would like clarification on the following points specifically for Application Gateway WAF:

Is OWASP_3.2 still supported and recommended for Application Gateway WAF?
Is migration to Microsoft Default Rule Set (DRS 2.1 / 2.2) mandatory or only recommended?
Can the existing WAF Policy be updated in-place from OWASP_3.2 to DRS_2.x, or is a new WAF policy recommended?
Will existing exclusions, disabled rules, and custom rules continue to work after upgrading?
Are there known breaking changes or compatibility concerns when moving from OWASP_3.2 to DRS_2.x?
Is Microsoft planning any deprecation timeline for OWASP_3.2 on Application Gateway WAF?

Our concern is avoiding production impact because the current WAF policy is already tuned with exclusions and rule overrides.

Any guidance or best practices from Microsoft engineering would be appreciated.

Thanks.

Faisal Riaz 155 Reputation points

2026-05-14T08:01:25.9966667+00:00

Hi,

Thank you for the detailed explanation. This is very helpful.

I have one follow-up clarification regarding preserving the existing configuration during the migration from OWASP_3.2 to Microsoft_DefaultRuleSet 2.x.

Our current Application Gateway WAF policy has:

OWASP_3.2

Microsoft_BotManagerRuleSet_1.1

Existing exclusions

Potential managed rule overrides / disabled rules

Custom rules

You mentioned that using PowerShell/CLI/ARM/Terraform should preserve rule overrides, exclusions, and custom rules, while using the Azure Portal may reset managed-rule overrides.

Could you please confirm the following:

What is the recommended CLI, PowerShell, or ARM method to update the existing WAF policy from OWASP_3.2 to Microsoft_DefaultRuleSet_2.2 while preserving existing exclusions, custom rules, and managed rule overrides?

Is there an official Microsoft example command or ARM/Bicep snippet for this in-place migration?

If some existing overrides are linked to OWASP-specific rule IDs, will Azure automatically map them to DRS 2.2 rules where possible, or do we need to manually review and recreate those overrides after the migration?

Is there a supported way to export the current WAF policy, update only the managed rule set type/version, and reapply it safely as a rollback-capable process?

For production, would Microsoft recommend switching the policy to Detection mode first, performing the ruleset migration, reviewing logs, and then switching back to Prevention?

We want to avoid using the Azure Portal if it resets managed-rule overrides, so we would like to follow the safest Microsoft-supported scripted approach.

Thanks.
Venkatesan S 8,485 Reputation points Microsoft External Staff Moderator

2026-05-14T08:28:31.2333333+00:00
Thanks for the follow-up on scripting the WAF policy migration—I'll keep this practical and focused on preserving your tuned OWASP 3.2 + Bot Manager setup while moving to DRS 2.2.

Export first for safety, then update just the ruleset versions via CLI. This keeps your exclusions, custom rules, and managed rule overrides intact—no portal needed.

Export Current Policy (Rollback Ready):

az network waf policy export --resource-group <rg-name> --name <waf-policy-name> --file backup-policy.json

Update to DRS 2.2 (Preserves Everything):

bash az network waf policy update \ --resource-group <rg-name> \ --name <waf-policy-name> \ --managed-rules '[ { 'ruleSetType': 'Microsoft_DefaultRuleSet', 'ruleSetVersion': '2.2' }, { 'ruleSetType': 'Microsoft_BotManagerRuleSet', 'ruleSetVersion': '1.1' } ]'

PowerShell alternative:

powershell $wafPolicy = Get-AzWebApplicationFirewallPolicy -ResourceGroupName <rg-name> -Name <waf-policy-name> $wafPolicy.ManagedRules.ManagedRuleSets[0].RuleSetType = 'Microsoft_DefaultRuleSet' $wafPolicy.ManagedRules.ManagedRuleSets[0].RuleSetVersion = '2.2' Set-AzWebApplicationFirewallPolicy -WebApplicationFirewallPolicy $wafPolicy

ARM/Bicep Snippet

Export to JSON, tweak only managedRuleSets, redeploy:

json { "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", "properties": { "managedRules": { "managedRuleSets": [ { "ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.2" }, { "ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.1" } ] } } }

az deployment group create --resource-group <rg> --template-file updated-policy.json

Rule ID Mapping & Overrides

No auto-mapping—OWASP IDs (e.g., 942100) won't match DRS rules, so they'll go inactive post-upgrade. Review your ruleOverrides array, map to DRS equivalents manually (use the rule group docs below), and test.

Rollback & Production Flow

Export/Reapply: az network waf policy create --file backup-policy.json --name rollback-policy.

Safe Prod Path: Detection mode → CLI update → Log Analytics review (AzureDiagnostics | where wafAction_s == "Blocked") → Prevention. Expect minor tuning for new Threat Intel rules.

Clone to staging first. This mirrors Microsoft's scripted guidance exactly.

Official Docs:

Upgrade WAF Ruleset Version

DRS 2.x Rule Groups

WAF Policy CLI Reference

Kindly let us know if the above helps or you need further assistance on this issue.

Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Faisal Riaz 155 Reputation points

2026-05-14T10:53:33.46+00:00

Hi,

Thank you, this is very helpful.

One final clarification please.

In the example provided, the CLI command uses:

az network waf policy update

However, for our Application Gateway WAF Policy, the Azure CLI command group available in our environment appears to be:

az network application-gateway waf-policy

For example, we can run:

az network application-gateway waf-policy show az network application-gateway waf-policy managed-rule rule-set list

Could you please confirm the exact supported Azure CLI command for Application Gateway WAF Policy to migrate from OWASP_3.2 to Microsoft_DefaultRuleSet_2.2?

Specifically, should we use:

az network application-gateway waf-policy managed-rule rule-set update --policy-name --resource-group --type Microsoft_DefaultRuleSet --version 2.2

Also, could you confirm whether this command preserves existing exclusions, custom rules, and managed rule overrides, or whether we should instead export the full policy JSON, modify only properties.managedRules.managedRuleSets, and redeploy it using ARM/Bicep?

We want to avoid accidentally clearing existing managed rule overrides during the migration.

Thanks.
Faisal Riaz 155 Reputation points

2026-05-18T09:15:41.9033333+00:00

Hi **
**I am still waiting for your reply on above comment please.

Thanks****
Sina Salam 29,846 Reputation points Volunteer Moderator

2026-05-18T12:13:42.8166667+00:00

Regarding your questions:

Is OWASP_3.2 still supported and recommended for Application Gateway WAF?

Supported: Yes. Recommended latest: No. Microsoft’s support policy lists CRS 3.2 as supported, but Microsoft recommends using the latest rule set where possible; for Application Gateway WAF, the latest recommended managed rule set is DRS 2.2. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ruleset-support-policy, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules

Is migration to DRS 2.1 / 2.2 mandatory or only recommended?

Recommended now, not immediately mandatory while CRS 3.2 remains within the supported window. However, it becomes operationally necessary before CRS 3.2 reaches end of support under Microsoft’s rolling support policy. CRS 3.2 support ends one year after the first DRS version newer than DRS 2.2 is released. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ruleset-support-policy

Can the existing WAF policy be updated in-place, or is a new WAF policy recommended?

Technically, the existing policy can be updated in-place. For production, the safer path is to clone/export and test a separate WAF policy first, then associate it after validation. Microsoft’s upgrade guidance supports changing the managed rule set on an existing policy, but warns to preserve exclusions/overrides and validate new rules safely. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules

Will existing exclusions, disabled rules, and custom rules continue to work after upgrading?

Custom rules and global policy settings remain separate from the managed rule set and generally continue. Managed rule overrides, disabled rules, and rule-level exclusions do not automatically remain valid when the rule set changes unless they are carried forward/remapped. If changed through Azure portal, previous managed-rule customizations such as rule state, rule actions, and rule-level exclusions are reset to the new managed rule set defaults; custom rules, policy settings, and global exclusions remain unaffected. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version

Are there known breaking changes or compatibility concerns?

Yes. DRS introduces different rule groups, new rule IDs, removed CRS rules, Microsoft Threat Intelligence rule groups, newer engine behavior, and additional detections. Microsoft provides mapping guidance for legacy CRS rule groups to DRS groups and warns not to copy overrides/exclusions for removed rules. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules

Is Microsoft planning a deprecation timeline for OWASP_3.2 on Application Gateway WAF?

Microsoft’s current support policy does **not give a fixed calendar end date for CRS 3.2 yet. It states CRS 3.2 is supported, and its support ends one year after the release of the first DRS version newer than DRS 2.2. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ruleset-support-policy

How to avoid production impact?

Use a controlled migration: inventory current customizations, clone policy, upgrade the clone to DRS 2.2, preserve/remap exclusions and overrides, set new/unknown rules to Log where needed, run Detection/Log validation, inspect WAF logs, tune false positives, then switch production association. Microsoft recommends testing in a non-production environment and using logs/exclusions to tune legitimate traffic. - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version, https://learn.microsoft.com/en-us/troubleshoot/azure/web-application-firewall/web-application-firewall-troubleshoot

Cheers
Faisal Riaz 155 Reputation points

2026-05-18T12:34:35.3066667+00:00

Hi
Would you please follow and read complete discussion trail and answer.
Sina Salam 29,846 Reputation points Volunteer Moderator

2026-05-18T14:11:37.19+00:00
Hello @Faisal Riaz

Thanks for the clarification. You are correct to distinguish the command group for Azure Application Gateway WAF Policy. For more detailed on unanswered questions:

The issue is not that DRS 2.2 cannot be applied to Application Gateway WAF. The key concern is that moving from OWASP_3.2 to Microsoft_DefaultRuleSet_2.2 is a managed ruleset change, and existing OWASP-specific rule overrides or rule-level exclusions may not automatically remain valid because DRS uses different rule groups, includes Microsoft Threat Intelligence rules, and may replace or disable some older OWASP rules. Microsoft states that when changing a WAF policy ruleset version, existing rule action overrides, rule state overrides, and exclusions should be carried forward to the new ruleset version. -https://github.com/luanteylo/dm_web2026/blob/main/exercise-03/dataset/titles.csv, https://www.gofundme.com/f/help-a-sister-6rsmh

For Application Gateway WAF Policy, the correct Azure CLI command group is:

az network application-gateway waf-policy managed-rule rule-set

The direct command to update the ruleset is:

az network application-gateway waf-policy managed-rule rule-set update </span> --policy-name <waf-policy-name> </span> --resource-group <resource-group-name> </span> --type Microsoft_DefaultRuleSet </span> --version 2.2

This command is safer production approach and is to export or clone the existing policy, review and remap the OWASP-specific customizations to DRS 2.2, test in Detection mode, validate logs, then move back to Prevention mode. Microsoft recommends using PowerShell, CLI, REST API, or templates for ruleset changes when preserving overrides and exclusions, and also recommends validating ruleset changes in a test environment before production deployment. - https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationgateways, https://github.com/luanteylo/dm_web2026/blob/main/exercise-03/dataset/titles.csv

This solution addresses your actual remaining concerns:

Exact CLI command: The correct command group is az network application-gateway waf-policy managed-rule rule-set update, not az network waf policy update. - https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationgateways

Override preservation risk: The direct CLI command can update the ruleset, but it does not remove the need to review and remap OWASP-specific rule overrides and rule-level exclusions. Microsoft advises carrying forward overrides and exclusions when changing ruleset versions. - https://github.com/luanteylo/dm_web2026/blob/main/exercise-03/dataset/titles.csv, https://www.gofundme.com/f/help-a-sister-6rsmh

Safest production method: Export/clone + reviewed redeployment is not the only supported method, but it is the safest operational method because it gives rollback, auditability, and full control over custom rules, exclusions, policy settings, and managed rule overrides. Microsoft recommends defining WAF configuration as code using CLI, PowerShell, Bicep, or Terraform to avoid error-prone manual reconfiguration. - https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs, https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md

Useful the below official Microsoft references:

Application Gateway WAF managed rules CLI: https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set

Application Gateway WAF policy settings CLI: https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/policy-setting

DRS/CRS rule groups and upgrade behavior: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules

Upgrade CRS/DRS ruleset guidance: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version

ARM schema for Application Gateway WAF Policy: https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationgatewaywebapplicationfirewallpolicies

I hope this helps.

2 answers

Your answer

Faisal Riaz 155 Reputation points

2026-05-14T08:01:25.9966667+00:00

Hi,

Thank you for the detailed explanation. This is very helpful.

I have one follow-up clarification regarding preserving the existing configuration during the migration from OWASP_3.2 to Microsoft_DefaultRuleSet 2.x.

Our current Application Gateway WAF policy has:

OWASP_3.2

Microsoft_BotManagerRuleSet_1.1

Existing exclusions

Potential managed rule overrides / disabled rules

Custom rules

You mentioned that using PowerShell/CLI/ARM/Terraform should preserve rule overrides, exclusions, and custom rules, while using the Azure Portal may reset managed-rule overrides.

Could you please confirm the following:

What is the recommended CLI, PowerShell, or ARM method to update the existing WAF policy from OWASP_3.2 to Microsoft_DefaultRuleSet_2.2 while preserving existing exclusions, custom rules, and managed rule overrides?

Is there an official Microsoft example command or ARM/Bicep snippet for this in-place migration?

If some existing overrides are linked to OWASP-specific rule IDs, will Azure automatically map them to DRS 2.2 rules where possible, or do we need to manually review and recreate those overrides after the migration?

Is there a supported way to export the current WAF policy, update only the managed rule set type/version, and reapply it safely as a rollback-capable process?

For production, would Microsoft recommend switching the policy to Detection mode first, performing the ruleset migration, reviewing logs, and then switching back to Prevention?

We want to avoid using the Azure Portal if it resets managed-rule overrides, so we would like to follow the safest Microsoft-supported scripted approach.

Thanks.
Faisal Riaz 155 Reputation points

2026-05-14T10:53:33.46+00:00

Hi,

Thank you, this is very helpful.

One final clarification please.

In the example provided, the CLI command uses:

az network waf policy update

However, for our Application Gateway WAF Policy, the Azure CLI command group available in our environment appears to be:

az network application-gateway waf-policy

For example, we can run:

az network application-gateway waf-policy show az network application-gateway waf-policy managed-rule rule-set list

Could you please confirm the exact supported Azure CLI command for Application Gateway WAF Policy to migrate from OWASP_3.2 to Microsoft_DefaultRuleSet_2.2?

Specifically, should we use:

az network application-gateway waf-policy managed-rule rule-set update --policy-name --resource-group --type Microsoft_DefaultRuleSet --version 2.2

Also, could you confirm whether this command preserves existing exclusions, custom rules, and managed rule overrides, or whether we should instead export the full policy JSON, modify only properties.managedRules.managedRuleSets, and redeploy it using ARM/Bicep?

We want to avoid accidentally clearing existing managed rule overrides during the migration.

Thanks.
Faisal Riaz 155 Reputation points

2026-05-18T09:15:41.9033333+00:00

Hi **
**I am still waiting for your reply on above comment please.

Thanks****
Faisal Riaz 155 Reputation points

2026-05-18T12:34:35.3066667+00:00

Hi
Would you please follow and read complete discussion trail and answer.

Answer 1

Hi Faisal Riaz,

Thanks for reaching out in Microsoft Q&A forum,

It looks like Azure Advisor is nudging you to move off OWASP CRS 3.2 onto the newer Default Rule Set (DRS 2.x) in your App Gateway WAF. Here’s a breakdown for Application Gateway specifically:

Is OWASP_3.2 still supported and recommended?
- OWASP CRS 3.2 is fully supported on Application Gateway WAF_v2 today, but it’s considered the legacy rule set. You can keep running it, but it won’t get any of the Microsoft Threat Intelligence or false-positive reductions that DRS provides.
Is migration to DRS 2.1/2.2 mandatory or just recommended?
- It’s strongly recommended but not yet enforced. You won’t be blocked if you stay on OWASP_3.2, but you’ll miss out on new protections, CVE-specific rules, and ongoing rule updates.
Can you update your existing WAF policy in-place, or do you need a new one?
- In-place is fine if you use PowerShell/CLI/ARM/Terraform to update the managed ruleset version. That approach preserves your rule overrides, exclusions, and custom rules. If you switch via the Azure portal UI, your managed‐rule overrides will reset to defaults (you’ll have to reapply them), though global exclusions and custom rules stay intact. Many teams clone the policy into a test slot, upgrade there first, then swap.
Will exclusions, disabled rules, and custom rules survive the upgrade?
- Yes as long as you do the update via script or ARM. All your existing rule-action overrides, rule statuses, and exclusion lists carry over. If you do it manually in the portal, only the portal’s managed-rule overrides reset; your custom rules and global exclusions remain.
Any breaking changes or compatibility concerns?
- DRS 2.x brings new Microsoft ThreatIntel rule groups, replaces some OWASP rules, and defaults PL2 rules to disabled (so you start at PL1). You may see new rule IDs or changed logic. Best practice is to switch DRS to Detection (Log) mode first, monitor Azure Monitor or Log Analytics, tune overrides, then flip to Prevention.
Is there a deprecation timeline for OWASP_3.2 on App Gateway WAF?
- No public retirement date has been announced for OWASP 3.2 on Application Gateway. That said, DRS is the only rule set getting ongoing updates, so planning your move now will save you work later.

Best practice rollout steps:

Clone your WAF policy to a staging environment.
Update to DRS 2.x via PowerShell/CLI/ARM in Log mode.
Review WAF logs in Log Analytics, tweak exclusions and overrides.
Once happy, apply the change to production in Prevention mode.

Reference docs:

Upgrade CRS or DRS ruleset version: https://learn.microsoft.com/azure/web-application-firewall/ag/upgrade-ruleset-version
Managed rules in App Gateway WAF: https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules#upgrading-or-changing-ruleset-version
Create/manage WAF policies for App Gateway: https://learn.microsoft.com/azure/web-application-firewall/ag/create-waf-policy-ag
Paranoia Level & tuning guidance: https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules#paranoia-level

Kindly let us know if the above helps or you need further assistance on this issue.

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hello Faisal Riaz,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are evaluating whether to migrate from OWASP/CRS 3.2 to Microsoft Default Rule Set (DRS 2.x) for Azure Application Gateway WAF.

Regarding your questions: Check the comment.

Therefore, for Azure Application Gateway WAF, OWASP/CRS 3.2 is still supported, but it is not the latest recommended managed rule set. Microsoft recommends using the latest available Microsoft Default Rule Set, currently DRS 2.2, because it includes newer OWASP CRS baseline coverage, Microsoft Threat Intelligence protections, improved detections, and false-positive reduction improvements. https://learn.microsoft.com/en-us/azure/web-application-firewall/ruleset-support-policy, https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules

The Azure Advisor recommendation does not mean an immediate forced migration is required, but it is a valid recommendation and should be planned. CRS 3.2 remains supported under Microsoft’s managed ruleset support policy, but its support will end one year after Microsoft releases the first DRS version newer than DRS 2.2. https://learn.microsoft.com/en-us/azure/web-application-firewall/ruleset-support-policy

To resolve the issue, adhere to:

Clone or export the existing WAF policy before changing production.
Upgrade the cloned policy from OWASP 3.2 to Microsoft_DefaultRuleSet 2.2.
Keep Microsoft_BotManagerRuleSet 1.1 if already configured.
Preserve and remap existing exclusions, disabled rules, and rule overrides.
Do not blindly switch through the Azure portal, because managed-rule customizations can reset when assigning a new managed rule set.
Run the upgraded policy in Detection/Log mode first.
Review Application Gateway WAF logs in Log Analytics.
Tune only confirmed false positives.
Move the policy to Prevention mode after validation and then associate it with production.

After the policy customizations are correctly preserved/remapped and the new DRS rules are validated through WAF logs, the migration to DRS 2.2 can be completed with minimal production risk. -

“You should migrate — but do it carefully.”

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ruleset-version, https://learn.microsoft.com/en-us/troubleshoot/azure/web-application-firewall/web-application-firewall-troubleshoot, https://learn.microsoft.com/en-us/troubleshoot/azure/application-gateway/log-analytics

I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Share via

Do we need to migrate from OWASP 3.2 to DRS 2.x for Azure Application Gateway WAF?

2 answers

Your answer