Azure · YanaXu · Apr 25, 2024 · Mar 21, 2024 · Apr 2, 2024 · Apr 22, 2024
diff --git a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs
@@ -341,6 +341,14 @@ public void TestApplicationGatewayFirewallPolicyWithInspectionLimit()
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithInspectionLimit");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyWithJSChallenge()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithJSChallenge");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

diff --git a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1 b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
@@ -5337,6 +5337,53 @@ function Test-ApplicationGatewayFirewallPolicyWithInspectionLimit
 	}
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithJSChallenge
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+	$rgname = Get-ResourceGroupName
+	$wafPolicyName = "wafPolicy1"
+
+	try {
+
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy with custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Malicious-Header
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Any -NegationCondition $False
+		$customRule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
+
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70 -JSChallengeCookieExpirationInMins 100
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet 
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings -CustomRule $customRule
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+		# Check WAF policy
+		Assert-AreEqual $policy.CustomRules[0].Name $customRule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $customRule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $customRule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $customRule.Priority
+		Assert-AreEqual $policy.CustomRules[0].State "Enabled"
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $customRule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $customRule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $customRule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $customRule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+		Assert-AreEqual $policy.PolicySettings.JSChallengeCookieExpirationInMins $policySettings.JSChallengeCookieExpirationInMins
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 function Test-ApplicationGatewayFirewallPolicyCustomRuleRemoval
 {
 	# Setup

diff --git a/...rioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyWithJSChallenge.json b/...rioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyWithJSChallenge.json
diff --git a/src/Network/Network/ChangeLog.md b/src/Network/Network/ChangeLog.md
@@ -30,6 +30,8 @@
 * Added a new AuxiliaryMode value `AuxiliaryMode.Floating`
 * Added support for AzureFirewallPacketCapture
 * Added support of `UserAssignedIdentityId` Property in New-AzNetworkWatcherFlowLog and Set-AzNetworkWatcherFlowLog commands
+* Updated cmdlet to add the property of JSChallengeCookieExpirationInMins
+    - `New-AzApplicationGatewayFirewallPolicySetting`
 
 ## Version 7.3.0
 * Fixed a few minor issues

diff --git a/...ork/Network/FirewallPolicy/PolicySettings/AzureApplicationGatewayFirewallPolicySetting.cs b/...ork/Network/FirewallPolicy/PolicySettings/AzureApplicationGatewayFirewallPolicySetting.cs
@@ -72,6 +72,11 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration LogScrubbing { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes.")]
+        [ValidateNotNullOrEmpty]
+        [ValidateRange(5,1440)]
+        public int? JSChallengeCookieExpirationInMins { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -124,7 +129,10 @@ public override void ExecuteCmdlet()
                 this.CustomBlockResponseBody = null;
             }
 
-
+            if (!this.MyInvocation.BoundParameters.ContainsKey("JSChallengeCookieExpirationInMins"))
+            {
+                this.JSChallengeCookieExpirationInMins = (int?)null;
+            }
         }
 
         protected PSApplicationGatewayFirewallPolicySettings NewObject()
@@ -160,7 +168,8 @@ protected PSApplicationGatewayFirewallPolicySettings NewObject()
                 FileUploadLimitInMb = this.MaxFileUploadInMb,
                 CustomBlockResponseBody = this.CustomBlockResponseBody,
                 CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,
-                LogScrubbing = this.LogScrubbing
+                LogScrubbing = this.LogScrubbing,
+                JSChallengeCookieExpirationInMins = this.JSChallengeCookieExpirationInMins
             };
         }
     }

diff --git a/src/Network/Network/Models/PSApplicationGatewayFirewallPolicySettings.cs b/src/Network/Network/Models/PSApplicationGatewayFirewallPolicySettings.cs
@@ -54,5 +54,8 @@ public partial class PSApplicationGatewayFirewallPolicySettings
 
         [Ps1Xml(Target = ViewControl.Table)]
         public PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration LogScrubbing { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public int? JSChallengeCookieExpirationInMins { get; set; }
     }
 }
diff --git a/src/Network/Network/help/New-AzApplicationGatewayFirewallPolicySetting.md b/src/Network/Network/help/New-AzApplicationGatewayFirewallPolicySetting.md
@@ -18,6 +18,7 @@ New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>]
  [-MaxRequestBodySizeInKb <Int32>] [-DisableFileUploadEnforcement <Boolean>] [-MaxFileUploadInMb <Int32>]
  [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
  [-LogScrubbing <PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration>]
+ [-JSChallengeCookieExpirationInMins <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
@@ -31,23 +32,32 @@ The **New-AzApplicationGatewayFirewallPolicySetting** creates a policy settings
 $condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
 ```
 
-The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
+The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb.
 The new policySettings is stored to $condition.
 
 ### Example 2
 ```powershell
 $condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb -LogScrubbing $logScrubbingRuleConfig
 ```
 
-The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb with a scrubbing rule as $logScrubbingRuleConfig.
+The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb with a scrubbing rule as $logScrubbingRuleConfig.
 The new policySettings is stored to $condition.
 
 ### Example 3
 ```powershell
 $condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyEnforcement true -RequestBodyInspectLimitInKB 2000 -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -DisableFileUploadEnforcement true -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
 ```
 
-The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as false, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as false and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
+The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as false, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as false and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb.
+The new policySettings is stored to $condition.
+
+### Example 4
+```powershell
+$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb -JSChallengeCookieExpirationInMins $jsChallengeCookieExpirationInMins
+```
+
+The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb, JSChallengeCookieExpirationInMins as $jsChallengeCookieExpirationInMins.
+The new policySettings is stored to $condition.
 
 ## PARAMETERS
 
@@ -217,6 +227,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -JSChallengeCookieExpirationInMins
+Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes.
+
+```yaml
+Type: System.Nullable`1[System.Int32]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -State
 State variable in policy settings of the firewall policy.
 

diff --git a/tools/StaticAnalysis/Exceptions/Az.Network/SignatureIssues.csv b/tools/StaticAnalysis/Exceptions/Az.Network/SignatureIssues.csv
@@ -446,3 +446,4 @@
 "Az.Network","Microsoft.Azure.Commands.Network.UpdateAzureRmP2SVpnGatewayCommand","Update-AzP2sVpnGateway","1","8700","Parameter set 'ByP2SVpnGatewayResourceIdNoVpnServerConfigurationUpdate', 'ByP2SVpnGatewayResourceIdByVpnServerConfigurationObject' of cmdlet 'Update-AzP2sVpnGateway' have the same mandatory parameters, and both of them are not default parameter set which may cause confusion.","Merge these parameter sets into one parameter set."
 "Az.Network","Microsoft.Azure.Commands.Network.Bastion.NewAzBastionCommand","New-AzBastion","1","8410","Parameter EnableKerberos of cmdlet New-AzBastion does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
 "Az.Network","Microsoft.Azure.Commands.Network.Bastion.SetAzBastionCommand","Set-AzBastion","1","8410","Parameter EnableKerberos of cmdlet Set-AzBastion does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
+"Az.Network","Microsoft.Azure.Commands.Network.NewAzureApplicationGatewayFirewallPolicySettingCommand","New-AzApplicationGatewayFirewallPolicySetting","1","8410","Parameter JSChallengeCookieExpirationInMins of cmdlet New-AzApplicationGatewayFirewallPolicySetting does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."