Azure – You can now use a central configuration and management point for Azure Firewall

You may already know Azure Firewall, the managed, cloud-based network security solution protecting your Azure virtual network resources.

Well, good news, you can now have a central configuration and management point for Azure Firewall, called Azure Firewall Manager, to help you manage your cloud-based security perimeters.

Azure Firewall Manager works with Azure Virtual WAN Hub (see https://docs.microsoft.com/en-in/azure/virtual-wan/virtual-wan-about#resources to know more about it).

With Azure Firewall Manager you can deploy and manage multiple Azure Firewall instances across different Azure regions from a central point, while being able to integrate with third-party services (like Zscaler).


During the public preview, Azure Firewall Manager is available in the following regions:

  • West Europe
  • North Europe
  • France Central
  • France South
  • UK South
  • UK West
  • Australia East
  • Australia Central
  • Australia Central 2
  • Australia Southeast
  • Canada Central
  • East US
  • West US
  • East US 2
  • South Central US
  • West US 2
  • Central US
  • North Central US
  • West Central US

To start using it, you must first register the required network provider feature using the command below (here I'm using the Cloud Shell, so I don't need to connect to Azure first):

Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network


It may take up to 30 minutes to get it registered.

If you have multiple subscriptions you want to register, you will need to switch to each subscription and run the above command again:

Set-AzContext -SubscriptionId <your subscription id>
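Registering the feature subscription by subscription and then waiting up to 30 minutes for each one gets tedious when there are more than a couple. The following PowerShell is an added example, not part of the original post: it loops over every enabled subscription the signed-in account can see, requests registration where it is not already "Registered", and then polls the registration state until it flips or the timeout expires. It assumes the Az module (as in Cloud Shell, or a session already connected with Connect-AzAccount) and that the account has rights to register features in each subscription; the function names are my own.

```powershell
# Added example (not from the original post): register the AllowCortexSecurity feature
# in every enabled subscription, then wait for each registration to complete.
# Assumes the Az module and an already-connected session (Cloud Shell or Connect-AzAccount).
$featureName = "AllowCortexSecurity"
$providerNs  = "Microsoft.Network"

function Request-FirewallManagerFeature {
    # Requests registration in one subscription and returns the state seen before the request
    param([string] $SubscriptionId)
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $providerNs
    $state = $feature.RegistrationState
    if ($state -ne "Registered") {
        Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $providerNs | Out-Null
    }
    return $state
}

function Wait-FirewallManagerFeature {
    # Polls once a minute until the feature reports "Registered" or the timeout (default 30 min) passes
    param([string] $SubscriptionId, [int] $TimeoutMinutes = 30)
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $providerNs
        if ($feature.RegistrationState -eq "Registered") { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Only enabled subscriptions can be registered; disabled ones are skipped
$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }

# First pass: fire off all registration requests so they proceed in parallel on the Azure side
foreach ($sub in $subscriptions) {
    $before = Request-FirewallManagerFeature -SubscriptionId $sub.Id
    Write-Host "$($sub.Name): state before request was '$before'"
}

# Second pass: wait for each subscription and report the outcome
foreach ($sub in $subscriptions) {
    $ok = Wait-FirewallManagerFeature -SubscriptionId $sub.Id
    Write-Host "$($sub.Name): registered = $ok"
}
```

Requesting registration everywhere first and only then waiting means the total wall-clock time is roughly one registration, not one per subscription. Any subscription that still reports `registered = False` after the timeout is one to check again later with Get-AzProviderFeature before trying to create a Firewall Policy in it.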

Once registered, you can open Azure Firewall Manager by searching for Azure Firewall Manager in the Azure portal.


From there you can create:

  • New Azure Firewall Policies
  • New Secured Virtual Hub
  • Convert existing Hubs


You can migrate your existing Azure Firewall configuration to an Azure Firewall Policy using the script below:

$FirewallName = "<your Azure Firewall name>"
$ResourceGroupName = "<the resource group where the Azure Firewall is hosted>"
$PolicyName = "<your Azure Firewall Policy name>"
$Location = "<the Azure region>"

$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100

# Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
    Param([Object[]] $Protocols)
    # Builds the "Type:Port,Type:Port" string expected by -Protocol
    $output = ""
    ForEach ($protocol in $Protocols) {
        $output += $protocol.ProtocolType + ":" + $protocol.Port + ","
    }
    return $output.Substring(0, $output.Length - 1)
}

Function GetApplicationRuleCmd
{
    Param([Object] $ApplicationRule)

    # The command is built as text and run with Invoke-Expression, so array values are
    # joined with "," (one argument per parameter) and the description is single-quoted
    # because it may contain spaces
    $cmd = "New-AzFirewallPolicyApplicationRule"
    $cmd = $cmd + " -Name " + $ApplicationRule.Name
    $cmd = $cmd + " -SourceAddress " + ($ApplicationRule.SourceAddresses -join ",")

    if ($ApplicationRule.Description) {
        $cmd = $cmd + " -Description '" + $ApplicationRule.Description.Replace("'", "''") + "'"
    }
    if ($ApplicationRule.TargetFqdns) {
        $protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
        $cmd = $cmd + " -Protocol " + $protocols
        $cmd = $cmd + " -TargetFqdn " + ($ApplicationRule.TargetFqdns -join ",")
    }
    if ($ApplicationRule.FqdnTags) {
        $cmd = $cmd + " -FqdnTag " + ($ApplicationRule.FqdnTags -join ",")
    }

    return $cmd
}

$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName
Write-Host "creating empty firewall policy"
$fwp = New-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName -Location $Location -ThreatIntelMode $azfw.ThreatIntelMode
Write-Host $fwp.Name "created"
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"

# Translate ApplicationRuleCollection
If ($azfw.ApplicationRuleCollections.Count -gt 0) {
    $firewallPolicyAppRuleCollections = @()
    ForEach ($appRc in $azfw.ApplicationRuleCollections) {
        If ($appRc.Rules.Count -gt 0) {
            Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
            $firewallPolicyAppRules = @()
            ForEach ($appRule in $appRc.Rules) {
                $cmd = GetApplicationRuleCmd($appRule)
                $firewallPolicyAppRule = Invoke-Expression $cmd
                Write-Host "Created appRule " $firewallPolicyAppRule.Name
                $firewallPolicyAppRules += $firewallPolicyAppRule
            }
            $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRc.Name -Priority $appRc.Priority -ActionType $appRc.Action.Type -Rule $firewallPolicyAppRules
            Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
            # Only collections that actually got rules are added; an empty source collection is skipped
            $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
        }
    }
    $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
}

# Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0) {
    $firewallPolicyNetRuleCollections = @()
    ForEach ($rc in $azfw.NetworkRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
            $firewallPolicyNetRules = @()
            ForEach ($rule in $rc.Rules) {
                $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created network rule " $firewallPolicyNetRule.Name
                $firewallPolicyNetRules += $firewallPolicyNetRule
            }
            $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
            Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
            $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
        }
    }
    $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
}

# Translate NatRuleCollection
# The hierarchy for NAT rule collections differs between Azure Firewall and Firewall Policy. In Azure Firewall a
# NatRuleCollection holds multiple NatRules, each with its own set of source, destination, translated IPs and ports.
# In Firewall Policy a NatRuleCollection holds rules that carry only the match condition (source and destination
# IPs and ports), while the translated IP and port belong to the NatRuleCollection itself.
# So when translating NAT rules we create a separate rule collection for each Azure Firewall rule,
# and every such rule collection holds exactly one rule.

Write-Host "creating " $azfw.NatRuleCollections.Count " nat rule collections"
If ($azfw.NatRuleCollections.Count -gt 0) {
    $firewallPolicyNatRuleCollections = @()
    $priority = 100
    ForEach ($rc in $azfw.NatRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
            ForEach ($rule in $rc.Rules) {
                $firewallPolicyNatRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created nat rule " $firewallPolicyNatRule.Name
                $natRuleCollectionName = $rc.Name + $rule.Name
                $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRule -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort
                $priority += 1
                Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
                $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
            }
        }
    }
    $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
}
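The application-rule part of the script above builds a command line from rule names, descriptions and FQDNs and then hands it to Invoke-Expression, which re-parses that text as PowerShell. Rule data that came from a firewall someone else administers is not a great thing to run through the parser: a stray quote or space breaks the migration, and characters PowerShell treats as syntax could change what gets executed. The following is an added example, not part of the original post or Microsoft's migration script: the same translation done with parameter splatting, so every value is passed to New-AzFirewallPolicyApplicationRule as data rather than as source text. It assumes the Az.Network module and the same $appRule objects the script already iterates over; the function name is my own.

```powershell
# Added example (not from the original post): translate an Azure Firewall application rule
# into a Firewall Policy application rule with splatting instead of Invoke-Expression.
# Assumes Az.Network and the rule objects returned by Get-AzFirewall.
Function ConvertTo-FirewallPolicyApplicationRule
{
    Param([Object] $ApplicationRule)

    # Mandatory parameters; arrays are passed as arrays, no joining or quoting needed
    $params = @{
        Name          = $ApplicationRule.Name
        SourceAddress = $ApplicationRule.SourceAddresses
    }

    # Optional parameters are only added when the source rule has them,
    # mirroring the if-blocks of the original GetApplicationRuleCmd
    if ($ApplicationRule.Description) {
        $params["Description"] = $ApplicationRule.Description
    }
    if ($ApplicationRule.TargetFqdns) {
        # Policy rules take protocols as "Type:Port" strings, one array element per protocol
        $params["Protocol"]   = @($ApplicationRule.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" })
        $params["TargetFqdn"] = $ApplicationRule.TargetFqdns
    }
    if ($ApplicationRule.FqdnTags) {
        $params["FqdnTag"] = $ApplicationRule.FqdnTags
    }

    # The hashtable is splatted: values go straight to the cmdlet's parameters
    return New-AzFirewallPolicyApplicationRule @params
}

# Drop-in replacement for the two lines in the migration loop that build and
# Invoke-Expression the command:
#   $firewallPolicyAppRule = ConvertTo-FirewallPolicyApplicationRule $appRule
```

With splatting there is nothing to quote or escape, so the helper that joined protocols into a comma-separated string is no longer needed either; the cmdlet accepts the protocol array directly. The network and NAT rule sections of the script already call their cmdlets this way, which is why they need no change.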

Benoit Hamet
Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years: currently MVP on Office 365, after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) or online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.
