When it comes to automation, there are number of scenarios which come to your mind. It may be simply using PowerShell to manage your Azure Firewall (e.g. getting Azure Firewall resources information, retrieving rule collection, adding a new rule or so on). More advanced, it can be a scheduled automation job running to continuously maintain Azure Firewall. And if we were to reflect to DevOps, the automation would be a CICD pipeline for the security operation team to deploy, maintain, update and monitor network/application rules continuously in a collaborative development environment.
The first article of Azure Firewall (Public Preview) Automation series, we will look into using Microsoft PowerShell in order to create, deploy and manage Azure Firewall resources.
Disclaimer: the series is written specifically for Azure Firewall in public preview. Technical information may be out of date when Azure Firewall goes GA (General Availability). I will try to continuously maintain the information to ensure more accurate.
PowerShell module
To work with Azure Firewall (Public Preview) using PowerShell, you must update or install AzureRm.Network 6.4.0-preview. This is the only version where supported cmdlets are available. The module with version 6.4.0 or the latest one (6.4.1) doesn’t include Azure Firewall (Public Preview) cmdlet.
AzureRm.Profile must be equal or greater than 5.3.3 prior to using AzureRm.Network 6.4.0-preview.
Pre-requisites
Before Azure Firewall (Public Preview) cmdlets can be used, you need to register two features name underMicrosoft.Network resource provider:
- AllowRegionalGatewayManagerForSecureGateway
- AzureAzureFirewall
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
To verify, run the following commands and ensure the RegistrationState is Registered.
Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
While the above command can be used, you can quickly use try…catch to check the registration state.
try {
$appRegistrationState = Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway `
-ProviderNamespace Microsoft.Network
$networkRegistrationState = Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall `
-ProviderNamespace Microsoft.Network
if ($appRegistrationState.RegistrationState -ne "Registered") {
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
}
if ($networkRegistrationState.RegistrationState -ne "Registered") {
Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
}
while ($appRegistrationState.RegistrationState -eq "Unregistered") {
$appRegistrationState = Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway `
-ProviderNamespace Microsoft.Network
Write-Host "The Firewall application rule provider is:"$appRegistrationState.RegistrationState""
Start-Sleep -Seconds 3
}
while ($networkRegistrationState.RegistrationState -eq "Registering") {
$networkRegistrationState = Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway `
-ProviderNamespace Microsoft.Network
Write-Host "The Firewall network rule provider is:"$networkRegistrationState.RegistrationState""
Start-Sleep -Seconds 3
}
Register-AzureRmResourceProviderR-ProviderNamespace Microsoft.Network
}
catch {
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
List all supported cmdlets
To list all supported cmdlets for Azure Firewall (Public Preview), run the following command:
Get-Command -Name *AzureRmFirewall*
There are 8 cmdlets available in module:
- Get-AzureRmFirewall : used to get Azure Firewall resource information.
- New-AzureRmFirewall : used to create a new Azure Firewall resource.
- New-AzureRmFirewallApplicationRule : used to create a new application rule
- New-AzureRmFirewallApplicationRuleCollection : used to create a new application rule collection
- New-AzureRmFirewallNetworkRule : used to create a new network rule.
- New-AzureRmFirewallNetworkRuleCollection : used to create a new network rule collection
- Remove-AzureRmFirewall : used to remove an existing Azure Firewall resource.
- Set-AzureRmFirewall : used to update Azure Firewall resource including application and network rule and collection rule.
Create a new Azure Firewall
To basically create a new Azure Firewall resource, you can simply run the following script:
$rgName = 'corp-rg' $location = 'westus' $vNetName = 'vnet01-sec' $vNet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vNetName $fwName = 'fw01' $pipName = 'fw01-pip' $pip = Get-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $rgName New-AzureRmFirewall -Name $fwName ` -ResourceGroupName $rgName ` -Location $location ` -VirtualNetworkName $vNet.Name ` -PublicIpName $pip.Name
The following parameters are required:
- Location (string): region where the new Azure Firewall resource is going to be deployed.
- Name (string): name of the new Azure Firewall resource.
- PublicIPName (string): the reserved public IP address for the new Azure Firewall resource. Ensure it’s Standard SKU and must belong to the same resource group.
- ResourceGroupName (string): name of the resource group which contains your Azure Firewall resource.
- Virtual Network: Specifies the name of the virtual network for which the Firewall will be deployed. Virtual network and Firewall must belong to the same resource
group
Beyond, New–AzureRmFirewall cmdlet also provide the following optional parameters:
- ApplicationRuleCollection (list): the collection of application rules for the new Azure Firewall resource. The collection must be created prior to creating a new Azure Firewall resource.
- NetworkRuleCollection (list): the collection of network rules for the new Azure Firewall resource. It must be created prior to creating a new Azure Firewall resource.
- AsJob: used to run cmdlet in the background
- DefaultProfile: used to specify your Azure context profile
- Force: used to force the command to be run which out asking for user confirmation.
- Tag (hashtable): key-value pairs in the form of a hashtable in order to tag your Azure Firewall resource.
- Confirm: used to prompt for configuration before running the cmdlet
- WhatIf: used to show what would happen if the cmdlet runs.
There are also common parameters such as Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable supported naturally in this cmdlet.
A bit helpful tip to verify resource group name for Public IP address and Virtual Network and AzureFirewallSubnet subnet before creating a new Azure Firewall resource:
$rgName = 'pentest-rg'
$location = 'westus'
$vNetName = 'vnet-sec'
$vNet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vNetName
$fwName = 'fw01'
$pipName = 'azFirewall01'
$pip = Get-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $rgName
if ($pip.ResourceGroupName -ne $rgName -or $vNet.ResourceGroupName -ne $rgName -and $vnet.Subnets.Name -notcontains "AzureFirewallSunet" ) {
Write-Output "Can't create Azure Firewall"
}
else {
New-AzureRmFirewall -Name $fwName `
-ResourceGroupName $rgName `
-Location $location `
-VirtualNetworkName $vNet.Name `
-PublicIpName $pip.Name
}
Retrieving Azure Firewall information
Azure Firewall information can be retrieved using Get–AzureRmFirewall cmdlet. This cmdlet only use the following parameters:
- Name: name of the Azure Firewall you need to retrieve
- ResourceGroupName: the resource group your Azure Firewall belongs to
DefaultProfile is still an option. Get-AzureRmFirewall also supports common parameters (e.g. Verbose..).
If you don’t specify name or resource group, the output returns all Azure Firewall resources in the given context of subscription.
If you want to list all Azure Firewall resources in a specific resource group, simply run:
$rgName = 'pentest-rg' Get-AzureRmFirewall -ResourceGroupName $rgName
If you want to retrieve a specific Azure Firewall resource, provide the name and resource group
$fwName = "fw01" $rgName = 'pentest-rg' $azFirewall = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $rgName Write-Host "Found an Azure Firewall named:" $azFirewall.Name
The output format of the cmdlet is similar to other resources in which you can read to each property to get specific value.
Write-Host "The Azure Firewall name is:" $azFirewall.Name Write-Host "The Azure Firewall resource id is": $azFirewall.Id Write-Host "The Azure Firewall belongs to": $azFirewall.ResourceGroupName "resource group" Write-Host "The Azure Firewall is located": $azFirewall.Location
Create an application rule
Azure Firewall is useless without rules to be run. New-AzureRmFirewallApplicationRule cmdlet allows you to create individual application rule before associating it to an application collection rule. The cmdlet requires the following parameters:
- Name: name of your application rule. This name must be unique inside a rule collection
- Protocol: protocol of the application rule which Azure Firewall is used for filtering. The supported protocols are HTTP and HTTPs.
- SourceAddress: source address of the application rule. It can be set wildcard (*) as All.
- TargetFqdn: it is a domain name of the application rule which Azure Firewall is used for filtering. Review Quick look at Azure Firewall article for some important notes.
The following parameters are optional:
- DefaultProfile: it’s a context of the given subscription
- Description: description of your application rule.
- Confirm: prompts you for confirmation before running the cmdlet
- WhatIf: shows what would happen if the cmdlet runs
Other common parameters such as Verbose, Debug are supported in this cmdlet.
To create a new application rule, simply run:
$rule = New-AzureRmFirewallApplicationRule -Name GitHub ` -SourceAddress * ` -Protocol Http:80, Https:443 ` -TargetFqdn *.github.com Write-Output $rule
Creating an application rule collection
A collection contains list of grouped application rules, for example a collection of blocked malicious hosts. To create an application rule collection, use New-AzureRmFirewallApplicationRuleCollection cmdlet. The following parameters are required:
- Name: name of the application rule collection (e.g. Blacklist).
- Priority: the priority of this rule. The value can be between 100 and 65000. The smaller the number, the bigger the priority.
- Rule: this is the application rule you already created. The type of this parameter is List so you can assign an individual rule, or a list of rules.
- ActionType: this is the action of the application rule collection. Currently this parameter supports two values: Denyor Allow.
- DefaultProfile: it’s a context of the given subscription
- Confirm: prompts you for confirmation before running the cmdlet
- WhatIf: shows what would happen if the cmdlet runs.
Other common parameters such as Verbose, Debug are supported in this cmdlet.
Followed by the rule you already created earlier, run the following script to create a new application rule collection which contains the rule
$ruleCollection = New-AzureRmFirewallApplicationRuleCollection -Name BlackList ` -Priority 300 ` -Rule $rule ` -ActionType "Deny" Write-Output $ruleCollection
Now you have a collection which contains a rule. To set the collection rule for your existing Azure Firewall resource, you can access to ApplicationRuleCollection property to assign the newly created collection rule’s value, then use Set-AzureRmFirewall cmdlet :
$azFirewall.ApplicationRuleCollections = $ruleCollection Set-AzureRmFirewall -AzureFirewall $azFirewall
Create a network rule
To create a network rule in Azure Firewall, use New-AzureRmFirewallNetworkRule cmdlet. This cmdlet comes with the following required parameters:
- SourceAddress: source addresses of the rule
- DestinationAddress: the destination address of the network rule
- DestinationPort: the destination ports of the network rule
- Name: name of the network rule
- Protocol: protocol to be filtered by Azure Firewall. TCP, UDP, ICMP and Any are supported values. This is case-sensitive value and must be uppercase.
The following parameters are optional:
- DefaultProfile: a context of given subscription
- Description: description of your network rule
- Confirm: prompt you for confirmation before running the cmdlet
- WhatIf: show what would happen if the cmdlet runs.
Other common parameters such as Verbose, Debug are supported in this cmdlet.
To create a new network rule, simply run:
$maliciousAdd = New-AzureRmFirewallNetworkRule -Name "trojan-source" ` -Description "block malicious source" ` -Protocol TCP ` -SourceAddress "*" ` -DestinationAddress 5.135.115.193 ` -DestinationPort 8080 Write-Output $maliciousAdd
Create a network rule collection
A collection contains list of grouped network rules, for example a collection of blocked malicious IP addresses. To create a network rule collection, use New-AzureRmFirewallNetworkRuleCollection . The following parameters are required:
- Name: name of the network rule collection (e.g. IP Blacklist).
- Priority: the priority of this rule. The value can be between 100 and 65000. The smaller the number, the bigger the priority.
- Rule: this is the network rule you already created. The type of this parameter is List so you can assign an individual rule, or a list of rules.
- ActionType: this is the action of the network rule collection. Currently this parameter supports two values: Deny or Allow.
The following parameters are optional:
- DefaultProfile: it’s a context of the given subscription
- Confirm: prompts you for confirmation before running the cmdlet
- WhatIf: shows what would happen if the cmdlet runs.
Other common parameters such as Verbose, Debug are supported in this cmdlet.
Followed by the rule you already created earlier, run the following script to create a new network rule collection which contains the rule:
$ipBlacklistCollection = New-AzureRmFirewallNetworkRuleCollection ` -Name "ip-blacklist-collection" ` -Priority 300 ` -Rule $maliciousAdd ` -ActionType "Deny" Write-Output $ipBlacklistCollection
To set the collection rule for your existing Azure Firewall resource, you can access to ApplicationRuleCollection property to assign the newly created collection rule’s value, then use Set-AzureRmFirewall cmdlet:
$azFirewall.NetworkRuleCollections = $ipBlacklistCollection Set-AzureRmFirewall -AzureFirewall $azFirewall
Remove Azure Firewall resource
You may not need Azure Firewall running once your test is done because it charges $0.625/Hour which sounds pricey. Use Remove-AzureRmFirewall cmdlet to remove Azure Firewall resource. The cmdlet comes with the following required parameters:
- Name: name of the Azure Firewall resource you want to remove.
- ResourceGroupName: the resource group name where the Azure Firewall belongs to
Beyond, Remove-AzureRmFirewall cmdlet also provide the following optional parameters:
- AsJob: used to run cmdlet in the background
- DefaultProfile: used to specify your Azure context profile
- Force: used to force the command to be run which out asking for user confirmation.
- PassThru: returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
- Confirm: used to prompt for configuration before running the cmdlet
- WhatIf: used to show what would happen if the cmdlet runs.
There are also common parameters including Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable supported naturally in this cmdlet.
$fwName = "fw01" $rgName = 'pentest-rg' Remove-AzureRmFirewall -Name $fwName -ResourceGroupName $rgName
Stop/Start Azure Firewall
One of the very interesting features coming with Azure Firewall – a managed service is that you can deallocate (stop) or allocate (start) your Azure Firewall. If you don’t want to remove Azure Firewall, you can set Deallocated state for the firewall to remove running. With this, charge doesn’t occur.
$fwName = "fw01" $rgName = 'pentest-rg' $azFirewall = Get-AzureRmFirewall -ResourceGroupName $rgName -Name $fwName $azFirewall.Deallocate()
If you want to get it back, simply use Allocate() method
$fwName = "fw01" $rgName = 'pentest-rg' $azFirewall = Get-AzureRmFirewall -ResourceGroupName $rgName -Name $fwName $azFirewall.Allocate()
Conclusion
This article gives you basic command to work with Azure Firewall (Public Preview) resources. The upcoming article will give you more advanced scripts to help you effectively manage and operate your Azure Firewall resource. Stay tuned!
About the Author:
Thuan has nearly 10 years of experience spanning across industry of Information Technology and Services and 4 years of experiences working with Singapore governments in which his responsibilities include technical evangelism, pre-sales activities, proof-of-concept mentoring, technical support, security design to architecting the entire solution, having focused primarily on Microsoft Stack. Playing as an independent technology consultant role, Thuan has had great opportunities to work with large companies from USA, Europe, Japan and Singapore.
Thuan spends his spare time reading awesome books. He is regularly on Twitter (http://twitter.com/nnthuan) and blogs at http://thuansoldier.net
Reference:
Soldier, T (2018). Azure Firewall (Public Preview) Automation – Part 1. Available at: https://thuansoldier.net/7858/. [Accessed 15 August 2018]
