Azure Firewall (Public Preview) Automation – Part 2

Posted on 08/10/2018 by azsec

The previous article gave you all available cmdlets used to create and manage Azure Firewall (Public Preview) resources along with its configuration (application and network rule).

In this article, we will look into a bit more advanced script specifically focused on working with Azure Firewall configurations.

Create multiple application rules

The previous article gave you the way to create a single rule and associate to the application rule collection. In a real-world case, you may want to create multiple rules at the same time and associate to a new or an existing application rule collection. To do so, you simply need to create a list object, then have multiple rules added to the list. See the example:

$youTubeRule = New-AzureRmFirewallApplicationRule -Name YouTube `
                                   -SourceAddress * `
                                   -Protocol Http:80, Https:443 `
                                   -TargetFqdn *.youtube.com

$googleRule = New-AzureRmFirewallApplicationRule -Name Google `
                                   -SourceAddress * `
                                   -Protocol Http:80, Https:443 `
                                   -TargetFqdn *.google.com

$facebookRule = New-AzureRmFirewallApplicationRule -Name Facebook `
                                   -SourceAddress * `
                                   -Protocol Http:80, Https:443 `
                                   -TargetFqdn *.facebook.com

$ruleSet = @($youTubeRule, $googleRule, $facebookRule)


$generalWebCollection = New-AzureRmFirewallApplicationRuleCollection -Name GeneralWebCollection `
-Priority 400 `
-Rule $ruleSet  `
-ActionType "Allow"

$azFirewall.ApplicationRuleCollections = $generalWebCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall

Add a rule to the existing application rule collection

In a daily basis of security operation, you’d need to add a new application rule to the existing rule collection without making any impact on the existing configuration. To achieve this, you can use AddRule() method in application rule collection object. The following script shows you the way to add a new rule to the existing rule collection:

$microsoftRule = New-AzureRmFirewallApplicationRule -Name Microsoft `
                                   -SourceAddress * `
                                   -Protocol Http:80, Https:443 `
                                   -TargetFqdn *.microsoft.com

$existingRuleCollection = $azFirewall.ApplicationRuleCollections
$existingRuleCollection.AddRule($microsoftRule)

Set-AzureRmFirewall -AzureFirewall $azFirewall

If you have more than one rule collection, you must retrieve existing rule collection of all, then add your rule correspondingly. Unless the new rule collection will overwrite to the existing one. There are two methods to get application rule collection:

  • GetApplicationRuleCollectionByName() : allows you to retrieve specific application rule collection by name
  • GetApplicationRuleCollectionByPriority() : allows you to retrieve specific application rule collection by pirority

The sample script gives you an example in which there are two application rule collections. The new rule is created and added to a specific rule collection while the update (Set-AzureRmFirewall ) still retain all application rule collection’s configuration.

$blacklistCollection = $azFirewall.GetApplicationRuleCollectionByName('blacklist')
$generalwebCollection = $azFirewall.GetApplicationRuleCollectionByName('GeneralWebCollection')

$blrule01 = New-AzureRmFirewallApplicationRule -Name web02 `
                                   -SourceAddress * `
                                   -Protocol Http:80, Https:443 `
                                   -TargetFqdn *.xyz01.com
$blacklistCollection.AddRule($blrule01)
$updatedCollection = @($blacklistCollection, $generalwebCollection)

$azFirewall.ApplicationRuleCollections = $updatedCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall

Similarly, network rule collection can be done using method GetNetworkRuleCollectionByName()  or GetNetworkRuleCollectionByPriority()

Not only add, the following methods are provided to allow you to remove application/network rule collection by name or priority

  • RemoveApplicationRuleCollectionByName()
  • RemoveApplicationRuleCollectionByPriority()
  • RemoveNetworkRuleCollectionByName()
  • RemoveNetworkRuleCollectionByPriority()

Remove existing rule

In some cases you’d need to remove an existing rule to comply with your security policy. With given Azure Firewall cmdlet, you can use GetRuleByName()  and RemoveRuleByName()  in application/network rule collection object.

$blacklistCollection = $azFirewall.GetApplicationRuleCollectionByName('blacklist')
$generalwebCollection = $azFirewall.GetApplicationRuleCollectionByName('GeneralWebCollection')

$blacklistCollection.RemoveRuleByName('web02')

$updatedCollection = @($blacklistCollection, $generalwebCollection)

$azFirewall.ApplicationRuleCollections = $updatedCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall

The above script looks similar to the previous one, with the only change at method.

Creating rules from a Internet list

You may wonder yourself sometime if there is a list of malicious host to add to your Azure Firewall. If that is what you’d be looking for, Malicious Domain List (MDL) is a recommended one for you. MDL provides number of different formats including csv, txt or rss. To complete this article, below is the script I quickly created to read to the malicious host list here then create rules accordingly in Azure Firewall, under an application rule collection with Deny mode.

$fwName = "fw01"
$rgName = 'pentest-rg'
$last_updated = Get-Date -Format yyyyMMddThhmmssZ
$rule_file_path = "D:\Dev\azFirewall\bl"
$cleaned_file_name = "$rule_file_path" + "$last_updated" + ".txt"

$azFirewall = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $rgName
if (!$azFirewall) {
    throw "No target Azure Firewall resource is not found"
}
else {
    Write-Output $azFirewall.Name
}

# Download and process host list
Invoke-WebRequest http://www.malwaredomainlist.com/hostslist/hosts.txt -OutFile $cleaned_file_name
$rawList = Get-Content -path $cleaned_file_name | Select-Object -Skip 6 
$cleanedList = $rawList


# Create multiple rules
$ruleset = @()
Foreach ($hostList in $cleanedList) { 
    $trimmedHost = ($hostList.Trim("127.0.0.1")).Trim()
    ForEach ($blockUrl in $trimmedHost) {
        $ruleset += New-AzureRmFirewallApplicationRule -Name $blockUrl `
            -SourceAddress * `
            -Protocol Http:80, Https:443 `
            -TargetFqdn $blockUrl -Verbose
    }
}

# Create a new application rule collection
$ruleCollection = New-AzureRmFirewallApplicationRuleCollection -Name MDLHost `
    -Priority 300 `
    -Rule $ruleset  `
    -ActionType "Deny"

$azFirewall.ApplicationRuleCollections = $ruleCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall

The total rules from the list is 1131. The limit is 10,000 confirmed publicly by Microsoft.

In the next article we will look into automating rule update with Azure Automation Runbook in order to maintain and update malicious hosts from MDL website into Azure Firewall rule. Stay tuned!

This entry was posted in Security Automation and tagged , . Bookmark the permalink.

1 Response to Azure Firewall (Public Preview) Automation – Part 2

  1. Pingback: Azure Firewall (Public Preview) Automation – Part 3 | All about security on Microsoft Azure

Leave a Reply

Your email address will not be published. Required fields are marked *