The previous article covered all the cmdlets available to create and manage Azure Firewall (Public Preview) resources and their configuration (application and network rules).
In this article we look at somewhat more advanced scripts focused on working with Azure Firewall rule configuration.
Create multiple application rules
The previous article showed how to create a single rule and associate it with an application rule collection. In a real-world case you will often want to create several rules at once and associate them with a new or an existing application rule collection. To do so, build a list object holding the rules and pass the whole list to the collection. See the example:
# $azFirewall is the firewall object retrieved with Get-AzureRmFirewall (see the previous article)
$youTubeRule = New-AzureRmFirewallApplicationRule -Name YouTube `
    -SourceAddress * `
    -Protocol Http:80, Https:443 `
    -TargetFqdn *.youtube.com
$googleRule = New-AzureRmFirewallApplicationRule -Name Google `
    -SourceAddress * `
    -Protocol Http:80, Https:443 `
    -TargetFqdn *.google.com
$facebookRule = New-AzureRmFirewallApplicationRule -Name Facebook `
    -SourceAddress * `
    -Protocol Http:80, Https:443 `
    -TargetFqdn *.facebook.com

# Put the rules in a list and hand the whole list to the collection
$ruleSet = @($youTubeRule, $googleRule, $facebookRule)
$generalWebCollection = New-AzureRmFirewallApplicationRuleCollection -Name GeneralWebCollection `
    -Priority 400 `
    -Rule $ruleSet `
    -ActionType "Allow"

# Note: this assignment replaces any application rule collections already on the firewall
$azFirewall.ApplicationRuleCollections = $generalWebCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall
Add a rule to the existing application rule collection
In day-to-day security operations you will need to add a new application rule to an existing rule collection without affecting the rest of the configuration. To do this, use the AddRule() method of the application rule collection object. The following script adds a new rule to the existing rule collection:
$microsoftRule = New-AzureRmFirewallApplicationRule -Name Microsoft `
    -SourceAddress * `
    -Protocol Http:80, Https:443 `
    -TargetFqdn *.microsoft.com

# ApplicationRuleCollections is a list, so select the collection to change explicitly.
# This assumes the firewall has a single collection (the one created above).
$existingRuleCollection = $azFirewall.ApplicationRuleCollections[0]
$existingRuleCollection.AddRule($microsoftRule)

# The collection object is modified in place, so updating the firewall persists the new rule
Set-AzureRmFirewall -AzureFirewall $azFirewall
If the firewall has more than one rule collection, you must retrieve all of the existing collections and add your rule to the right one; otherwise assigning a single new collection to ApplicationRuleCollections overwrites the existing ones. There are two methods for retrieving an application rule collection:
- GetApplicationRuleCollectionByName() : retrieves a specific application rule collection by name
- GetApplicationRuleCollectionByPriority() : retrieves a specific application rule collection by priority
The sample script below shows a firewall with two application rule collections. A new rule is created and added to one specific collection, and the update (Set-AzureRmFirewall) still retains the configuration of every application rule collection.
# Retrieve both existing collections by name so neither is lost on update
$blacklistCollection = $azFirewall.GetApplicationRuleCollectionByName('blacklist')
$generalwebCollection = $azFirewall.GetApplicationRuleCollectionByName('GeneralWebCollection')

$blrule01 = New-AzureRmFirewallApplicationRule -Name web02 `
    -SourceAddress * `
    -Protocol Http:80, Https:443 `
    -TargetFqdn *.xyz01.com

# Add the rule only to the blacklist collection
$blacklistCollection.AddRule($blrule01)

# Assign both collections back so the update keeps the full configuration
$updatedCollection = @($blacklistCollection, $generalwebCollection)
$azFirewall.ApplicationRuleCollections = $updatedCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall
Network rule collections can be retrieved the same way with GetNetworkRuleCollectionByName() or GetNetworkRuleCollectionByPriority().
Besides adding, the firewall object also provides methods to remove an application or network rule collection by name or priority:
- RemoveApplicationRuleCollectionByName()
- RemoveApplicationRuleCollectionByPriority()
- RemoveNetworkRuleCollectionByName()
- RemoveNetworkRuleCollectionByPriority()
Remove existing rule
In some cases you will need to remove an existing rule to comply with your security policy. For this, the application/network rule collection objects expose GetRuleByName() and RemoveRuleByName().
# Retrieve both existing collections by name so neither is lost on update
$blacklistCollection = $azFirewall.GetApplicationRuleCollectionByName('blacklist')
$generalwebCollection = $azFirewall.GetApplicationRuleCollectionByName('GeneralWebCollection')

# Remove the rule named web02 from the blacklist collection only
$blacklistCollection.RemoveRuleByName('web02')

# Assign both collections back so the update keeps the full configuration
$updatedCollection = @($blacklistCollection, $generalwebCollection)
$azFirewall.ApplicationRuleCollections = $updatedCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall
The script is the same as the previous one except that RemoveRuleByName() is called instead of AddRule().
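The add-to-collection and remove-rule scripts above fail if the collection or rule name does not exist, or if a rule of the same name is added twice (rule names within a collection must be unique, so the duplicate is rejected locally or when Set-AzureRmFirewall runs). The following is an added example, not code from the original article, that wraps the same GetApplicationRuleCollectionByName(), GetRuleByName(), AddRule() and RemoveRuleByName() methods in idempotent helpers, so that a scheduled job can be re-run safely and the firewall is updated once at the end. It assumes $azFirewall was retrieved with Get-AzureRmFirewall, and assumes (as the AzureRM.Network object model does) that the Get*ByName() methods throw when the name is not present and that the collection returned is the one held in the firewall's ApplicationRuleCollections list. The collection names and the rule are illustrative, as in the scripts above.

```powershell
# Added example (not from the original article). Assumes $azFirewall came from
# Get-AzureRmFirewall and that Get*ByName() methods throw when a name is absent.

function Get-AppRuleCollectionOrNull {
    param([Parameter(Mandatory)] $Firewall, [Parameter(Mandatory)][string] $CollectionName)
    try   { return $Firewall.GetApplicationRuleCollectionByName($CollectionName) }
    catch { return $null }
}

function Test-AppRuleExists {
    param([Parameter(Mandatory)] $Collection, [Parameter(Mandatory)][string] $RuleName)
    try   { $null -ne $Collection.GetRuleByName($RuleName) }
    catch { $false }
}

function Add-AppRuleIdempotent {
    <# Adds $Rule to $CollectionName unless a rule of that name is already there.
       Returns $true when the firewall object was changed and needs Set-AzureRmFirewall. #>
    param(
        [Parameter(Mandatory)] $Firewall,
        [Parameter(Mandatory)][string] $CollectionName,
        [Parameter(Mandatory)] $Rule
    )
    $collection = Get-AppRuleCollectionOrNull -Firewall $Firewall -CollectionName $CollectionName
    if ($null -eq $collection) {
        throw "Application rule collection '$CollectionName' does not exist on $($Firewall.Name)"
    }
    if (Test-AppRuleExists -Collection $collection -RuleName $Rule.Name) {
        Write-Verbose "Rule '$($Rule.Name)' already present in '$CollectionName'; nothing to do"
        return $false
    }
    # AddRule() modifies the collection object held by $Firewall in place (assumption:
    # GetApplicationRuleCollectionByName returns a reference, not a copy), so the other
    # collections on the firewall are untouched and no reassignment is needed.
    $collection.AddRule($Rule)
    return $true
}

function Remove-AppRuleIdempotent {
    <# Removes $RuleName from $CollectionName if present. Returns $true when something changed. #>
    param(
        [Parameter(Mandatory)] $Firewall,
        [Parameter(Mandatory)][string] $CollectionName,
        [Parameter(Mandatory)][string] $RuleName
    )
    $collection = Get-AppRuleCollectionOrNull -Firewall $Firewall -CollectionName $CollectionName
    if ($null -eq $collection) { return $false }
    if (-not (Test-AppRuleExists -Collection $collection -RuleName $RuleName)) { return $false }
    $collection.RemoveRuleByName($RuleName)
    return $true
}

# Usage: stage all changes against the local object, then push once.
$blrule01 = New-AzureRmFirewallApplicationRule -Name web02 -SourceAddress * `
    -Protocol Http:80, Https:443 -TargetFqdn *.xyz01.com
$changed = $false
$changed = (Add-AppRuleIdempotent -Firewall $azFirewall -CollectionName 'blacklist' -Rule $blrule01) -or $changed
$changed = (Remove-AppRuleIdempotent -Firewall $azFirewall -CollectionName 'GeneralWebCollection' -RuleName 'Facebook') -or $changed
if ($changed) { Set-AzureRmFirewall -AzureFirewall $azFirewall }
```

Batching every change into one Set-AzureRmFirewall call matters operationally: each update of the firewall resource is a long-running deployment, and a script that calls Set-AzureRmFirewall per rule is both slow and more likely to be interrupted halfway through a change set.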
Creating rules from an Internet list
You may at some point wonder whether there is a ready-made list of malicious hosts to feed into your Azure Firewall. If so, the Malware Domain List (MDL) is a good candidate; MDL provides the list in several formats including csv, txt and rss. Note that MDL serves the list over plain HTTP, so the download is neither authenticated nor integrity-protected: anything an on-path attacker inserts into it becomes a firewall rule, and entries that are not valid host names will make the update fail. To round off this article, below is a script I put together quickly to read the malicious hosts list from the URL shown and create a corresponding rule for each host in Azure Firewall, in an application rule collection with the Deny action.
$fwName = "fw01"
$rgName = 'pentest-rg'
# UTC timestamp on a 24-hour clock, so the file name really is the Z (UTC) form it claims
$last_updated = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$rule_file_path = "D:\Dev\azFirewall\bl"
$cleaned_file_name = "$rule_file_path" + "$last_updated" + ".txt"

$azFirewall = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $rgName
if (!$azFirewall) {
    throw "Target Azure Firewall resource not found"
} else {
    Write-Output $azFirewall.Name
}

# Download and process the host list.
# Caveat: the list is served over plain HTTP, so treat it as untrusted input.
Invoke-WebRequest http://www.malwaredomainlist.com/hostslist/hosts.txt -OutFile $cleaned_file_name
$rawList = Get-Content -Path $cleaned_file_name | Select-Object -Skip 6
$cleanedList = $rawList

# Create multiple rules
$ruleset = @()
Foreach ($hostList in $cleanedList) {
    # Strip the leading "127.0.0.1" and surrounding whitespace, leaving the host name.
    # A regex is used instead of .Trim("127.0.0.1"): Trim() removes a set of characters,
    # not a string, and would mangle host names that start with 0, 1, 2, 7 or a dot.
    $blockUrl = ($hostList -replace '^\s*127\.0\.0\.1\s+', '').Trim()
    if ([string]::IsNullOrWhiteSpace($blockUrl) -or $blockUrl.StartsWith('#')) { continue }
    $ruleset += New-AzureRmFirewallApplicationRule -Name $blockUrl `
        -SourceAddress * `
        -Protocol Http:80, Https:443 `
        -TargetFqdn $blockUrl -Verbose
}

# Create a new application rule collection. Priority 300 is evaluated before the
# Allow collection at priority 400 created earlier (lower number = higher priority).
$ruleCollection = New-AzureRmFirewallApplicationRuleCollection -Name MDLHost `
    -Priority 300 `
    -Rule $ruleset `
    -ActionType "Deny"

# This assignment replaces any existing application rule collections; retrieve and
# re-add them as shown in the previous sections if they must be kept.
$azFirewall.ApplicationRuleCollections = $ruleCollection
Set-AzureRmFirewall -AzureFirewall $azFirewall
This list produced 1131 rules. Microsoft has publicly confirmed a limit of 10,000 rules.
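The script above trusts the downloaded file almost completely: it skips a fixed number of header lines, does not handle comments, duplicates or lines listing several names after the address, and passes whatever is left straight into a rule name and target FQDN. The following is an added example, not from the original article, of a stricter parser for the hosts.txt format together with a check against the 10,000-rule limit quoted above. The input is a constructed sample embedded in the script (not real MDL content) so the parsing can be exercised offline; the function names, the FQDN pattern and the sample lines are my own choices, and the live-use lines at the end are commented out because they need an Azure context.

```powershell
# Added example (not from the original article). Stricter parsing of the MDL
# hosts.txt format before anything is turned into a firewall rule.

function ConvertFrom-HostsList {
    <# Turns hosts-file lines ("127.0.0.1  host" plus comments) into a deduplicated,
       validated list of FQDNs. Lines that do not look like a host entry are skipped
       and reported, rather than silently becoming a broken rule. #>
    param([Parameter(Mandatory)][string[]] $Lines)

    # DNS label: letters/digits/hyphens, max 63 chars, not starting or ending in a hyphen.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    $fqdnPattern = '^(?:{0}\.)+{0}$' -f $label     # at least two labels
    $seen = @{}
    $result = New-Object System.Collections.Generic.List[string]

    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()  # drop comments and whitespace (also a stray \r)
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2 -or $fields[0] -ne '127.0.0.1') {
            Write-Warning "Skipping unexpected line: '$raw'"
            continue
        }
        # A hosts line may list several names after the address
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $name = $name.ToLowerInvariant()
            if ($name -eq 'localhost') { continue }      # the list's own loopback entry, not malicious
            if ($name -notmatch $fqdnPattern) {
                Write-Warning "Skipping invalid host name: '$name'"
                continue
            }
            if (-not $seen.ContainsKey($name)) { $seen[$name] = $true; $result.Add($name) }
        }
    }
    return $result
}

function New-DenyRulesFromHosts {
    <# Builds one application rule per FQDN, using the FQDN as the (unique) rule name
       as the article's script does, and refuses lists above the rule limit. #>
    param([Parameter(Mandatory)][string[]] $Hosts, [int] $RuleLimit = 10000)
    if ($Hosts.Count -gt $RuleLimit) {
        throw "List has $($Hosts.Count) hosts, above the $RuleLimit-rule limit; split it before loading"
    }
    foreach ($h in $Hosts) {
        New-AzureRmFirewallApplicationRule -Name $h -SourceAddress * `
            -Protocol Http:80, Https:443 -TargetFqdn $h
    }
}

# Constructed sample input (not real MDL content): a header comment, the localhost
# entry, a tab separator, a trailing comment, a digit-leading host that the
# Trim("127.0.0.1") approach would mangle, a case-only duplicate, an invalid name
# and a garbage line.
$sample = @(
    '# MalwareDomainList.com Hosts List (constructed sample)',
    '127.0.0.1  localhost',
    "127.0.0.1`t0-0.example.net",
    '127.0.0.1  bad.example.com   # trailing comment',
    '127.0.0.1  BAD.example.com',
    '127.0.0.1  bad_host.example',
    'this line is garbage'
)
$hosts = ConvertFrom-HostsList -Lines $sample
# $hosts is 0-0.example.net and bad.example.com; the last two lines produce warnings.

# Live use (needs an Azure context): parse the downloaded file instead of $sample,
# then build the Deny collection exactly as in the script above.
# $hosts = ConvertFrom-HostsList -Lines (Get-Content -Path $cleaned_file_name)
# $rules = New-DenyRulesFromHosts -Hosts $hosts
# $ruleCollection = New-AzureRmFirewallApplicationRuleCollection -Name MDLHost -Priority 300 -Rule $rules -ActionType Deny
```

Validating the host names before they become rules is the practical defence against the plain-HTTP download: a tampered or malformed entry is reported and dropped instead of either failing the whole Set-AzureRmFirewall update or silently creating a rule that matches nothing.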
In the next article we will look at automating rule updates with an Azure Automation Runbook, so that the malicious hosts from the MDL site are kept current in the Azure Firewall rules. Stay tuned!