Azure Firewall (Public Preview) Automation – Part 2

The previous article gave you all the available cmdlets used to create and manage Azure Firewall (Public Preview) resources along with their configuration (application and network rules).

In this article, we will look at slightly more advanced scripts focused specifically on working with Azure Firewall configurations.

Create multiple application rules

The previous article showed how to create a single rule and associate it with an application rule collection. In a real-world case, you may want to create multiple rules at the same time and associate them with a new or an existing application rule collection. To do so, you simply create a list object and add the rules to that list. See the example:

Add a rule to the existing application rule collection

In day-to-day security operations, you need to add a new application rule to an existing rule collection without affecting the existing configuration. To achieve this, use the AddRule() method on the application rule collection object. The following script shows how to add a new rule to an existing rule collection:

If you have more than one rule collection, you must retrieve the existing rule collection you want to change and add your rule to it; otherwise, a newly built rule collection will overwrite the existing one. There are two methods to get an application rule collection:

  • GetApplicationRuleCollectionByName() : retrieves a specific application rule collection by name
  • GetApplicationRuleCollectionByPriority() : retrieves a specific application rule collection by priority

The sample script shows an example in which there are two application rule collections. The new rule is created and added to a specific rule collection, while the update ( Set-AzureRmFirewall ) still retains the configuration of every application rule collection.
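The procedure above (build several rules in a list, look up the existing collection by name, add the rules, then push the firewall object back) as an added example using the AzureRM cmdlets; it is not the author's script from the post, and the resource group, firewall, collection and rule names, source range and FQDNs are assumed values.

```powershell
# Added example, not the original post's script. Names and addresses are assumed.
$rgName   = "rg-hub-network"
$fwName   = "azfw-hub"
$collName = "AllowedWebApps"   # existing application rule collection to extend

# 1. Fetch the current firewall object. All edits below happen on this local
#    copy; nothing changes in Azure until Set-AzureRmFirewall is called.
$azFw = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $rgName

# 2. Build several application rules at once in a list.
$newRules = @(
    New-AzureRmFirewallApplicationRule -Name "allow-windowsupdate" `
        -SourceAddress "10.0.1.0/24" -TargetFqdn "*.windowsupdate.com" `
        -Protocol "http:80","https:443"
    New-AzureRmFirewallApplicationRule -Name "allow-github" `
        -SourceAddress "10.0.1.0/24" -TargetFqdn "github.com" `
        -Protocol "https:443"
)

# 3. Retrieve the existing collection by name (GetApplicationRuleCollectionByPriority
#    works the same way). Building a new collection object instead would overwrite
#    the one already on the firewall.
$existingNames = $azFw.ApplicationRuleCollections | Select-Object -ExpandProperty Name
if ($existingNames -notcontains $collName) {
    throw "Application rule collection '$collName' not found on firewall '$fwName'."
}
$coll = $azFw.GetApplicationRuleCollectionByName($collName)

# 4. Append each rule, skipping names that already exist so the collection
#    never ends up with two rules of the same name.
foreach ($rule in $newRules) {
    if ($coll.Rules.Name -contains $rule.Name) {
        Write-Warning "Rule '$($rule.Name)' already exists in '$collName'; skipping."
        continue
    }
    $coll.AddRule($rule)
}

# 5. Write the whole firewall object back. Every other rule collection on
#    $azFw is sent unchanged, so sibling collections are preserved.
$azFw = Set-AzureRmFirewall -AzureFirewall $azFw

# 6. Read back and list the collection's rules to confirm the change landed.
$azFw.GetApplicationRuleCollectionByName($collName).Rules |
    Select-Object Name, SourceAddresses, TargetFqdns, Protocols | Format-Table -AutoSize
```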

Similarly, a network rule collection can be retrieved using the GetNetworkRuleCollectionByName() or GetNetworkRuleCollectionByPriority() method.

Besides adding, the following methods allow you to remove an application or network rule collection by name or priority:

  • RemoveApplicationRuleCollectionByName()
  • RemoveApplicationRuleCollectionByPriority()
  • RemoveNetworkRuleCollectionByName()
  • RemoveNetworkRuleCollectionByPriority()

Remove existing rule

In some cases you need to remove an existing rule to comply with your security policy. With the Azure Firewall cmdlets, you can use GetRuleByName() and RemoveRuleByName() on the application or network rule collection object.

The above script looks similar to the previous one, the only change being the method called.

Creating rules from an Internet list

You may sometimes wonder whether there is a list of malicious hosts to add to your Azure Firewall. If that is what you are looking for, the Malicious Domain List (MDL) is a recommended one. MDL provides a number of different formats, including csv, txt and rss. To complete this article, below is the script I quickly created to read the malicious host list here and then create rules accordingly in Azure Firewall, under an application rule collection in Deny mode.

The list yields 1,131 rules in total. The limit is 10,000, as confirmed publicly by Microsoft.

In the next article we will look at automating rule updates with an Azure Automation Runbook in order to keep the malicious hosts from the MDL website up to date in the Azure Firewall rules. Stay tuned!

© 2018 The Soldier of Fortune.