You may already know Azure Firewall, the managed, cloud-based network security solution protecting your Azure virtual network resources.
Well, good news, you can now have a central configuration and management point for Azure Firewall, called Azure Firewall Manager, to help you manage your cloud-based security perimeters.
Azure Firewall Manager works with Azure Virtual WAN Hub (see https://docs.microsoft.com/en-in/azure/virtual-wan/virtual-wan-about#resources to learn more about it).
With Azure Firewall Manager you can deploy and manage from a central point multiple Azure Firewall instances across different Azure regions, while being able to integrate with third-party services (like zScaler).
During the public preview, Azure Firewall Manager is available in the following regions:
- West Europe
- North Europe
- France Central
- France South
- UK South
- UK West
- Australia East
- Australia Central
- Australia Central 2
- Australia Southeast
- Canada Central
- East US
- West US
- East US 2
- South Central US
- West US 2
- Central US
- North Central US
- West Central US
To start using it, you must first register the required network provider feature using the command below (here I'm using the Cloud Shell, so I don't need to connect to Azure first):
Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network
It may take up to 30 minutes to get it registered.
If you have multiple subscriptions in which you want to register it, you will need to switch subscription and run the above command again:
Set-AzureRmContext -SubscriptionId <your subscription id>
Once registered, you can create a new Azure Firewall Manager by searching for "Azure Firewall Manager".
From there you can create:
- New Azure Firewall Policies
- New Secured Virtual Hub
- Convert existing Hubs
You can migrate your existing Azure Firewall configuration to an Azure Firewall Policy using the script below:
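# Migration inputs: replace the four placeholders before running the script.
$FirewallName = "<your Azure Firewall name>"
$ResourceGroupName = "<your resource group where the Azure Firewall is hosted>"
$PolicyName = "<your Azure Policy Name>"
$Location = "<the Azure region>"

# Names of the three rule collection groups created in the new policy.
$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"

# Priorities assigned to those groups (NAT 100, Network 200, Application 300).
$ApplicationRuleGroupPriority = 300
$NetworkRuleGroupPriority = 200
$NatRuleGroupPriority = 100

#Helper functions for translating ApplicationProtocol and ApplicationRule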
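#######################################
# Renders a classic Azure Firewall protocol list as "Type:Port,Type:Port".
# Arguments: $Protocols - objects exposing ProtocolType and Port
# Returns:   the comma-separated string, or "" for an empty list
#            (the original Substring(0, Length-1) threw on an empty list)
#######################################
Function GetApplicationProtocolsString
{
    Param([Object[]] $Protocols)
    $items = @()
    ForEach ($protocol in $Protocols) {
        $items += ($protocol.ProtocolType + ":" + $protocol.Port)
    }
    return ($items -join ",")
}

#######################################
# Quotes values for inclusion in a command string.
# Arguments: $Values - one or more values
# Returns:   each value wrapped in single quotes (embedded quotes doubled),
#            joined with commas so a multi-valued property becomes one array
#            argument. Needed because the caller executes the resulting string
#            with Invoke-Expression: a rule name or description is data read
#            from the firewall resource and must not be parsed as code.
#######################################
Function QuoteCmdArgument
{
    Param([Object[]] $Values)
    $quoted = @()
    ForEach ($value in $Values) {
        $quoted += ("'" + ([string]$value).Replace("'", "''") + "'")
    }
    return ($quoted -join ",")
}

#######################################
# Builds the New-AzFirewallPolicyApplicationRule command line for one classic
# application rule.
# Arguments: $ApplicationRule - object with Name, SourceAddresses, Description,
#            TargetFqdns, Protocols and FqdnTags
# Returns:   the command as a string; the caller runs it with Invoke-Expression.
#            Multi-valued properties are emitted as comma-separated quoted lists;
#            the original concatenated them with spaces, which Invoke-Expression
#            then read as extra positional arguments.
#######################################
Function GetApplicationRuleCmd
{
    Param([Object] $ApplicationRule)
    $cmd = "New-AzFirewallPolicyApplicationRule"
    $cmd += " -Name " + (QuoteCmdArgument $ApplicationRule.Name)
    $cmd += " -SourceAddress " + (QuoteCmdArgument $ApplicationRule.SourceAddresses)
    if ($ApplicationRule.Description) {
        $cmd += " -Description " + (QuoteCmdArgument $ApplicationRule.Description)
    }
    if ($ApplicationRule.TargetFqdns) {
        # Split the "Type:Port,Type:Port" string back into one quoted item per protocol.
        $protocols = (GetApplicationProtocolsString $ApplicationRule.Protocols).Split(",")
        $cmd += " -Protocol " + (QuoteCmdArgument $protocols)
        $cmd += " -TargetFqdn " + (QuoteCmdArgument $ApplicationRule.TargetFqdns)
    }
    if ($ApplicationRule.FqdnTags) {
        $cmd += " -FqdnTag " + (QuoteCmdArgument $ApplicationRule.FqdnTags)
    }
    return $cmd
}

# Source firewall. Stop if it cannot be read, so that no policy is built from $null.
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName -ErrorAction Stop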
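Write-Host "creating empty firewall policy"
# The new policy only carries over the threat-intel mode here; rule collection groups are added below.
$fwp = New-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName -Location $Location -ThreatIntelMode $azfw.ThreatIntelMode -ErrorAction Stop
Write-Host $fwp.Name "created"
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
#Translate ApplicationRuleCollection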
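If ($azfw.ApplicationRuleCollections.Count -gt 0) {
    $firewallPolicyAppRuleCollections = @()
    ForEach ($appRc in $azfw.ApplicationRuleCollections) {
        If ($appRc.Rules.Count -gt 0) {
            Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
            $firewallPolicyAppRules = @()
            ForEach ($appRule in $appRc.Rules) {
                # Build the parameters as a hashtable and splat them rather than
                # composing a command string for Invoke-Expression: rule names and
                # descriptions are data read from the firewall and must not be
                # parsed as code. Lists are passed through unchanged.
                $ruleParams = @{
                    Name          = $appRule.Name
                    SourceAddress = $appRule.SourceAddresses
                }
                if ($appRule.Description) {
                    $ruleParams.Description = $appRule.Description
                }
                if ($appRule.TargetFqdns) {
                    # One "Type:Port" entry per protocol, same format the classic rule used.
                    $protocols = @()
                    ForEach ($protocol in $appRule.Protocols) {
                        $protocols += ($protocol.ProtocolType + ":" + $protocol.Port)
                    }
                    $ruleParams.Protocol = $protocols
                    $ruleParams.TargetFqdn = $appRule.TargetFqdns
                }
                if ($appRule.FqdnTags) {
                    $ruleParams.FqdnTag = $appRule.FqdnTags
                }
                $firewallPolicyAppRule = New-AzFirewallPolicyApplicationRule @ruleParams
                Write-Host "Created appRule " $firewallPolicyAppRule.Name
                $firewallPolicyAppRules += $firewallPolicyAppRule
            }
            $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRc.Name -Priority $appRc.Priority -ActionType $appRc.Action.Type -Rule $firewallPolicyAppRules
            Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
            # Append inside the If: a source collection with no rules must not re-add
            # the previous iteration's collection (or $null on the first pass).
            $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
        }
    }
    $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
}
#Translate NetworkRuleCollection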
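Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0) {
    $firewallPolicyNetRuleCollections = @()
    ForEach ($rc in $azfw.NetworkRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
            $firewallPolicyNetRules = @()
            ForEach ($rule in $rc.Rules) {
                # Network rules map one-to-one; the address, port and protocol lists are passed as read.
                $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created network rule " $firewallPolicyNetRule.Name
                $firewallPolicyNetRules += $firewallPolicyNetRule
            }
            $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
            Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
            # Append inside the If: a source collection with no rules must not re-add
            # the previous iteration's collection (or $null on the first pass).
            $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
        }
    }
    $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
}
#Translate NatRuleCollection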
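# Hierarchy for NAT rule collections is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule has its own set of source, dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a set of rules which carry one condition (source and dest IPs and ports), and the translated IP and port
# are part of the NatRuleCollection itself.
# So when translating NAT rules we create a separate rule collection for each AZFW rule, and every rule collection holds only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " nat rule collections"
If ($azfw.NatRuleCollections.Count -gt 0) {
    $firewallPolicyNatRuleCollections = @()
    # Each generated one-rule collection needs its own priority: start at 100 and count up in source order.
    $priority = 100
    ForEach ($rc in $azfw.NatRuleCollections) {
        If ($rc.Rules.Count -gt 0) {
            Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
            ForEach ($rule in $rc.Rules) {
                # The match condition of the classic NAT rule becomes the single network rule of the new collection.
                $firewallPolicyNatRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
                Write-Host "Created nat rule " $firewallPolicyNatRule.Name
                # Collection name = classic collection name + rule name, intended to keep the generated collections distinct.
                $natRuleCollectionName = $rc.Name + $rule.Name
                # Translated address and port move from the rule to the collection.
                $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRule -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort
                $priority += 1
                Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
                $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
            }
        }
    }
    $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
    Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
}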