Azure Policy is a service in Azure that you can use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy evaluates your resources for noncompliance with assigned policies. For example, you can use a policy to allow only a certain size of virtual machines in your environment or to enforce a specific tag on resources.
You can use Azure Policy to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This approach helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Policies available for Azure Firewall
The following policies are available for Azure Firewall:
| Policy | Description |
|---|---|
| Enable Threat Intelligence in Azure Firewall Policy | Marks any Azure Firewall configuration without threat intelligence enabled as noncompliant. |
| Deploy Azure Firewall across Multiple Availability Zones | Restricts Azure Firewall deployment to only allow multiple Availability Zone configurations. |
| Upgrade Azure Firewall Standard to Premium | Recommends upgrading Azure Firewall Standard to Premium to use advanced Premium features and enhance network security. |
| Azure Firewall Policy Analytics should be enabled | Ensures Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules. |
| Azure Firewall should only allow Encrypted Traffic | Audits firewall policy rules and ports to ensure only encrypted traffic is allowed into the environment. |
| Azure Firewall should have DNS Proxy Enabled | Ensures the DNS proxy feature is enabled on Azure Firewall deployments. |
| Enable IDPS in Azure Firewall Premium Policy | Ensures the IDPS feature is enabled on Azure Firewall deployments to protect against threats and vulnerabilities. |
| Enable TLS inspection on Azure Firewall Policy | Requires TLS inspection to be enabled to detect, alert, and mitigate malicious activity in HTTPS traffic. |
| Enforce Explicit Proxy Configuration for Firewall Policies | Ensures all Azure Firewall policies have explicit proxy configuration enabled by checking for the explicitProxy.enableExplicitProxy field. For the complete policy definition, see Enforce Explicit Proxy Configuration for Firewall Policies. |
| Enable PAC file configuration while using Explicit Proxy on Azure Firewall | Audits firewall policies to ensure that when explicit proxy is enabled (explicitProxy.enableExplicitProxy is true), the PAC file (explicitProxy.enablePacFile) is also enabled. For the complete policy definition, see Enable PAC file configuration while using Explicit Proxy on Azure Firewall. |
| Migrate from Azure Firewall Classic Rules to Firewall Policy | Recommends migrating from Firewall Classic Rules to Firewall Policy. |
| VNET with specific tag must have Azure Firewall Deployed | Checks all virtual networks with a specified tag for an Azure Firewall deployment and flags the configuration as noncompliant if none exists. |
The following steps show how you can create an Azure Policy that enforces all Firewall Policies to have the Threat Intelligence feature enabled (either Alert Only or Alert and deny). Set the Azure Policy scope to the resource group that you create.
Create a resource group
Set this resource group as the scope for the Azure Policy. Create the Firewall Policy in this resource group.
- From the Azure portal, select Create a resource, search for resource group, and select Resource group from the results.
- Select Create, select your subscription, type a name for your resource group, and select a region.
- Select Review + create, and then select Create.
Create an Azure Policy
Now create an Azure Policy in your new resource group. This policy ensures that any firewall policies have Threat Intelligence enabled.
- From the Azure portal, search for policy, and select Policy from the results.
- In the left menu, expand Authoring and select Definitions.
- In the search box, type firewall, and then select Azure Firewall Policy should enable Threat Intelligence.
- Select Assign policy.
- For Scope, select your subscription and your new resource group, and then select Select.
- Select Next.
- On the Parameters pane, clear the Only show parameters that need input or review check box, and then for Effect, select Deny.
- Select Review + create, then select Create.
Create a firewall policy
Now, create a firewall policy with Threat Intelligence disabled.
- From the Azure portal, select Create a resource, search for firewall policy, and select Firewall Policy from the results.
- Select Create, and then select your subscription and the resource group that you created previously.
- In the Name box, type a name for your policy.
- Go to the Threat intelligence tab.
- For Threat intelligence mode, select Disabled.
- Select Review + create.
You see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled.
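The portal walkthrough above shows the outcome (a Deny on a firewall policy with Threat Intelligence disabled) but not the shape of the rule that produces it. The following Python is an added illustration, not Azure's policy engine or a definition copied from the built-in catalog: it encodes two rules in the `if`/`then` layout of an Azure Policy definition (the Threat Intelligence rule from the walkthrough and the PAC-file-with-explicit-proxy rule from the table) and evaluates them offline against constructed firewall policy resource bodies. The field aliases `Microsoft.Network/firewallPolicies/threatIntelMode` and `.../explicitProxy.*`, the alias-to-property mapping, the `evaluate` function and the sample resources are all assumptions made for this example; the property values `Alert`, `Deny` and `Off` are the values the firewall policy API accepts for `threatIntelMode`.

```python
"""Offline evaluator for Azure Policy-style rules (added example, not Azure's engine)."""
from typing import Any

# Assumed alias -> JSON path in the resource body. Real aliases are resolved by
# Azure Resource Manager; these three are hypothetical for the illustration.
ALIASES = {
    "Microsoft.Network/firewallPolicies/threatIntelMode": "properties.threatIntelMode",
    "Microsoft.Network/firewallPolicies/explicitProxy.enableExplicitProxy":
        "properties.explicitProxy.enableExplicitProxy",
    "Microsoft.Network/firewallPolicies/explicitProxy.enablePacFile":
        "properties.explicitProxy.enablePacFile",
}

# Rule from the walkthrough: a firewall policy whose threatIntelMode is not
# Alert or Deny (i.e. Off/disabled) is noncompliant. The effect is a parameter,
# which is why the portal asks for it on the Parameters pane of the assignment.
THREAT_INTEL_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/firewallPolicies"},
        {"field": "Microsoft.Network/firewallPolicies/threatIntelMode", "notIn": ["Alert", "Deny"]},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}

# Rule from the table: explicit proxy enabled but the PAC file not enabled.
PAC_FILE_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/firewallPolicies"},
        {"field": "Microsoft.Network/firewallPolicies/explicitProxy.enableExplicitProxy", "equals": True},
        {"field": "Microsoft.Network/firewallPolicies/explicitProxy.enablePacFile", "notEquals": True},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}


def _lookup(resource: dict, field: str) -> Any:
    """Resolve a field (top-level key or alias) in the resource body; None when absent."""
    node: Any = resource
    for part in ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # missing property: treated as unset in this evaluator
        node = node[part]
    return node


def _condition(cond: dict, resource: dict) -> bool:
    """Evaluate the logical operators and field comparisons used by the two rules."""
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition: dict, resource: dict, parameters: dict) -> str:
    """Return the effect applied to the resource ('Deny', 'Audit', ...) or 'Allow' if the rule does not match."""
    if not _condition(definition["if"], resource):
        return "Allow"
    effect = definition["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        effect = parameters[effect[len("[parameters('"):-len("')]")]]
    return effect


# Constructed sample resources (not real deployments).
FWPOL_TI_OFF = {"type": "Microsoft.Network/firewallPolicies", "name": "fwpol-ti-off",
                "properties": {"threatIntelMode": "Off"}}
FWPOL_TI_ALERT = {"type": "Microsoft.Network/firewallPolicies", "name": "fwpol-ti-alert",
                  "properties": {"threatIntelMode": "Alert"}}
FWPOL_PROXY_NO_PAC = {"type": "Microsoft.Network/firewallPolicies", "name": "fwpol-proxy",
                      "properties": {"threatIntelMode": "Deny",
                                     "explicitProxy": {"enableExplicitProxy": True, "enablePacFile": False}}}
VNET = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-hub", "properties": {}}


def compliance_report(resources: list, assignments: list) -> dict:
    """Map resource name -> list of (rule name, effect) for every assignment that matches it."""
    report = {}
    for res in resources:
        hits = [(name, evaluate(rule, res, params)) for name, rule, params in assignments]
        report[res["name"]] = [(n, e) for n, e in hits if e != "Allow"]
    return report


if __name__ == "__main__":
    assignments = [("threat-intel", THREAT_INTEL_RULE, {"effect": "Deny"}),
                   ("pac-file", PAC_FILE_RULE, {"effect": "Audit"})]
    for name, hits in compliance_report([FWPOL_TI_OFF, FWPOL_TI_ALERT, FWPOL_PROXY_NO_PAC, VNET], assignments).items():
        print(name, hits or "compliant")
```

Running it shows the walkthrough's result in miniature: `fwpol-ti-off` gets `Deny` from the Threat Intelligence rule (the portal error in the last step), `fwpol-proxy` gets only an `Audit` from the PAC-file rule because its threat intelligence is set to Deny, and the virtual network is untouched because the `type` condition in the `if` block never matches. Note that a Deny effect on an assignment blocks the create or update request itself, whereas Audit only records noncompliance; pick Deny only once you have confirmed that the existing firewall policies in scope already comply, or their next update will be rejected.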
Additional Azure Policy definitions
For more Azure Policy definitions specifically designed for Azure Firewall, including policies for explicit proxy configuration, see the Azure Network Security GitHub repository. This repository contains community-contributed policy definitions that you can deploy in your environment.