# Configure deny on threat intel for classic managed Azure Firewalls
Security · Firewall · Rule · 2020_06 · Critical
Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.
## Description

Threat intelligence-based filtering can optionally be enabled on Azure Firewall. When enabled, Azure Firewall alerts on and denies traffic to and from known malicious IP addresses and domains.

By default, Azure Firewall only alerts on triggered threat intelligence rules; it does not deny the traffic.

This rule only applies to Azure Firewalls in classic management mode. If the Azure Firewall is connected to a Secured Virtual Hub, this rule does not apply.

Classic managed Azure Firewalls are standalone. Alternatively, you can manage Azure Firewalls at scale through Firewall Manager by using firewall policies. When using firewall policies, threat intelligence is configured centrally in the policy instead of on each firewall.
## Recommendation

Consider configuring Azure Firewall to alert on and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.
## Configure with Azure template

To deploy Azure Firewalls that pass this rule:

- Set the `properties.threatIntelMode` property to `Deny`.

For example:

```json
{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2021-05-01",
  "name": "[format('{0}_classic', parameters('name'))]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "name": "AZFW_VNet"
    },
    "threatIntelMode": "Deny"
  }
}
```
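To see how this rule evaluates a template before deployment, the following is an added example (not part of the original page or the rule's own implementation) that scans the `resources` of an ARM template for classic firewalls and reports whether `threatIntelMode` is `Deny`. It assumes a classic firewall is one with the `AZFW_VNet` SKU (also assumed when `sku` is omitted), no `virtualHub`, and no attached `firewallPolicy`, since policy-managed firewalls configure threat intelligence in the policy instead. The sample template embedded below is constructed for illustration.

```python
"""Check Azure Firewall resources in an ARM template for threatIntelMode 'Deny'."""
import json

CLASSIC_SKU = "AZFW_VNet"

def is_classic(resource: dict) -> bool:
    """Classic managed firewall: VNet SKU (assumed when sku is omitted), not hub-attached, no policy."""
    props = resource.get("properties", {})
    sku = props.get("sku", {}).get("name", CLASSIC_SKU)
    if sku != CLASSIC_SKU or "virtualHub" in props:
        return False
    # Assumption: threat intel for policy-managed firewalls lives in the policy, not the firewall.
    return "firewallPolicy" not in props

def check_template(template: dict) -> list[tuple[str, str]]:
    """Return (firewall name, result) for each azureFirewalls resource in the template."""
    results = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/azurefirewalls":
            continue
        name = res.get("name", "<unnamed>")
        if not is_classic(res):
            results.append((name, "skip"))  # outside the scope of this rule
            continue
        # When the property is omitted the firewall defaults to Alert, which fails this rule.
        mode = res.get("properties", {}).get("threatIntelMode", "Alert")
        results.append((name, "pass" if mode == "Deny" else f"fail ({mode})"))
    return results

# Constructed sample template: one failing, one passing, one hub firewall outside the rule's scope.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.Network/azureFirewalls", "apiVersion": "2021-05-01", "name": "fw-default",
     "properties": {"sku": {"name": "AZFW_VNet"}}},
    {"type": "Microsoft.Network/azureFirewalls", "apiVersion": "2021-05-01", "name": "fw-deny",
     "properties": {"sku": {"name": "AZFW_VNet"}, "threatIntelMode": "Deny"}},
    {"type": "Microsoft.Network/azureFirewalls", "apiVersion": "2021-05-01", "name": "fw-hub",
     "properties": {"sku": {"name": "AZFW_Hub"}, "virtualHub": {"id": "/hub-id-placeholder"},
                    "threatIntelMode": "Alert"}}
  ]
}""")

if __name__ == "__main__":
    for name, result in check_template(SAMPLE_TEMPLATE):
        print(f"{name}: {result}")
```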
## Configure with Bicep

To deploy Azure Firewalls that pass this rule:

- Set the `properties.threatIntelMode` property to `Deny`.

For example:

```bicep
resource firewall_classic 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: '${name}_classic'
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
    }
    threatIntelMode: 'Deny'
  }
}
```
## Links

- SE:10 Monitoring and threat detection
- Azure Firewall threat intelligence-based filtering
- Azure network security overview
- Azure deployment reference