
Threat intelligence-based filtering

Security · Firewall · Rule · 2023_09 · Critical

Deny high confidence malicious IP addresses, domains and URLs.

Description

Threat intelligence-based filtering can optionally be enabled on Azure Firewall by associating one or more firewall policies that have threat intelligence-based filtering configured.

When configured, Azure Firewall alerts on and denies traffic to and from known malicious IP addresses, domains and URLs.

By default, threat intelligence-based filtering is enabled in alert mode on each policy unless otherwise specified.

When threat intelligence-based filtering is configured in alert and deny mode, it may deny traffic before any configured rules are processed.

Recommendation

Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.

Configure with Azure template

To deploy Azure Firewall policies that pass this rule:

  • Set the properties.threatIntelMode property to Deny.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Network/firewallPolicies",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "tier": "Premium"
    },
    "threatIntelMode": "Deny"
  }
}
```
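As an added example (not part of the PSRule for Azure documentation or the project's own rule code), a small Python check that applies this rule's logic to an exported ARM template: every `Microsoft.Network/firewallPolicies` resource must set `properties.threatIntelMode` to `Deny`, and a policy that omits the property is treated as the service default (`Alert`) and therefore fails. The template embedded below is constructed for the example.

```python
import json

# Constructed sample ARM template: one compliant policy, two that fail,
# plus an unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2023-04-01",
            "name": "policy-deny",
            "properties": {"sku": {"tier": "Premium"}, "threatIntelMode": "Deny"},
        },
        {
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2023-04-01",
            "name": "policy-default",
            "properties": {"sku": {"tier": "Standard"}},  # threatIntelMode omitted
        },
        {
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2023-04-01",
            "name": "policy-alert",
            "properties": {"threatIntelMode": "Alert"},
        },
        {"type": "Microsoft.Network/azureFirewalls", "name": "fw", "properties": {}},
    ]
})

FIREWALL_POLICY_TYPE = "microsoft.network/firewallpolicies"
DEFAULT_MODE = "Alert"  # service default when threatIntelMode is not set


def threat_intel_mode(resource: dict) -> str:
    """Return the effective threatIntelMode of a firewall policy resource."""
    props = resource.get("properties") or {}
    return str(props.get("threatIntelMode", DEFAULT_MODE))


def check_template(template_text: str) -> dict:
    """Map each firewallPolicies resource name to True when it passes (mode is Deny)."""
    template = json.loads(template_text)
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != FIREWALL_POLICY_TYPE:
            continue  # resource types other than firewall policies are out of scope
        results[res["name"]] = threat_intel_mode(res).lower() == "deny"
    return results


def failing_policies(template_text: str) -> list:
    """Sorted names of firewall policies that do not deny threat-intelligence hits."""
    return sorted(name for name, ok in check_template(template_text).items() if not ok)


if __name__ == "__main__":
    for name, ok in check_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```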

Configure with Bicep

To deploy Azure Firewall policies that pass this rule:

  • Set the properties.threatIntelMode property to Deny.

For example:

Azure Bicep snippet

```bicep
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: name
  location: location
  properties: {
    sku: {
      tier: 'Premium'
    }
    threatIntelMode: 'Deny'
  }
}
```

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/firewall-policy:<version>

To use the latest version:

br/public:avm/res/network/firewall-policy:0.2.0

Notes

The Azure Firewall Premium SKU is required for associating standalone firewall policy resources. Only Standard and Premium firewall policies support threat intelligence-based filtering in alert and deny mode.

In order to take advantage of URL filtering with HTTPS traffic included in threat intelligence-based filtering, TLS inspection must be configured first.
