Add new parameter to Azure Firewall (#28114)

Co-authored-by: Bhumika Kaur Matharu <[email protected]>

Author: BhumikaMatharu

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -161,6 +161,14 @@ public void TestAzureFirewallCRUDEnableFatFlowLogging()
             TestRunner.RunTestScript("Test-AzureFirewallCRUDEnableFatFlowLogging");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDEnableDnstapLogging()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDEnableDnstapLogging");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -1923,6 +1923,50 @@ function Test-AzureFirewallCRUDEnableFatFlowLogging {
 }
 <#
 .SYNOPSIS
+Tests AzureFirewall EnableDnstapLogging
+#>
+function Test-AzureFirewallCRUDEnableDnstapLogging {
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+
+        # Create public ip
+        $publicip = New-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $rgname -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -EnableDnstapLogging
+
+        # Verify
+        $azFirewall = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqual true $azFirewall.EnableDnstapLogging
+
+        # Reset the EnableDnstapLogging flag
+        $azFirewall.EnableDnstapLogging = $false
+        Set-AzFirewall -AzureFirewall $azFirewall
+        $azfw = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        
+        Assert-AreEqual false $azfw.EnableDnstapLogging
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+<#
+.SYNOPSIS
 Tests AzureFirewall with Multip IPs on Virtual Hub
 #>
 function Test-AzureFirewallVirtualHubPrivateIPAddress {

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDEnableDnstapLogging.json

@@ -219,6 +219,12 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
        )]
         public SwitchParameter EnableFatFlowLogging { get; set; }
 
+        [Parameter(
+           Mandatory = false,
+           HelpMessage = "Enable Dnstap Logging. By default it is false."
+       )]
+        public SwitchParameter EnableDnstapLogging { get; set; }
+
         [Parameter(
              Mandatory = false,
              HelpMessage = "Enable UDP Log Optimization. By default it is false."
@@ -332,6 +338,7 @@ private PSAzureFirewall CreateAzureFirewall()
                     HubIPAddresses = this.HubIPAddress,
                     Zones = this.Zone == null ? null : this.Zone.ToList(),
                     EnableFatFlowLogging = (this.EnableFatFlowLogging.IsPresent ? "True" : null),
+                    EnableDnstapLogging = (this.EnableDnstapLogging.IsPresent ? "True" : null),
                     EnableUDPLogOptimization = (this.EnableUDPLogOptimization.IsPresent ? "True" : null)
                 };
 
@@ -359,6 +366,7 @@ private PSAzureFirewall CreateAzureFirewall()
                     AllowActiveFTP = (this.AllowActiveFTP.IsPresent ? "true" : null),
                     Sku = sku,
                     EnableFatFlowLogging = (this.EnableFatFlowLogging.IsPresent ? "True" : null),
+                    EnableDnstapLogging = (this.EnableDnstapLogging.IsPresent ? "True" : null),
                     EnableUDPLogOptimization = (this.EnableUDPLogOptimization.IsPresent ? "True" : null),
                     RouteServerId = this.RouteServerId
                 };

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -20,6 +20,7 @@
 
 ## Upcoming Release
 * Updated cmdlet `New-AzFirewallPolicyApplicationRule` to use HTTPS as the default protocol when creating a new FQDN Tag application rule.
+* Added `EnableDnstapLogging` parameter to `New-AzFirewall`
 
 ## Version 7.18.0
 * Added a new command which creates an object for CaptureSetting, and added properties 'FileCount', 'FileSizeInBytes', and 'SessionTimeLimitInSeconds', which helps to configure the capture setting for packet capture as well as support for it for the following cmdlets:

src/Network/Network/ChangeLog.md

@@ -1957,6 +1957,7 @@ private static void Initialize()
                             { "Network.DNS.EnableProxy", src.DNSEnableProxy },
                             { "Network.DNS.Servers", src.DNSServer?.Aggregate((result, item) => result + "," + item) },
                             { "Network.AdditionalLogs.EnableFatFlowLogging", src.EnableFatFlowLogging },
+                            { "Network.AdditionalLogs.EnableDnstapLogging", src.EnableDnstapLogging },
                             { "Network.Logging.EnableUDPLogOptimization", src.EnableUDPLogOptimization },
                             { "Network.RouteServerInfo.RouteServerID", src.RouteServerId },
                         }.Where(kvp => kvp.Value != null).ToDictionary(key => key.Key, val => val.Value);   // TODO: remove after backend code is refactored
@@ -2040,6 +2041,7 @@ private static void Initialize()
                     dest.AllowActiveFTP = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.FTP.AllowActiveFTP", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.DNSEnableProxy = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.DNS.EnableProxy", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.EnableFatFlowLogging = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.AdditionalLogs.EnableFatFlowLogging", StringComparison.OrdinalIgnoreCase)).Value;
+                    dest.EnableDnstapLogging = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.AdditionalLogs.EnableDnstapLogging", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.EnableUDPLogOptimization = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.Logging.EnableUDPLogOptimization", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.RouteServerId = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.RouteServerInfo.RouteServerID", StringComparison.OrdinalIgnoreCase)).Value;
                     try

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -87,6 +87,8 @@ public string[] PrivateRange
 
         public string EnableFatFlowLogging { get; set; }
 
+        public string EnableDnstapLogging { get; set; }
+
         public string EnableUDPLogOptimization { get; set; }
 
         public string RouteServerId { get; set; }

src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs

@@ -23,7 +23,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String>
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableUDPLogOptimization]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableDnstapLogging] [-EnableUDPLogOptimization]
  [-RouteServerId <String>] [-MinCapacity <Int32>] [-MaxCapacity <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -39,7 +39,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableUDPLogOptimization]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableDnstapLogging] [-EnableUDPLogOptimization]
  [-RouteServerId <String>] [-MinCapacity <Int32>] [-MaxCapacity <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -55,7 +55,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableUDPLogOptimization]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-EnableFatFlowLogging] [-EnableDnstapLogging] [-EnableUDPLogOptimization]
  [-RouteServerId <String>] [-MinCapacity <Int32>] [-MaxCapacity <Int32>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -381,6 +381,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableDnstapLogging
+Enable Dnstap Logging. By default it is false.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EnableUDPLogOptimization
 Enable UDP Log Optimization. By default it is false.
 

src/Network/Network/help/New-AzFirewall.md

@@ -250,6 +250,55 @@ If user wants to start the service again but with Availability Zones, the Zones
 The new VNet and Public IP must be in the same resource group as the Firewall. Again, for changes to be reflected in cloud,
 Set-AzFirewall must be called.
 
+### Example 16:	Enable Dnstap Logging on Azure Firewall
+```powershell
+$azFw = Get-AzFirewall -Name "ps184" -ResourceGroupName "ps774"
+$azFw.EnableDnstapLogging = $true
+
+$azFw | Set-AzFirewall
+```
+
+```output
+AllowActiveFTP	                : null	
+		ApplicationRuleCollections	    : Count = 0	
+		ApplicationRuleCollectionsText	: "[]"	
+		DNSEnableProxy	                : null	
+		DNSServer	                    : null	
+		DNSServersText	                : "null"	
+		Etag	                        : "W/\"7533fa1b-8588-400d-857c-6bc372e14f1b\""
+		FirewallPolicy	                : null	
+		HubIPAddresses	                : null	
+		Id	                            : "/subscriptions/aeb5b02a-0f18-45a4-86d6-81808115cacf/resourceGroups/ps774/providers/Microsoft.Network/azureFirewalls/ps184"	
+		EnableDnstapLogging	            : "true"	
+		IpConfigurations	            : Count = 0	
+		IpConfigurationsText	        : "[]"	
+		Location	                    : "eastus"	
+		ManagementIpConfiguration	    : null	
+		ManagementIpConfigurationText	: "null"	
+		Name	                        : "ps184"	
+		NatRuleCollections	            : Count = 0	
+		NatRuleCollectionsText	        : "[]"	
+		NetworkRuleCollections	        : Count = 0	
+		NetworkRuleCollectionsText	    : "[]"	
+		PrivateRange	                : null	
+		PrivateRangeText	            : "null"	
+		ProvisioningState	            : "Succeeded"	
+		ResourceGroupName	            : "ps774"	
+		ResourceGuid	                : null	
+		Sku	                            : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallSku}	
+		Tag	                            : null	
+		TagsTable	                    : null	
+		ThreatIntelMode	                : "Alert"	
+		ThreatIntelWhitelist	        : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallThreatIntelWhitelist}	
+		ThreatIntelWhitelistText	    : "{\r\n  \"FQDNs\": null,\r\n  \"IpAddresses\": null\r\n}"	
+		Type	                        : "Microsoft.Network/azureFirewalls"	
+		VirtualHub	                    : null	
+		Zones	                        : Count = 0	
+		privateRange	                : null
+```
+
+In this example, Enable Dnstap Logging is enabled on the Firewall.
+
 ## PARAMETERS
 
 ### -AsJob