bugs fix in migrate-to-policy script

NiviShenker · web-flow · commit 3ff3d0a7494a · 2022-09-14T10:29:56.000+03:00
Made the following changes:

NAT rules now support IP groups source
Invalid character (') handling
diff --git a/articles/firewall-manager/migrate-to-policy.md b/articles/firewall-manager/migrate-to-policy.md
@@ -31,14 +31,7 @@ $FirewallName = "azfw"
 $FirewallPolicyResourceGroup = "AzFWPolicyRG"
 $FirewallPolicyName = "fwpolicy"
 $FirewallPolicyLocation = "WestEurope"
-
-$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
-$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
-$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
-$ApplicationRuleGroupPriority = 300
-$NetworkRuleGroupPriority = 200
-$NatRuleGroupPriority = 100
-
+	@@ -43,141 +44,186 @@ $InvalidCharsPattern = "[']"
 #Helper functions for translating ApplicationProtocol and ApplicationRule
 Function GetApplicationProtocolsString
 {
@@ -50,14 +43,12 @@ Function GetApplicationProtocolsString
   }
   return $output.Substring(0, $output.Length - 1)
 }
-
 Function GetApplicationRuleCmd
 {
   Param([Object] $ApplicationRule)
-
   $cmd = "New-AzFirewallPolicyApplicationRule"
-  $cmd = $cmd + " -Name " + "'" + $($ApplicationRule.Name) + "'"
-
+  $parsedName = ParseRuleName($ApplicationRule.Name)
+  $cmd = $cmd + " -Name " + "'" + $parsedName + "'"
   if ($ApplicationRule.SourceAddresses)
   {
     $ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
@@ -68,7 +59,6 @@ Function GetApplicationRuleCmd
     $ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
     $cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
   }
-
   if ($ApplicationRule.Description)
  {
     $cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
@@ -77,32 +67,40 @@ Function GetApplicationRuleCmd
   {
     $protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
     $cmd = $cmd + " -Protocol " + $protocols
-
     $AppRule = $($ApplicationRule.TargetFqdns) -join ","
     $cmd = $cmd + " -TargetFqdn " + $AppRule
-
   }
   if ($ApplicationRule.FqdnTags)
   {
     $cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
   }
-
   return $cmd
 }
-
+Function ParseRuleName
+{
+	Param([Object] $RuleName)
+	if ($RuleName -match $InvalidCharsPattern) {
+		$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
+		Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Cyan
+		return $newRuleName 
+	}
+	return $RuleName
+}
 If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
 {
   New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
 }
-
 $azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
-
 Write-Host "creating empty firewall policy"
-$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
-$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
+if ($azfw.DNSEnableProxy) {
+  $fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
+  $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
+}
+else {
+  $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
+}
 Write-Host $fwp.Name "created"
 Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
-
 #Translate ApplicationRuleCollection
 If ($azfw.ApplicationRuleCollections.Count -gt 0)
 {
@@ -128,7 +126,6 @@ If ($azfw.ApplicationRuleCollections.Count -gt 0)
   $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
   Write-Host "Created ApplicationRuleCollectionGroup "  $appRuleGroup.Name
 }
-
 #Translate NetworkRuleCollection
 Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
 If ($azfw.NetworkRuleCollections.Count -gt 0)
@@ -142,34 +139,35 @@ If ($azfw.NetworkRuleCollections.Count -gt 0)
       $firewallPolicyNetRules = @()
       ForEach ($rule in $rc.Rules)
       {
+        $parsedName = ParseRuleName($rule.Name)
         If ($rule.SourceAddresses)
         {
           If ($rule.DestinationAddresses)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
           elseif ($rule.DestinationIpGroups)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
           elseif ($rule.DestinationFqdns)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
         }
         elseif ($rule.SourceIpGroups)
         {
           If ($rule.DestinationAddresses)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
           elseif ($rule.DestinationIpGroups)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
           elseif ($rule.DestinationFqdns)
           {
-            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+            $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
         }
         Write-Host "Created network rule " $firewallPolicyNetRule.Name
@@ -183,15 +181,13 @@ If ($azfw.NetworkRuleCollections.Count -gt 0)
   $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
   Write-Host "Created NetworkRuleCollectionGroup "  $netRuleGroup.Name
 }
-
 #Translate NatRuleCollection
 # Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
 # where each NatRule will have its own set of source , dest, translated IPs and ports.
 # In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
 # as part of NatRuleCollection.
 # So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
-
-Write-Host "creating " $azfw.NatRuleCollections.Count " network rule collections"
+Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
 If ($azfw.NatRuleCollections.Count -gt 0)
 {
   $firewallPolicyNatRuleCollections = @()
@@ -202,23 +198,30 @@ If ($azfw.NatRuleCollections.Count -gt 0)
     If ($rc.Rules.Count -gt 0)
     {
       Write-Host "creating " $rc.Rules.Count " nat rules for collection "  $rc.Name
-      ForEach ($rule in $rc.Rules)
-      {
-        $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-        Write-Host "Created nat rule " $firewallPolicyNatRule.Name
+      
+      ForEach ($rule in $rc.Rules) 
+			{
+				$parsedName = ParseRuleName($rule.Name)
+				If ($rule.SourceAddresses)
+	@@ -188,18 +234,19 @@ If ($azfw.NatRuleCollections.Count -gt 0) {
+				{
+					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+				}
+				Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
         $firewallPolicyNatRules += $firewallPolicyNatRule
       }
-      $natRuleCollectionName = $rc.Name + $rule.Name
+      
+      $natRuleCollectionName = $rc.Name
       $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
       $priority += 1
-      Write-Host "Created NatRuleCollection "  $fwpNatRuleCollection.Name
+      Write-Host "Created NAT RuleCollection "  $fwpNatRuleCollection.Name
       $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
     }
   }
   $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
-  Write-Host "Created NatRuleCollectionGroup "  $natRuleGroup.Name
+  Write-Host "Created NAT RuleCollectionGroup "  $natRuleGroup.Name
 }
 ```
 ## Next steps
 
-Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).
+Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).

Original file line number	Diff line number	Diff line change
`@@ -31,14 +31,7 @@ $FirewallName = "azfw"`
`31`	`31`	`$FirewallPolicyResourceGroup = "AzFWPolicyRG"`
`32`	`32`	`$FirewallPolicyName = "fwpolicy"`
`33`	`33`	`$FirewallPolicyLocation = "WestEurope"`
`34`		`-`
`35`		`-$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"`
`36`		`-$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"`
`37`		`-$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"`
`38`		`-$ApplicationRuleGroupPriority = 300`
`39`		`-$NetworkRuleGroupPriority = 200`
`40`		`-$NatRuleGroupPriority = 100`
`41`		`-`
	`34`	`+ @@ -43,141 +44,186 @@ $InvalidCharsPattern = "[']"`
`42`	`35`	`#Helper functions for translating ApplicationProtocol and ApplicationRule`
`43`	`36`	`Function GetApplicationProtocolsString`
`44`	`37`	`{`
`@@ -50,14 +43,12 @@ Function GetApplicationProtocolsString`
`50`	`43`	`}`
`51`	`44`	`return $output.Substring(0, $output.Length - 1)`
`52`	`45`	`}`
`53`		`-`
`54`	`46`	`Function GetApplicationRuleCmd`
`55`	`47`	`{`
`56`	`48`	`Param([Object] $ApplicationRule)`
`57`		`-`
`58`	`49`	`$cmd = "New-AzFirewallPolicyApplicationRule"`
`59`		`- $cmd = $cmd + " -Name " + "'" + $($ApplicationRule.Name) + "'"`
`60`		`-`
	`50`	`+ $parsedName = ParseRuleName($ApplicationRule.Name)`
	`51`	`+ $cmd = $cmd + " -Name " + "'" + $parsedName + "'"`
`61`	`52`	`if ($ApplicationRule.SourceAddresses)`
`62`	`53`	`{`
`63`	`54`	`$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","`
`@@ -68,7 +59,6 @@ Function GetApplicationRuleCmd`
`68`	`59`	`$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","`
`69`	`60`	`$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups`
`70`	`61`	`}`
`71`		`-`
`72`	`62`	`if ($ApplicationRule.Description)`
`73`	`63`	`{`
`74`	`64`	`$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"`
`@@ -77,32 +67,40 @@ Function GetApplicationRuleCmd`
`77`	`67`	`{`
`78`	`68`	`$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)`
`79`	`69`	`$cmd = $cmd + " -Protocol " + $protocols`
`80`		`-`
`81`	`70`	`$AppRule = $($ApplicationRule.TargetFqdns) -join ","`
`82`	`71`	`$cmd = $cmd + " -TargetFqdn " + $AppRule`
`83`		`-`
`84`	`72`	`}`
`85`	`73`	`if ($ApplicationRule.FqdnTags)`
`86`	`74`	`{`
`87`	`75`	`$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"`
`88`	`76`	`}`
`89`		`-`
`90`	`77`	`return $cmd`
`91`	`78`	`}`
`92`		`-`
	`79`	`+Function ParseRuleName`
	`80`	`+{`
	`81`	`+ Param([Object] $RuleName)`
	`82`	`+ if ($RuleName -match $InvalidCharsPattern) {`
	`83`	`+ $newRuleName = $RuleName -split $InvalidCharsPattern -join ""`
	`84`	`+ Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Cyan`
	`85`	`+ return $newRuleName`
	`86`	`+ }`
	`87`	`+ return $RuleName`
	`88`	`+}`
`93`	`89`	`If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))`
`94`	`90`	`{`
`95`	`91`	`New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation`
`96`	`92`	`}`
`97`		`-`
`98`	`93`	`$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup`
`99`		`-`
`100`	`94`	`Write-Host "creating empty firewall policy"`
`101`		`-$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy`
`102`		`-$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force`
	`95`	`+if ($azfw.DNSEnableProxy) {`
	`96`	`+ $fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy`
	`97`	`+ $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force`
	`98`	`+}`
	`99`	`+else {`
	`100`	`+ $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode`
	`101`	`+}`
`103`	`102`	`Write-Host $fwp.Name "created"`
`104`	`103`	`Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"`
`105`		`-`
`106`	`104`	`#Translate ApplicationRuleCollection`
`107`	`105`	`If ($azfw.ApplicationRuleCollections.Count -gt 0)`
`108`	`106`	`{`
`@@ -128,7 +126,6 @@ If ($azfw.ApplicationRuleCollections.Count -gt 0)`
`128`	`126`	`$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp`
`129`	`127`	`Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name`
`130`	`128`	`}`
`131`		`-`
`132`	`129`	`#Translate NetworkRuleCollection`
`133`	`130`	`Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"`
`134`	`131`	`If ($azfw.NetworkRuleCollections.Count -gt 0)`
`@@ -142,34 +139,35 @@ If ($azfw.NetworkRuleCollections.Count -gt 0)`
`142`	`139`	`$firewallPolicyNetRules = @()`
`143`	`140`	`ForEach ($rule in $rc.Rules)`
`144`	`141`	`{`
	`142`	`+ $parsedName = ParseRuleName($rule.Name)`
`145`	`143`	`If ($rule.SourceAddresses)`
`146`	`144`	`{`
`147`	`145`	`If ($rule.DestinationAddresses)`
`148`	`146`	`{`
`149`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`147`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`150`	`148`	`}`
`151`	`149`	`elseif ($rule.DestinationIpGroups)`
`152`	`150`	`{`
`153`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`151`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`154`	`152`	`}`
`155`	`153`	`elseif ($rule.DestinationFqdns)`
`156`	`154`	`{`
`157`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`155`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`158`	`156`	`}`
`159`	`157`	`}`
`160`	`158`	`elseif ($rule.SourceIpGroups)`
`161`	`159`	`{`
`162`	`160`	`If ($rule.DestinationAddresses)`
`163`	`161`	`{`
`164`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`162`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`165`	`163`	`}`
`166`	`164`	`elseif ($rule.DestinationIpGroups)`
`167`	`165`	`{`
`168`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`166`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`169`	`167`	`}`
`170`	`168`	`elseif ($rule.DestinationFqdns)`
`171`	`169`	`{`
`172`		`- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`170`	`+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`173`	`171`	`}`
`174`	`172`	`}`
`175`	`173`	`Write-Host "Created network rule " $firewallPolicyNetRule.Name`
`@@ -183,15 +181,13 @@ If ($azfw.NetworkRuleCollections.Count -gt 0)`
`183`	`181`	`$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp`
`184`	`182`	`Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name`
`185`	`183`	`}`
`186`		`-`
`187`	`184`	`#Translate NatRuleCollection`
`188`	`185`	`# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules`
`189`	`186`	`# where each NatRule will have its own set of source , dest, translated IPs and ports.`
`190`	`187`	`# In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports`
`191`	`188`	`# as part of NatRuleCollection.`
`192`	`189`	`# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.`
`193`		`-`
`194`		`-Write-Host "creating " $azfw.NatRuleCollections.Count " network rule collections"`
	`190`	`+Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"`
`195`	`191`	`If ($azfw.NatRuleCollections.Count -gt 0)`
`196`	`192`	`{`
`197`	`193`	`$firewallPolicyNatRuleCollections = @()`
`@@ -202,23 +198,30 @@ If ($azfw.NatRuleCollections.Count -gt 0)`
`202`	`198`	`If ($rc.Rules.Count -gt 0)`
`203`	`199`	`{`
`204`	`200`	`Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name`
`205`		`- ForEach ($rule in $rc.Rules)`
`206`		`- {`
`207`		`- $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
`208`		`- Write-Host "Created nat rule " $firewallPolicyNatRule.Name`
	`201`	`+`
	`202`	`+ ForEach ($rule in $rc.Rules)`
	`203`	`+ {`
	`204`	`+ $parsedName = ParseRuleName($rule.Name)`
	`205`	`+ If ($rule.SourceAddresses)`
	`206`	`+ @@ -188,18 +234,19 @@ If ($azfw.NatRuleCollections.Count -gt 0) {`
	`207`	`+ {`
	`208`	`+ $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols`
	`209`	`+ }`
	`210`	`+ Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name`
`209`	`211`	`$firewallPolicyNatRules += $firewallPolicyNatRule`
`210`	`212`	`}`
`211`		`- $natRuleCollectionName = $rc.Name + $rule.Name`
	`213`	`+`
	`214`	`+ $natRuleCollectionName = $rc.Name`
`212`	`215`	`$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules`
`213`	`216`	`$priority += 1`
`214`		`- Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name`
	`217`	`+ Write-Host "Created NAT RuleCollection " $fwpNatRuleCollection.Name`
`215`	`218`	`$firewallPolicyNatRuleCollections += $fwpNatRuleCollection`
`216`	`219`	`}`
`217`	`220`	`}`
`218`	`221`	`$natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp`
`219`		`- Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name`
	`222`	`+ Write-Host "Created NAT RuleCollectionGroup " $natRuleGroup.Name`
`220`	`223`	`}`
`221`	`224`	```
`222`	`225`	`## Next steps`
`223`	`226`
`224`		`-Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).`
	`227`	`+Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).`