
Commit 480ebae

Merge pull request #210903 from vhorne/fwm-migrate
new PR to get #93599 merged
2 parents c54efe2 + 96173a3 commit 480ebae


1 file changed

+151
-109
lines changed


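--- a/articles/firewall-manager/migrate-to-policy.md
+++ b/articles/firewall-manager/migrate-to-policy.md
@@ -5,7 +5,7 @@ author: vhorne
 ms.service: firewall-manager
 services: firewall-manager
 ms.topic: how-to
-ms.date: 06/30/2020
+ms.date: 09/12/2022
 ms.author: victorh
 ms.custom: devx-track-azurepowershell
 ---
@@ -28,6 +28,7 @@ Modify the following script to migrate your firewall configuration.
 #Input params to be modified as needed
 $FirewallResourceGroup = "AzFWMigrateRG"
 $FirewallName = "azfw"
+$FirewallPolicyResourceGroup = "AzFWPolicyRG"
 $FirewallPolicyName = "fwpolicy"
 $FirewallPolicyLocation = "WestEurope"
 
@@ -41,142 +42,183 @@ $NatRuleGroupPriority = 100
 #Helper functions for translating ApplicationProtocol and ApplicationRule
 Function GetApplicationProtocolsString
 {
-Param([Object[]] $Protocols)
-$output = ""
-ForEach ($protocol in $Protocols) {
-$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
-}
-return $output.Substring(0, $output.Length - 1)
+Param([Object[]] $Protocols)
+$output = ""
+ForEach ($protocol in $Protocols)
+{
+$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
+}
+return $output.Substring(0, $output.Length - 1)
 }
 
 Function GetApplicationRuleCmd
 {
-Param([Object] $ApplicationRule)
-
-$cmd = "New-AzFirewallPolicyApplicationRule"
-$cmd = $cmd + " -Name " + $ApplicationRule.Name
-$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
-
-if ($ApplicationRule.Description) {
-$cmd = $cmd + " -Description " + $ApplicationRule.Description
-}
-if ($ApplicationRule.TargetFqdns) {
-$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
-$cmd = $cmd + " -Protocol " + $protocols
-$cmd = $cmd + " -TargetFqdn " + $ApplicationRule.TargetFqdns
-}
-if ($ApplicationRule.FqdnTags) {
-$cmd = $cmd + " -FqdnTag " + $ApplicationRule.FqdnTags
-}
-
-return $cmd
+Param([Object] $ApplicationRule)
+
+$cmd = "New-AzFirewallPolicyApplicationRule"
+$cmd = $cmd + " -Name " + "'" + $($ApplicationRule.Name) + "'"
+
+if ($ApplicationRule.SourceAddresses)
+{
+$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
+$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
+}
+elseif ($ApplicationRule.SourceIpGroups)
+{
+$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
+$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
+}
+
+if ($ApplicationRule.Description)
+{
+$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
+}
+if ($ApplicationRule.TargetFqdns)
+{
+$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
+$cmd = $cmd + " -Protocol " + $protocols
+
+$AppRule = $($ApplicationRule.TargetFqdns) -join ","
+$cmd = $cmd + " -TargetFqdn " + $AppRule
+
+}
+if ($ApplicationRule.FqdnTags)
+{
+$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
+}
+
+return $cmd
 }
 
-If(!(Get-AzResourceGroup -Name $FirewallResourceGroup))
+If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
 {
-New-AzResourceGroup -Name $FirewallResourceGroup -Location $FirewallPolicyLocation
+New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
 }
 
 $azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
+
 Write-Host "creating empty firewall policy"
-$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
+$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
+$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
 Write-Host $fwp.Name "created"
 Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
 
 #Translate ApplicationRuleCollection
-If ($azfw.ApplicationRuleCollections.Count -gt 0) {
-$firewallPolicyAppRuleCollections = @()
-ForEach ($appRc in $azfw.ApplicationRuleCollections) {
-If ($appRc.Rules.Count -gt 0) {
-Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
-$firewallPolicyAppRules = @()
-ForEach ($appRule in $appRc.Rules) {
-$cmd = GetApplicationRuleCmd($appRule)
-$firewallPolicyAppRule = Invoke-Expression $cmd
-Write-Host "Created appRule " $firewallPolicyAppRule.Name
-$firewallPolicyAppRules += $firewallPolicyAppRule
-}
-$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
-Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
-}
-$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
-}
-$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
-Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
+If ($azfw.ApplicationRuleCollections.Count -gt 0)
+{
+$firewallPolicyAppRuleCollections = @()
+ForEach ($appRc in $azfw.ApplicationRuleCollections)
+{
+If ($appRc.Rules.Count -gt 0)
+{
+Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
+$firewallPolicyAppRules = @()
+ForEach ($appRule in $appRc.Rules)
+{
+$cmd = GetApplicationRuleCmd($appRule)
+$firewallPolicyAppRule = Invoke-Expression $cmd
+Write-Host "Created appRule " $firewallPolicyAppRule.Name
+$firewallPolicyAppRules += $firewallPolicyAppRule
+}
+$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
+Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
+}
+$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
+}
+$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
+Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
 }
 
 #Translate NetworkRuleCollection
 Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
-If ($azfw.NetworkRuleCollections.Count -gt 0) {
-$firewallPolicyNetRuleCollections = @()
-ForEach ($rc in $azfw.NetworkRuleCollections) {
-If ($rc.Rules.Count -gt 0) {
-Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
-$firewallPolicyNetRules = @()
-ForEach ($rule in $rc.Rules) {
-If($rule.SourceAddresses){
-If($rule.DestinationAddresses)
-{
-$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-}
-elseif($rule.DestinationIpGroups)
-{
-$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-}
-}
-elseif($rule.SourceIpGroups){
-If($rule.DestinationAddresses)
-{
-$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-}
-elseif($rule.DestinationIpGroups)
-{
-$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-}
-}
-Write-Host "Created network rule " $firewallPolicyNetRule.Name
-$firewallPolicyNetRules += $firewallPolicyNetRule
-}
-$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
-Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
-}
-$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
-}
-$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
-Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
+If ($azfw.NetworkRuleCollections.Count -gt 0)
+{
+$firewallPolicyNetRuleCollections = @()
+ForEach ($rc in $azfw.NetworkRuleCollections)
+{
+If ($rc.Rules.Count -gt 0)
+{
+Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
+$firewallPolicyNetRules = @()
+ForEach ($rule in $rc.Rules)
+{
+If ($rule.SourceAddresses)
+{
+If ($rule.DestinationAddresses)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+elseif ($rule.DestinationIpGroups)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+elseif ($rule.DestinationFqdns)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+}
+elseif ($rule.SourceIpGroups)
+{
+If ($rule.DestinationAddresses)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+elseif ($rule.DestinationIpGroups)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+elseif ($rule.DestinationFqdns)
+{
+$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+}
+}
+Write-Host "Created network rule " $firewallPolicyNetRule.Name
+$firewallPolicyNetRules += $firewallPolicyNetRule
+}
+$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
+Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
+}
+$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
+}
+$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
+Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
 }
 
 #Translate NatRuleCollection
 # Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
-# where each NatRule will have its own set of source , dest, translated IPs and ports.
-# In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
+# where each NatRule will have its own set of source , dest, translated IPs and ports.
+# In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
 # as part of NatRuleCollection.
 # So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
 
 Write-Host "creating " $azfw.NatRuleCollections.Count " network rule collections"
-If ($azfw.NatRuleCollections.Count -gt 0) {
-$firewallPolicyNatRuleCollections = @()
-$priority = 100
-ForEach ($rc in $azfw.NatRuleCollections) {
-$firewallPolicyNatRules = @()
-If ($rc.Rules.Count -gt 0) {
-Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
-ForEach ($rule in $rc.Rules) {
-$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
-Write-Host "Created nat rule " $firewallPolicyNatRule.Name
-$firewallPolicyNatRules += $firewallPolicyNatRule
-}
-$natRuleCollectionName = $rc.Name+$rule.Name
-$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
-$priority += 1
-Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
-$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
-}
-}
-$natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
-Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
+If ($azfw.NatRuleCollections.Count -gt 0)
+{
+$firewallPolicyNatRuleCollections = @()
+$priority = 100
+ForEach ($rc in $azfw.NatRuleCollections)
+{
+$firewallPolicyNatRules = @()
+If ($rc.Rules.Count -gt 0)
+{
+Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
+ForEach ($rule in $rc.Rules)
+{
+$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+Write-Host "Created nat rule " $firewallPolicyNatRule.Name
+$firewallPolicyNatRules += $firewallPolicyNatRule
+}
+$natRuleCollectionName = $rc.Name + $rule.Name
+$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
+$priority += 1
+Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
+$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
+}
+}
+$natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
+Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
 }
 ```
 ## Next steps
 
-Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).
+Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).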
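Review bot: The single-quote wrapping added at new lines 59, 74 and 87 of GetApplicationRuleCmd still hands a hand-assembled command string to `Invoke-Expression $cmd` at new line 119, so a rule Name, Description or FqdnTag that itself contains a `'` — or a source-address/FQDN list with any character PowerShell treats as syntax — either breaks the call or is parsed and run as script rather than used as a value; these strings come from the existing firewall's rule set, not from this script's own constants. Building a parameter hashtable and splatting it into `New-AzFirewallPolicyApplicationRule` passes every field as data, removes the need for the quoting and the `-join ","` steps, and turns the caller's `Invoke-Expression $cmd` into a direct call. New lines 63 and 68 also write the joined string back into `$ApplicationRule`, mutating the `$azfw` object the rest of the script keeps reading, which the hashtable form avoids. The `-Force` added to the `New-AzFirewallPolicy` call at new line 102 appears to suppress the overwrite prompt for an existing policy of that name, which deserves a comment in the doc since readers copy this script as-is. Sketch below; `-Protocol` is split back into an array to keep the shape the Invoke-Expression path produced.

```powershell
Function GetApplicationRuleCmd
{
    Param([Object] $ApplicationRule)

    # Collect the cmdlet arguments as a hashtable and splat it: every rule
    # field is passed as a value, nothing is re-parsed by the shell.
    $params = @{ Name = $ApplicationRule.Name }

    if ($ApplicationRule.SourceAddresses)
    {
        $params.SourceAddress = $ApplicationRule.SourceAddresses
    }
    elseif ($ApplicationRule.SourceIpGroups)
    {
        $params.SourceIpGroup = $ApplicationRule.SourceIpGroups
    }

    if ($ApplicationRule.Description)
    {
        $params.Description = $ApplicationRule.Description
    }
    if ($ApplicationRule.TargetFqdns)
    {
        # GetApplicationProtocolsString returns "Type:Port,Type:Port"; split to the array the cmdlet expects
        $params.Protocol = (GetApplicationProtocolsString($ApplicationRule.Protocols)) -split ','
        $params.TargetFqdn = $ApplicationRule.TargetFqdns
    }
    if ($ApplicationRule.FqdnTags)
    {
        $params.FqdnTag = $ApplicationRule.FqdnTags
    }

    return New-AzFirewallPolicyApplicationRule @params
}

# … unchanged: resource group and policy creation …

                $firewallPolicyAppRule = GetApplicationRuleCmd($appRule)
# … unchanged: remainder of the application rule loop …
```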
