@@ -5,7 +5,7 @@ author: vhorne
5
5
ms.service : firewall-manager
6
6
services : firewall-manager
7
7
ms.topic : how-to
8
- ms.date : 06/30/2020
8
+ ms.date : 09/12/2022
9
9
ms.author : victorh
10
10
ms.custom : devx-track-azurepowershell
11
11
---
@@ -28,6 +28,7 @@ Modify the following script to migrate your firewall configuration.
28
28
#Input params to be modified as needed
29
29
$FirewallResourceGroup = "AzFWMigrateRG"
30
30
$FirewallName = "azfw"
31
+ $FirewallPolicyResourceGroup = "AzFWPolicyRG"
31
32
$FirewallPolicyName = "fwpolicy"
32
33
$FirewallPolicyLocation = "WestEurope"
33
34
@@ -41,142 +42,183 @@ $NatRuleGroupPriority = 100
41
42
#Helper functions for translating ApplicationProtocol and ApplicationRule
42
43
Function GetApplicationProtocolsString
43
44
{
44
- Param([Object[]] $Protocols)
45
- $output = ""
46
- ForEach ($protocol in $Protocols) {
47
- $output += $protocol.ProtocolType + ":" + $protocol.Port + ","
48
- }
49
- return $output.Substring(0, $output.Length - 1)
45
+ Param([Object[]] $Protocols)
46
+ $output = ""
47
+ ForEach ($protocol in $Protocols)
48
+ {
49
+ $output += $protocol.ProtocolType + ":" + $protocol.Port + ","
50
+ }
51
+ return $output.Substring(0, $output.Length - 1)
50
52
}
51
53
52
54
Function GetApplicationRuleCmd
53
55
{
54
- Param([Object] $ApplicationRule)
55
-
56
- $cmd = "New-AzFirewallPolicyApplicationRule"
57
- $cmd = $cmd + " -Name " + $ApplicationRule.Name
58
- $cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
59
-
60
- if ($ApplicationRule.Description) {
61
- $cmd = $cmd + " -Description " + $ApplicationRule.Description
62
- }
63
- if ($ApplicationRule.TargetFqdns) {
64
- $protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
65
- $cmd = $cmd + " -Protocol " + $protocols
66
- $cmd = $cmd + " -TargetFqdn " + $ApplicationRule.TargetFqdns
67
- }
68
- if ($ApplicationRule.FqdnTags) {
69
- $cmd = $cmd + " -FqdnTag " + $ApplicationRule.FqdnTags
70
- }
71
-
72
- return $cmd
56
+ Param([Object] $ApplicationRule)
57
+
58
+ $cmd = "New-AzFirewallPolicyApplicationRule"
59
+ $cmd = $cmd + " -Name " + "'" + $($ApplicationRule.Name) + "'"
60
+
61
+ if ($ApplicationRule.SourceAddresses)
62
+ {
63
+ $ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
64
+ $cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
65
+ }
66
+ elseif ($ApplicationRule.SourceIpGroups)
67
+ {
68
+ $ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
69
+ $cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
70
+ }
71
+
72
+ if ($ApplicationRule.Description)
73
+ {
74
+ $cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
75
+ }
76
+ if ($ApplicationRule.TargetFqdns)
77
+ {
78
+ $protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
79
+ $cmd = $cmd + " -Protocol " + $protocols
80
+
81
+ $AppRule = $($ApplicationRule.TargetFqdns) -join ","
82
+ $cmd = $cmd + " -TargetFqdn " + $AppRule
83
+
84
+ }
85
+ if ($ApplicationRule.FqdnTags)
86
+ {
87
+ $cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
88
+ }
89
+
90
+ return $cmd
73
91
}
74
92
75
- If(!(Get-AzResourceGroup -Name $FirewallResourceGroup ))
93
+ If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup ))
76
94
{
77
- New-AzResourceGroup -Name $FirewallResourceGroup -Location $FirewallPolicyLocation
95
+ New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
78
96
}
79
97
80
98
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
99
+
81
100
Write-Host "creating empty firewall policy"
82
- $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
101
+ $fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
102
+ $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
83
103
Write-Host $fwp.Name "created"
84
104
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
85
105
86
106
#Translate ApplicationRuleCollection
87
- If ($azfw.ApplicationRuleCollections.Count -gt 0) {
88
- $firewallPolicyAppRuleCollections = @()
89
- ForEach ($appRc in $azfw.ApplicationRuleCollections) {
90
- If ($appRc.Rules.Count -gt 0) {
91
- Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
92
- $firewallPolicyAppRules = @()
93
- ForEach ($appRule in $appRc.Rules) {
94
- $cmd = GetApplicationRuleCmd($appRule)
95
- $firewallPolicyAppRule = Invoke-Expression $cmd
96
- Write-Host "Created appRule " $firewallPolicyAppRule.Name
97
- $firewallPolicyAppRules += $firewallPolicyAppRule
98
- }
99
- $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
100
- Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
101
- }
102
- $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
103
- }
104
- $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
105
- Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
107
+ If ($azfw.ApplicationRuleCollections.Count -gt 0)
108
+ {
109
+ $firewallPolicyAppRuleCollections = @()
110
+ ForEach ($appRc in $azfw.ApplicationRuleCollections)
111
+ {
112
+ If ($appRc.Rules.Count -gt 0)
113
+ {
114
+ Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
115
+ $firewallPolicyAppRules = @()
116
+ ForEach ($appRule in $appRc.Rules)
117
+ {
118
+ $cmd = GetApplicationRuleCmd($appRule)
119
+ $firewallPolicyAppRule = Invoke-Expression $cmd
120
+ Write-Host "Created appRule " $firewallPolicyAppRule.Name
121
+ $firewallPolicyAppRules += $firewallPolicyAppRule
122
+ }
123
+ $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
124
+ Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
125
+ }
126
+ $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
127
+ }
128
+ $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
129
+ Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
106
130
}
107
131
108
132
#Translate NetworkRuleCollection
109
133
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
110
- If ($azfw.NetworkRuleCollections.Count -gt 0) {
111
- $firewallPolicyNetRuleCollections = @()
112
- ForEach ($rc in $azfw.NetworkRuleCollections) {
113
- If ($rc.Rules.Count -gt 0) {
114
- Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
115
- $firewallPolicyNetRules = @()
116
- ForEach ($rule in $rc.Rules) {
117
- If($rule.SourceAddresses){
118
- If($rule.DestinationAddresses)
119
- {
120
- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
121
- }
122
- elseif($rule.DestinationIpGroups)
123
- {
124
- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
125
- }
126
- }
127
- elseif($rule.SourceIpGroups){
128
- If($rule.DestinationAddresses)
129
- {
130
- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
131
- }
132
- elseif($rule.DestinationIpGroups)
133
- {
134
- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
135
- }
136
- }
137
- Write-Host "Created network rule " $firewallPolicyNetRule.Name
138
- $firewallPolicyNetRules += $firewallPolicyNetRule
139
- }
140
- $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
141
- Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
142
- }
143
- $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
144
- }
145
- $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
146
- Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
134
+ If ($azfw.NetworkRuleCollections.Count -gt 0)
135
+ {
136
+ $firewallPolicyNetRuleCollections = @()
137
+ ForEach ($rc in $azfw.NetworkRuleCollections)
138
+ {
139
+ If ($rc.Rules.Count -gt 0)
140
+ {
141
+ Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
142
+ $firewallPolicyNetRules = @()
143
+ ForEach ($rule in $rc.Rules)
144
+ {
145
+ If ($rule.SourceAddresses)
146
+ {
147
+ If ($rule.DestinationAddresses)
148
+ {
149
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
150
+ }
151
+ elseif ($rule.DestinationIpGroups)
152
+ {
153
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
154
+ }
155
+ elseif ($rule.DestinationFqdns)
156
+ {
157
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
158
+ }
159
+ }
160
+ elseif ($rule.SourceIpGroups)
161
+ {
162
+ If ($rule.DestinationAddresses)
163
+ {
164
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
165
+ }
166
+ elseif ($rule.DestinationIpGroups)
167
+ {
168
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
169
+ }
170
+ elseif ($rule.DestinationFqdns)
171
+ {
172
+ $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
173
+ }
174
+ }
175
+ Write-Host "Created network rule " $firewallPolicyNetRule.Name
176
+ $firewallPolicyNetRules += $firewallPolicyNetRule
177
+ }
178
+ $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
179
+ Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
180
+ }
181
+ $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
182
+ }
183
+ $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
184
+ Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
147
185
}
148
186
149
187
#Translate NatRuleCollection
150
188
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
151
- # where each NatRule will have its own set of source , dest, translated IPs and ports.
152
- # In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
189
+ # where each NatRule will have its own set of source , dest, translated IPs and ports.
190
+ # In FirewallPolicy a NatRuleCollection has a a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
153
191
# as part of NatRuleCollection.
154
192
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
155
193
156
194
Write-Host "creating " $azfw.NatRuleCollections.Count " network rule collections"
157
- If ($azfw.NatRuleCollections.Count -gt 0) {
158
- $firewallPolicyNatRuleCollections = @()
159
- $priority = 100
160
- ForEach ($rc in $azfw.NatRuleCollections) {
161
- $firewallPolicyNatRules = @()
162
- If ($rc.Rules.Count -gt 0) {
163
- Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
164
- ForEach ($rule in $rc.Rules) {
165
- $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
166
- Write-Host "Created nat rule " $firewallPolicyNatRule.Name
167
- $firewallPolicyNatRules += $firewallPolicyNatRule
168
- }
169
- $natRuleCollectionName = $rc.Name+$rule.Name
170
- $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
171
- $priority += 1
172
- Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
173
- $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
174
- }
175
- }
176
- $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
177
- Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
195
+ If ($azfw.NatRuleCollections.Count -gt 0)
196
+ {
197
+ $firewallPolicyNatRuleCollections = @()
198
+ $priority = 100
199
+ ForEach ($rc in $azfw.NatRuleCollections)
200
+ {
201
+ $firewallPolicyNatRules = @()
202
+ If ($rc.Rules.Count -gt 0)
203
+ {
204
+ Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
205
+ ForEach ($rule in $rc.Rules)
206
+ {
207
+ $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
208
+ Write-Host "Created nat rule " $firewallPolicyNatRule.Name
209
+ $firewallPolicyNatRules += $firewallPolicyNatRule
210
+ }
211
+ $natRuleCollectionName = $rc.Name + $rule.Name
212
+ $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
213
+ $priority += 1
214
+ Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name
215
+ $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
216
+ }
217
+ }
218
+ $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
219
+ Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name
178
220
}
179
221
```
180
222
## Next steps
181
223
182
- Learn more about Azure Firewall Manager deployment: [ Azure Firewall Manager deployment overview] ( deployment-overview.md ) .
224
+ Learn more about Azure Firewall Manager deployment: [ Azure Firewall Manager deployment overview] ( deployment-overview.md ) .
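Review bot: The single quotes added around Name, Description and FqdnTag in GetApplicationRuleCmd (new lines 59, 74 and 87) do not make the string safe for the `Invoke-Expression $cmd` call at new line 119: a rule name or description that itself contains a single quote breaks the parse, and whatever follows it is interpreted as PowerShell rather than passed as a parameter value, with the values coming straight out of the existing firewall's rule objects. The more robust fix is to stop assembling a command string at all — have the helper return a hashtable and splat it into New-AzFirewallPolicyApplicationRule, which also removes the `$output.Substring(0, $output.Length - 1)` in GetApplicationProtocolsString that throws when a rule has no protocols, and stops the helper from rewriting `$ApplicationRule.SourceAddresses` on the source object. The caller then becomes `$params = GetApplicationRuleParams($appRule)` followed by `$firewallPolicyAppRule = New-AzFirewallPolicyApplicationRule @params`. Separately, `New-AzFirewallPolicyDnsSetting -EnableProxy` at new line 101 turns DNS proxy on unconditionally instead of mirroring the source firewall's DNS configuration, and `-Force` on the following line replaces an existing policy of the same name without prompting; both are presumably intended (FQDN-based network rules need the proxy) but deserve a one-line comment saying so.

```powershell
Function GetApplicationRuleParams
{
    Param([Object] $ApplicationRule)

    # Splatting table: rule fields are passed as values and never re-parsed as code.
    $params = @{ Name = $ApplicationRule.Name }

    if ($ApplicationRule.SourceAddresses)
    {
        $params.SourceAddress = $ApplicationRule.SourceAddresses
    }
    elseif ($ApplicationRule.SourceIpGroups)
    {
        $params.SourceIpGroup = $ApplicationRule.SourceIpGroups
    }
    if ($ApplicationRule.Description)
    {
        $params.Description = $ApplicationRule.Description
    }
    if ($ApplicationRule.TargetFqdns)
    {
        # "Type:Port" per protocol; an empty list yields an empty array instead of throwing.
        $params.Protocol = @($ApplicationRule.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" })
        $params.TargetFqdn = $ApplicationRule.TargetFqdns
    }
    if ($ApplicationRule.FqdnTags)
    {
        $params.FqdnTag = $ApplicationRule.FqdnTags
    }
    return $params
}
# … unchanged: resource group / policy creation …
# In the application rule loop, replace the Invoke-Expression pair with:
#   $params = GetApplicationRuleParams($appRule)
#   $firewallPolicyAppRule = New-AzFirewallPolicyApplicationRule @params
```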