articles/firewall-manager/deploy-trusted-security-partner.md
Lines changed: 11 additions & 11 deletions
@@ -5,7 +5,7 @@ services: firewall-manager
5
5
author: vhorne
6
6
ms.service: firewall-manager
7
7
ms.topic: how-to
8
-
ms.date: 11/10/2021
8
+
ms.date: 09/28/2023
9
9
ms.author: victorh
10
10
---
11
11
@@ -24,13 +24,13 @@ Integrated third-party Security as a service (SECaaS) partners are now available
24
24
25
25
## Deploy a third-party security provider in a new hub
26
26
27
-
Skip this section if you are deploying a third-party provider into an existing hub.
27
+
Skip this section if you're deploying a third-party provider into an existing hub.
28
28
29
29
1. Sign in to the [Azure portal](https://portal.azure.com).
30
30
2. In **Search**, type **Firewall Manager** and select it under **Services**.
31
-
3. Navigate to **Getting Started**. Select **View secured virtual hubs**.
31
+
3. Navigate to **Overview**. Select **View secured virtual hubs**.
32
32
4. Select **Create new secured virtual hub**.
33
-
5. Enter you subscription and resource group, select a supported region, and add your hub and virtual WAN information.
33
+
5. Enter your subscription and resource group, select a supported region, and add your hub and virtual WAN information.
34
34
6. Select **Include VPN gateway to enable Security Partner Providers**.
35
35
7. Select the **Gateway scale units** appropriate for your requirements.
36
36
8. Select **Next: Azure Firewall**
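Review bot: Step 3's rename from **Getting Started** to **Overview** needs to be checked against the later hunk in this same file, where the equivalent step now reads `1. In **Getting Started**, **Overview**, select **View secured virtual hubs**.` and keeps both labels; the two procedures should name the same navigation entry. The `you subscription` -> `your subscription` typo fix and the `you are` -> `you're` contraction match the style used in the rest of this change.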
@@ -46,15 +46,15 @@ Skip this section if you are deploying a third-party provider into an existing h
46
46
47
47
The VPN gateway deployment can take more than 30 minutes.
48
48
49
-
To verify that the hub has been created, navigate to Azure Firewall Manager->Secured Hubs. Select the hub->Overview page to show the partner name and the status as **Security Connection Pending**.
49
+
To verify that the hub has been created, navigate to Azure Firewall Manager->Overview->View secured virtual hubs. You see the security partner provider name and the security partner status as **Security Connection Pending**.
50
50
51
51
Once the hub is created and the security partner is set up, continue on to connect the security provider to the hub.
52
52
53
53
## Deploy a third-party security provider in an existing hub
54
54
55
55
You can also select an existing hub in a Virtual WAN and convert that to a *secured virtual hub*.
56
56
57
-
1. In **Getting Started**, select **View secured virtual hubs**.
57
+
1. In **Getting Started**, **Overview**, select **View secured virtual hubs**.
58
58
2. Select **Convert existing hubs**.
59
59
3. Select a subscription and an existing hub. Follow rest of the steps to deploy a third-party provider in a new hub.
60
60
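Review bot: The edited step `1. In **Getting Started**, **Overview**, select **View secured virtual hubs**.` reads like an incomplete find-and-replace that left the old label beside the new one; it should read `1. In **Overview**, select **View secured virtual hubs**.` to match step 3 of the new-hub procedure in the previous hunk. While this list is being touched, the unchanged step 3 below it is missing an article: `Follow the rest of the steps`.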
@@ -96,7 +96,7 @@ To set up tunnels to your virtual hub’s VPN Gateway, third-party providers nee
96
96
Ensure the third-party provider can connect to the hub. The tunnels on the VPN gateway should be in a **Connected** state. This state is more reflective of the connection health between the hub and the third-party partner, compared to previous status.
97
97
3. Select the hub, and navigate to **Security Configurations**.
98
98
99
-
When you deploy a third-party provider into the hub, it converts the hub into a *secured virtual hub*. This ensures that the third-party provider is advertising a 0.0.0.0/0 (default) route to the hub. However, VNet connections and sites connected to the hub don’t get this route unless you opt-in on which connections should get this default route.
99
+
When you deploy a third-party provider into the hub, it converts the hub into a *secured virtual hub*. This ensures that the third-party provider is advertising a 0.0.0.0/0 (default) route to the hub. However, virtual network connections and sites connected to the hub don’t get this route unless you opt-in on which connections should get this default route.
100
100
101
101
> [!NOTE]
102
102
> Do not manually create a 0.0.0.0/0 (default) route over BGP for branch advertisements. This is automatically done for secure virtual hub deployments with 3rd party security providers. Doing so may break the deployment process.
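Review bot: Replacing `VNet` with `virtual network` in the edited paragraph leaves the unchanged note directly below still saying `3rd party security providers` and `secure virtual hub`, while the edited line uses `third-party` and `*secured virtual hub*`; since the hunk already touches this passage, the note's terminology should be aligned in the same change. Also, `unless you opt-in on which connections` uses the noun form as a verb; `unless you choose which connections should get this default route` is cleaner.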
@@ -108,17 +108,17 @@ To set up tunnels to your virtual hub’s VPN Gateway, third-party providers nee
108
108
109
109
If you use non-RFC1918 addresses for your private traffic prefixes, you may need to configure SNAT policies for your firewall to disable SNAT for non-RFC1918 private traffic. By default, Azure Firewall SNATs all non-RFC1918 traffic.
110
110
111
-
## Branch or VNet Internet traffic via third-party service
111
+
## Branch or virtual network Internet traffic via third-party service
112
112
113
-
Next, you can check if VNet virtual machines or the branch site can access the Internet and validate that the traffic is flowing to the third-party service.
113
+
Next, you can check if virtual network virtual machines or the branch site can access the Internet and validate that the traffic is flowing to the third-party service.
114
114
115
-
After finishing the route setting steps, the VNet virtual machines as well as the branch sites are sent a 0/0 to the third-party service route. You can't RDP or SSH into these virtual machines. To sign in, you can deploy the [Azure Bastion](../bastion/bastion-overview.md) service in a peered VNet.
115
+
After you finish the route setting steps, the virtual network virtual machines and the branch sites are sent a 0/0 to the third-party service route. You can't RDP or SSH into these virtual machines. To sign in, you can deploy the [Azure Bastion](../bastion/bastion-overview.md) service in a peered virtual network.
116
116
117
117
## Rule configuration
118
118
119
119
Use the partner portal to configure firewall rules. Azure Firewall passes the traffic through.
120
120
121
-
For example, you may observe allowed traffic through the Azure Firewall, even though there is no explicit rule to allow the traffic. This is because Azure Firewall passes the traffic to the next hop security partner provider (ZScalar, CheckPoint, or iBoss). Azure Firewall still has rules to allow outbound traffic, but the rule name is not logged.
121
+
For example, you may observe allowed traffic through the Azure Firewall, even though there's no explicit rule to allow the traffic. This is because Azure Firewall passes the traffic to the next hop security partner provider (ZScalar, CheckPoint, or iBoss). Azure Firewall still has rules to allow outbound traffic, but the rule name isn't logged.
122
122
123
123
For more information, see the partner documentation.
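Review bot: The rewritten line under **Rule configuration** keeps the partner names `ZScalar` and `CheckPoint`; the vendors spell them `Zscaler` and `Check Point`, and since the line is already being edited for contractions the names should be corrected in the same pass. In the **Branch or virtual network Internet traffic** paragraph, `are sent a 0/0 to the third-party service route` is hard to parse; `are sent a 0/0 (default) route pointing to the third-party service` says what the sentence means. The remaining `VNet` -> `virtual network` replacements are consistent with the earlier hunks.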