Commit 60d0d04

Merge pull request #226390 from vhorne/fw-threat-intel
add allow list info
2 parents a472a7a + f2be501 commit 60d0d04

2 files changed

+6
-2
lines changed

2 files changed

+6
-2
lines changed
-157 KB
Loading

articles/firewall/threat-intel.md

Lines changed: 6 additions & 2 deletions
@@ -22,7 +22,11 @@ You can choose to just log an alert when a rule is triggered, or you can choose
2222

2323
By default, threat intelligence-based filtering is enabled in alert mode. You can’t turn off this feature or change the mode until the portal interface becomes available in your region.
2424

25-
:::image type="content" source="media/threat-intel/threat-intel-ui.png" alt-text="Threat intelligence based filtering portal interface":::
25+
You can define allowlists so threat intelligence won't filter traffic to any of the listed FQDNs, IP addresses, ranges, or subnets.
26+
27+
For a batch operation, you can upload a CSV file with list of IP addresses, ranges, and subnets.
28+
29+
:::image type="content" source="media/threat-intel/threat-intel-ui.png" alt-text="Threat intelligence based filtering portal interface" lightbox="media/threat-intel/threat-intel-ui.png":::
2630

2731
## Logs
2832

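Review bot: the new allowlist sentence (`You can define allowlists so threat intelligence won't filter traffic to any of the listed FQDNs, IP addresses, ranges, or subnets.`) doesn't say where the allowlist is configured, nor that a listed destination is exempted from threat intelligence filtering regardless of the alert-or-deny mode chosen at line 22, so a reader may not realize that a broad range or subnet entry silently disables the feature for everything in it. Suggest naming the portal page the screenshot on the `:::image` line shows and adding a one-line caution to keep entries as narrow as possible. The CSV sentence also drops FQDNs (`with list of IP addresses, ranges, and subnets`) while the sentence before it lists them; if FQDNs can't be bulk-uploaded, say so explicitly, and the phrase needs an article: `with a list of IP addresses, ranges, and subnets`. Finally, the unchanged line at `2323` still says the mode can't be changed until the portal interface becomes available in your region; since this change now documents configuring allowlists in that interface, confirm that sentence is still accurate or qualify it.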
@@ -44,7 +48,7 @@ The following log excerpt shows a triggered rule:
4448

4549
- **Outbound testing** - Outbound traffic alerts should be a rare occurrence, as it means that your environment has been compromised. To help test outbound alerts are working, a test FQDN has been created that triggers an alert. Use `testmaliciousdomain.eastus.cloudapp.azure.com` for your outbound tests.
4650

47-
- **Inbound testing** - You can expect to see alerts on incoming traffic if DNAT rules are configured on the firewall. This is true even if only specific sources are allowed on the DNAT rule and traffic is otherwise denied. Azure Firewall doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity.
51+
- **Inbound testing** - You can expect to see alerts on incoming traffic if DNAT rules are configured on the firewall. You'll see alerts even if only specific sources are allowed on the DNAT rule and traffic is otherwise denied. Azure Firewall doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity.
4852

4953
## Next steps
5054

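Review bot: the rewritten inbound sentence resolves the dangling `This is true`, but the rest of the bullet is left as is and the last clause is still a fragment hung off a semicolon (`doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity`); suggest `it alerts only on scanners that are also known to engage in malicious activity`. The bullet also never says what an inbound alert means for the connection under the default alert mode stated earlier in the article (the traffic is logged, not blocked), which is exactly what someone testing DNAT rules will want to know; one clause would settle it. The unchanged outbound bullet above has a similar slip: `To help test outbound alerts are working` should read `To help test that outbound alerts are working`.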