Merge pull request #52910 from MicrosoftDocs/release-ignite-firewall

Ignite Merge Down

Author: Cory Fowler

articles/firewall/deploy-template.md

@@ -13,10 +13,6 @@ ms.author: victorh
 
 # Deploy Azure Firewall using a template
 
-[!INCLUDE [firewall-preview-notice](../../includes/firewall-preview-notice.md)]
-
-The examples in the Azure Firewall articles assume that you have already enabled the Azure Firewall public preview. For more information, see [Enable the Azure Firewall public preview](public-preview.md).
-
 This template creates a firewall and a test network environment. The network has one VNet, with three subnets: *AzureFirewallSubnet*, *ServersSubnet*, and a *JumpboxSubnet*. The ServersSubnet and JumpboxSubnet each have one 2-core Windows Server in them.
 
 The firewall is in the AzureFirewallSubnet and is configured with an Application Rule Collection with a single rule that allows access to www.microsoft.com.

articles/firewall/firewall-faq.md

@@ -6,12 +6,10 @@ author: vhorne
 
 ms.service: firewall
 ms.topic: conceptual
-ms.date: 7/19/2018
+ms.date: 09/24/2018
 ms.author: victorh
 ---
 
-# Azure Firewall FAQ (Preview)
-
-[!INCLUDE [Azure Firewall Preview](../../includes/firewall-preview-notice.md)]
+# Azure Firewall FAQ
 
 [!INCLUDE [Azure Firewall FAQ](../../includes/firewall-faq-include.md)]

articles/firewall/fqdn-tags.md

@@ -0,0 +1,37 @@
+---
+title: FQDN tags overview for Azure Firewall
+description: Learn about the FQDN tags in Azure Firewall
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: article
+ms.date: 9/24/2018
+ms.author: victorh
+---
+
+# FQDN tags overview
+
+A FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use a FQDN tag in application rules to allow the required outbound network traffic through your firewall.
+
+>[!NOTE]
+>The FQDN tags feature is currently available in Azure PowerShell and REST only.
+
+For example, to manually allow Windows Update network traffic through your firewall, you need to create multiple application rules per the Microsoft documentation. Using FQDN tags, you can create an application rule, include the **Windows Updates** tag, and now network traffic to Microsoft Windows Update endpoints can flow through your firewall.
+
+You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Microsoft manages the FQDNs encompassed by the FQDN tag, and updates the tag as FQDNs change. 
+
+<!--- screenshot of application rule with a FQDN tag.-->
+
+The following table shows the current FQDN tags you can use. Microsoft maintains these tags and you can expect additional tags to be added periodically.
+
+|FQDN tag  |Description  |
+|---------|---------|
+|Windows Update     |Allow outbound access to Microsoft Update as described in [How to Configure a Firewall for Software Updates](https://technet.microsoft.com/library/bb693717.aspx).|
+|Windows Diagnostics|Allow outbound access to all [Windows Diagnostics endpoints](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization#endpoints).|
+|Microsoft Active Protection Service (MAPS)|Allow outbound access to [MAPS](https://cloudblogs.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/).|
+|App Service Environment (ASE)|Allows outbound access to ASE platform traffic. This tag doesn’t cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via [Service Endpoints](../virtual-network/tutorial-restrict-network-access-to-resources.md) or added manually.|
+|Azure Backup|Allows outbound access to the Azure Backup services.
+
+## Next steps
+
+To learn how to deploy an Azure Firewall, see [Tutorial: Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md).

articles/firewall/index.yml

@@ -8,7 +8,7 @@ metadata:
   author: vhorne
   ms.service: firewall
   ms.topic: landing-page
-  ms.date: 7/11/2018
+  ms.date: 9/24/2018
   ms.author: victorh
 abstract:
   description: Learn how to deploy Azure Firewall, a cloud-based network security service. Tutorials, API references, and other documentation show you how to set up application-level and network-level policies to protect your Azure virtual network resources.
@@ -21,6 +21,8 @@ sections:
     style: unordered
     items:
     - html: <a href="/azure/firewall/tutorial-firewall-deploy-portal">Deploy and configure Azure Firewall using the Azure portal</a>
+    - html: <a href="/azure/firewall/tutorial-hybrid-ps">Deploy in a hybrid network</a>
+    - html: <a href="/azure/firewall/tutorial-firewall-dnat">Filter inbound traffic with DNAT</a>
     - html: <a href="/azure/firewall/tutorial-diagnostics">Monitor Azure Firewall logs</a>
 - title: Samples
   items:

articles/firewall/infrastructure-fqdns.md

@@ -0,0 +1,29 @@
+---
+title: Infrastructure FQDN for Azure Firewall
+description: Learn about infrastructure FQDNs in Azure Firewall
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: article
+ms.date: 9/24/2018
+ms.author: victorh
+---
+
+# Infrastructure FQDNs
+
+Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. 
+
+The following services are included in the built-in rule collection:
+
+- Compute access to storage Platform Image Repository (PIR)
+- Managed disks status storage access
+- Azure Diagnostics and Logging (MDS)
+- Azure Active Directory
+
+## Overriding 
+
+You can override this built-in infrastructure rule collection by creating a deny all application rule collection that is processed last. It will always be processed before the infrastructure rule collection. Anything not in the infrastructure rule collection is denied by default.
+
+## Next steps
+
+- Learn how to [deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md).

articles/firewall/logs-and-metrics.md

@@ -0,0 +1,84 @@
+---
+title: Overview of Azure Firewall logs
+description: This article is an overview of the Azure Firewall diagnostic logs.
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: article
+ms.date: 9/24/2018
+ms.author: victorh
+---
+
+# Azure Firewall logs
+
+You can monitor Azure Firewall using firewall logs. You can also use activity logs to audit operations on Azure Firewall resources.
+
+You can access some of these logs through the portal. Logs can be sent to [Log Analytics](../log-analytics/log-analytics-azure-networking-analytics.md), Storage, and Event Hubs and analyzed in Log Analytics or by different tools such as Excel and Power BI.
+
+## Diagnostic logs
+
+ The following diagnostic logs are available for Azure Firewall:
+
+* **Application rule log**
+
+   The Application rule log is saved to a storage account, streamed to Event hubs and/or sent to Log Analytics only if you have enabled it for each Azure Firewall. Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection. The data is logged in JSON format, as shown in the following example:
+
+   ```
+   Category: application rule logs.
+   Time: log timestamp.
+   Properties: currently contains the full message. 
+   note: this field will be parsed to specific fields in the future, while maintaining backward compatibility with the existing properties field.
+   ```
+
+   ```json
+   {
+    "category": "AzureFirewallApplicationRule",
+    "time": "2018-04-16T23:45:04.8295030Z",
+    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+    "operationName": "AzureFirewallApplicationRuleLog",
+    "properties": {
+        "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
+    }
+   }
+   ```
+
+* **Network rule log**
+
+   The Network rule log is saved to a storage account, streamed to Event hubs and/or sent Log Analytics only if you have enabled it for each Azure Firewall. Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection. The data is logged in JSON format, as shown in the following example:
+
+   ```
+   Category: network rule logs.
+   Time: log timestamp.
+   Properties: currently contains the full message. 
+   note: this field will be parsed to specific fields in the future, while maintaining backward compatibility with the existing properties field.
+   ```
+
+   ```json
+  {
+    "category": "AzureFirewallNetworkRule",
+    "time": "2018-06-14T23:44:11.0590400Z",
+    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+    "operationName": "AzureFirewallNetworkRuleLog",
+    "properties": {
+        "msg": "TCP request from 111.35.136.173:12518 to 13.78.143.217:2323. Action: Deny"
+    }
+   }
+
+   ```
+
+You have three options for storing your logs:
+
+* **Storage account**: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
+* **Event hubs**: Event hubs are a great option for integrating with other security information and event management (SEIM) tools to get alerts on your resources.
+* **Log Analytics**: Log Analytics is best used for general real-time monitoring of your application or looking at trends.
+
+## Activity logs
+
+   Activity log entries are collected by default, and you can view them in the Azure portal.
+
+   You can use [Azure activity logs](../azure-resource-manager/resource-group-audit.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription.
+
+
+## Next steps
+
+To learn how to monitor Azure Firewall logs and metrics, see [Tutorial: Monitor Azure Firewall logs](tutorial-diagnostics.md).

articles/firewall/media/overview/firewall-overview.png

@@ -6,60 +6,64 @@ ms.service: firewall
 services: firewall
 ms.topic: overview
 ms.custom: mvc
-ms.date: 7/16/2018
+ms.date: 9/24/2018
 ms.author: victorh
 #Customer intent: As an administrator, I want to evaluate Azure Firewall so I can determine if I want to use it.
 ---
 # What is Azure Firewall?
 
 Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. 
 
-[!INCLUDE [firewall-preview-notice](../../includes/firewall-preview-notice.md)]
-
 ![Firewall overview](media/overview/firewall-overview.png)
 
-
-
 You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.  The service is fully integrated with Azure Monitor for logging and analytics.
 
 ## Features
 
-The Azure Firewall public preview offers the following features:
+Azure Firewall offers the following features:
 
 ### Built-in high availability
 High availability is built in, so no additional load balancers are required and there is nothing you need to configure.
 
 ### Unrestricted cloud scalability 
 Azure Firewall can scale up as much as you need  to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.
 
-### FQDN filtering 
+### Application FQDN filtering rules
+
 You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDN) including wild cards. This feature does not require SSL termination.
 
 ### Network traffic filtering rules
 
 You can centrally create *allow* or *deny* network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
 
+### FQDN tags
+
+FQDN tags make it easy for you to allow well known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
+
 ### Outbound SNAT support
 
 All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations.
 
+### Inbound DNAT support
+
+Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks. 
+
 ### Azure Monitor logging
 
 All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.
 
 ## Known issues
 
-The Azure Firewall public preview has the following known issues:
+Azure Firewall has the following known issues:
 
 
 |Issue  |Description  |Mitigation  |
 |---------|---------|---------|
-|Interoperability with NSGs     |If a network security group (NSG) is applied on the firewall subnet, it may block outbound Internet connectivity even if the NSG is configured to allow outbound internet access. Outbound Internet connections are marked as coming from a VirtualNetwork and the destination is Internet. An NSG has VirtualNetwork to VirtualNetwork *allow* by default, but not when destination is Internet.|To mitigate, add the following inbound rule to the NSG that is applied on the firewall subnet:<br><br>Source: VirtualNetwork Source ports: Any <br><br>Destination: Any Destination Ports: Any <br><br>Protocol: All Access: Allow|
 |Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature|If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC JIT doesn’t work. This is a result of asymmetric routing – a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via the firewall, which drops the packet because no session is established on the firewall.|To work around this issue, place the JIT virtual machines on a separate subnet that doesn’t have a user-defined route to the firewall.|
 |Hub and spoke with global peering doesn’t work|The hub and spoke model, where the hub and firewall are deployed in one Azure region, with the spokes in another Azure region, connected to the hub via Global VNet Peering is not supported.|For more information, see [Create, change, or delete a virtual network peering](https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints)|
-Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don’t work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-overview#limitations). We are exploring options to support this scenario in a future release.
-
-
+Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don’t work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-overview#limitations). We are exploring options to support this scenario in a future release.|
+|Destination NAT (DNAT) doesn’t work for port 80 and 22.|Destination Port field in NAT rule collection cannot include port 80 or port 22.|We are working to fix this in the near future. Meanwhile, use any other port as the destination port in NAT rules. Port 80 or 22 can still be used as the translated port (for example, you can map public ip:81 to private ip:80).|
+|
 
 ## Next steps
 

articles/firewall/media/tutorial-hybrid-ps/hybrid-network-firewall.png

@@ -12,10 +12,6 @@ ms.author: victorh
 
 # Create an Azure Firewall test environment
 
-[!INCLUDE [firewall-preview-notice](../../../includes/firewall-preview-notice.md)]
-
-The examples in the Azure Firewall articles assume that you have already enabled the Azure Firewall public preview. For more information, see [Enable the Azure Firewall public preview](../public-preview.md).
-
 This script sample creates a firewall and a test network environment. The network has one VNet, with three subnets: an *AzureFirewallSubnet*, and *ServersSubnet*, and a *JumpboxSubnet*. The ServersSubnet and JumpboxSubnet each have one 2-core Windows Server in them.
 
 The firewall is in the AzureFirewallSubnet and is configured with an Application Rule Collection with a single rule that allows access to www.microsoft.com.
@@ -24,7 +20,7 @@ A user defined route is created that points the network traffic from the Servers
 
 You can run the script from the Azure [Cloud Shell](https://shell.azure.com/powershell), or from a local PowerShell installation. 
 
-If you run PowerShell locally, this script requires the AzureRM PowerShell module version 6.4.0 or later. To find the installed version, run `Get-Module -ListAvailable AzureRM`. 
+If you run PowerShell locally, this script requires the latest AzureRM PowerShell module version. To find the installed version, run `Get-Module -ListAvailable AzureRM`. 
 
 You can use `PowerShellGet` if you need to upgrade, which is built into Windows 10 and Windows Server 2016.
 
@@ -36,12 +32,6 @@ For more information, see [Install Azure PowerShell on Windows with PowerShellGe
 
 Any existing Azure PowerShell installation done with the Web Platform installer will conflict with the PowerShellGet installation and needs to be removed.
 
-Additionally, you must install the preview version of AzureRM.Network (version 6.4.0). If have an older module, run `Uninstall-Module AzureRM.Network -Force` to remove it. Then run:
-
- `Install-Module -Name AzureRM.Network -Repository PSGallery -RequiredVersion 6.4.0-preview -AllowPrerelease -Force`
-
-to install verion 6.4.0.
-
 Remember that if you run PowerShell locally, you also need to run `Connect-AzureRmAccount` to create a connection with Azure.
 
 [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]