| 1 | +--- |
| 2 | +title: Use Azure Policy to help secure your Azure Firewall deployments |
| 3 | +description: You can use Azure Policy to help secure your Azure Firewall deployments. |
| 4 | +author: vhorne |
| 5 | +ms.author: victorh |
| 6 | +ms.service: azure-firewall |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 09/05/2024 |
| 9 | +--- |
| 10 | + |
| 11 | +# Use Azure Policy to help secure your Azure Firewall deployments |
| 12 | + |
| 13 | +Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources for noncompliance with assigned policies. For example, you can have a policy to allow only a certain size of virtual machines in your environment or to enforce a specific tag on resources. |
| 14 | + |
| 15 | +Azure Policy can be used to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices. |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | + |
| 19 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 20 | + |
| 21 | +## Policies available for Azure Firewall |
| 22 | + |
| 23 | +The following policies are available for Azure Firewall: |
| 24 | + |
| 25 | +- **Enable Threat Intelligence in Azure Firewall Policy** |
| 26 | + |
| 27 | + This policy makes sure that any Azure Firewall configuration without threat intel enabled is marked as noncompliant. |
| 28 | +- **Deploy Azure Firewall across Multiple Availability Zones** |
| 29 | + |
| 30 | + The policy restricts Azure Firewall deployment to be only allowed with Multiple Availability Zone configuration. |
| 31 | +- **Upgrade Azure Firewall Standard to Premium** |
| 32 | + |
| 33 | + This policy recommends upgrading Azure Firewall Standard to Premium so that all the Premium version advanced firewall features can be used. This further enhances the security of the network. |
| 34 | +- **Azure Firewall Policy Analytics should be enabled** |
| 35 | + |
| 36 | + This policy ensures that the Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules. |
| 37 | +- **Azure Firewall should only allow Encrypted Traffic** |
| 38 | + |
| 39 | + This policy analyses existing rules and ports in Azure firewall policy and audits firewall policy to make sure that only encrypted traffic is allowed into the environment. |
| 40 | +- **Azure Firewall should have DNS Proxy Enabled** |
| 41 | + |
| 42 | + This Policy Ensures that DNS proxy feature is enabled on Azure Firewall deployments. |
| 43 | +- **Enable IDPS in Azure Firewall Premium Policy** |
| 44 | + |
| 45 | + This policy ensures that the IDPS feature is enabled on Azure Firewall deployments to effectively protect the environment from various threats and vulnerabilities. |
| 46 | +- **Enable TLS inspection on Azure Firewall Policy** |
| 47 | + |
| 48 | + This policy mandates that TLS inspection is enabled to detect, alert, and mitigate malicious activity in HTTPS traffic. |
| 49 | +- **Migrate from Azure Firewall Classic Rules to Firewall Policy** |
| 50 | + |
| 51 | + This policy recommends migrating from Firewall Classic Rules to Firewall Policy. |
| 52 | +- **VNET with specific tag must have Azure Firewall Deployed** |
| 53 | + |
| 54 | + This policy finds all virtual networks with a specified tag and checks if there's an Azure Firewall deployed, and flags it as noncompliant if no Azure Firewall exists. |
| 55 | + |
| 56 | +The following steps show how you can create an Azure Policy that enforces all Firewall Policies to have the Threat Intelligence feature enabled (either **Alert Only**, or **Alert and deny**). The Azure Policy scope is set to the resource group that you create. |
| 57 | + |
| 58 | +## Create a resource group |
| 59 | + |
| 60 | +This resource group is set as the scope for the Azure Policy, and is where you create the Firewall Policy. |
| 61 | + |
| 62 | +1. From the Azure portal, select **Create a resource**. |
| 63 | +1. In the search box, type **resource group** and press Enter. |
| 64 | +1. Select **Resource group** from the search results. |
| 65 | +1. Select **Create**. |
| 66 | +1. Select your subscription. |
| 67 | +1. Type a name for your resource group. |
| 68 | +1. Select a region. |
| 69 | +1. Select **Next : Tags**. |
| 70 | +1. Select **Next : Review + create**. |
| 71 | +1. Select **Create**. |
| 72 | + |
| 73 | +## Create an Azure Policy |
| 74 | + |
| 75 | +Now create an Azure Policy in your new resource group. This policy ensures that any firewall policies must have Threat Intelligence enabled. |
| 76 | + |
| 77 | +1. From the Azure portal, select **All services**. |
| 78 | +1. In the filter box, type **policy** and press Enter. |
| 79 | +1. Select **Policy** in the search results. |
| 80 | +1. On the Policy page, select **Getting started**. |
| 81 | +1. Under **Assign policies**, select **View definitions**. |
| 82 | +1. On the Definitions page, type **firewall**, in the search box. |
| 83 | +1. Select **Azure Firewall Policy should enable Threat Intelligence**. |
| 84 | +1. Select **Assign policy**. |
| 85 | +1. For **Scope**, select you subscription and your new resource group. |
| 86 | +1. Select **Select**. |
| 87 | +1. Select **Next**. |
| 88 | +1. On the **Parameters** page, clear the **Only show parameters that need input or review** check box. |
| 89 | +1. For **Effect**, select **Deny**. |
| 90 | +1. Select **Review + create**. |
| 91 | +1. Select **Create**. |
| 92 | + |
| 93 | +## Create a Firewall Policy |
| 94 | + |
| 95 | +Now you attempt to create a Firewall Policy with Threat Intelligence disabled. |
| 96 | + |
| 97 | +1. From the Azure portal, select **Create a resource**. |
| 98 | +1. In the search box, type **firewall policy** and press Enter. |
| 99 | +1. Select **Firewall Policy** in the search results. |
| 100 | +1. Select **Create**. |
| 101 | +1. Select your subscription. |
| 102 | +1. For **Resource group**, select the resource group that you created previously. |
| 103 | +1. In the **Name** text box, type a name for your policy. |
| 104 | +1. Select **Next : DNS Settings**. |
| 105 | +1. Continue selecting through to the **Threat intelligence** page. |
| 106 | +1. For **Threat intelligence mode**, select **Disabled**. |
| 107 | +1. Select **Review + create**. |
| 108 | + |
| 109 | +You should see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled. |
| 110 | + |
| 111 | +:::image type="content" source="media/firewall-azure-policy/azure-policy.png" lightbox="media/firewall-azure-policy/azure-policy.png" alt-text="Screenshot showing policy create denial."::: |
| 112 | + |
| 113 | +## Related content |
| 114 | + |
| 115 | +- [What is Azure Policy?](../governance/policy/overview.md) |
| 116 | +- [Govern your Azure Firewall configuration with Azure Policies](https://techcommunity.microsoft.com/t5/azure-network-security-blog/govern-your-azure-firewall-configuration-with-azure-policies/ba-p/4189902) |
| 117 | + |
| 118 | + |
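Review bot: the policy definition is named inconsistently between the list and the walkthrough: the bullet under "Policies available for Azure Firewall" calls it "Enable Threat Intelligence in Azure Firewall Policy", while the assignment step says "Select **Azure Firewall Policy should enable Threat Intelligence**"; a reader searching the Definitions page for the first name will not find the second, so confirm the display name in the portal and use the same string in both places. Two wording nits in the same hunk: "select you subscription" in the **Scope** step should read "select your subscription", and "This Policy Ensures that DNS proxy feature" in the DNS Proxy bullet should be "This policy ensures that the DNS proxy feature" to match the casing of the neighbouring bullets ("This policy ensures that ..."). Also consider stating, next to the "For **Effect**, select **Deny**" step, that Deny blocks only new or updated firewall policies in the scope; firewall policies that already exist with Threat Intelligence disabled are reported as noncompliant, not changed, so the "resource was disallowed by policy" error at the end is only demonstrated for the create path shown here.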