
[Proposed] Network - 00000 - High-risk web categories are blocked by Azure Firewall application rules#1124

Draft
krishna-sunkavalli wants to merge 1 commit into microsoft:dev from krishna-sunkavalli:Feature-WebCategories-Proposed

Conversation

@krishna-sunkavalli

Proposed new check: Azure Firewall web category filtering

This is a draft PR proposing a new Network pillar check. The test ID 00000 is a placeholder — I don't have access to ztspecs to create a spec. If this check is accepted, please assign a real test ID and I'll update all references.

What this check validates

Verifies that every Azure Firewall Policy (Standard or Premium) attached to a firewall has at least one application rule in a Deny rule collection that targets web categories.

Azure Firewall's web categories feature classifies websites into groups including Liability (CriminalActivity, Hacking, IllegalSoftware, Malware, Phishing, Violence, etc.). Without deny rules for these categories, users behind the firewall can reach malware distribution sites, phishing pages, and command-and-control infrastructure.

Why this gap matters

The existing Azure Firewall checks cover:

  • 25537 — Threat Intelligence in Deny mode (signature-based detection)
  • 25539 — IDPS in Deny mode (Premium, intrusion detection)
  • 25550 — TLS Inspection enabled (Premium, encrypted traffic visibility)

Web category filtering is a separate defense-in-depth layer — it blocks access to entire categories of known-dangerous sites by URL classification, complementing the signature-based approach of Threat Intel and IDPS. Both Standard and Premium SKUs support it.

Implementation details

Two ARG queries (same pattern as Test-Assessment.25550.ps1):

  1. Policy query — Enumerates all microsoft.network/firewallpolicies with Standard/Premium SKU, joined with subscription names
  2. Rule query — Queries microsoft.network/firewallpolicies/rulecollectiongroups, uses mvexpand into ruleCollections (filtered to FirewallPolicyFilterRuleCollection with Deny action) → mvexpand into rules (filtered to ApplicationRule where array_length(rule.webCategories) > 0) → extracts distinct policyId

Pass/Fail logic:

  • Pass: Every attached firewall policy has ≥1 application rule in a Deny collection targeting web categories
  • Fail: One or more attached policies lack web category deny rules
  • Skip (NotApplicable): No firewall policies found, or all policies are unattached
  • Skip (NotConnectedAzure): Not connected to Azure
  • Skip (NotSupported): Non-AzureCloud environment

Report output: Per-policy table with Subscription Name, Firewall Policy Name (portal link), SKU tier, Attached to Firewall, Web Category Deny Rules Found, and Result (✅/❌/⬜).

[ZtTest()] attributes:

Attribute           Value
Category            Azure Network Security
ImplementationCost  Low
Service             Azure
MinimumLicense      Azure_Firewall_Standard, Azure_Firewall_Premium
Pillar              Network
RiskLevel           High
SfiPillar           Protect networks
TenantType          Workforce, External
UserImpact          Low

Files

File                                             Purpose
src/powershell/tests/Test-Assessment.00000.ps1   Test implementation (196 lines)
src/powershell/tests/Test-Assessment.00000.md    Description with remediation links

What I need from maintainers

  1. Test ID assignment — Please assign a spec ID from ztspecs and I'll rename both files and update all internal references
  2. Feedback on scope — The current check validates that any web category is in a Deny rule. Should it specifically require Liability-group categories (CriminalActivity, Hacking, Malware, Phishing, etc.), or is blocking any category sufficient?

Testing

  • PowerShell parser validates with zero syntax errors
  • ARG queries follow the same mvexpand pattern proven in Test-Assessment.25550.ps1
  • Follows all coding patterns from existing Network tests (Azure connection check, AzureCloud environment guard, Get-SafeMarkdown, portal links, Add-ZtTestResultDetail with skip reasons)
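Added example, not code from this PR or the repository: the rule-query filter chain described above (Deny FirewallPolicyFilterRuleCollection, then ApplicationRule with a non-empty webCategories array) and the Pass/Fail/NotApplicable logic, evaluated offline in Python over rule collection groups in their ARM JSON shape, also reporting which of the Liability categories named in the description remain unblocked, which bears on the scope question. The field names ruleCollectionType, action.type, ruleType and webCategories follow the ARM schema; the simplified policy dict (name, firewalls, ruleCollectionGroups), the _collection builder and the sample policies are constructed for this example.

```python
# Added example (not the PR's code): rule-query filter chain + pass/fail logic, offline.
LIABILITY = {"CriminalActivity", "Hacking", "IllegalSoftware",   # categories the PR
             "Malware", "Phishing", "Violence"}                  # names (a subset)


def web_category_deny_rules(rule_collection_groups):
    """Application rules in a Deny filter collection with >= 1 web category:
    the same chain as the ARG mvexpand/where steps in the PR description."""
    found = []
    for rcg in rule_collection_groups:
        for rc in rcg.get("properties", {}).get("ruleCollections", []):
            if rc.get("ruleCollectionType") != "FirewallPolicyFilterRuleCollection":
                continue  # NAT collections carry no web categories
            if rc.get("action", {}).get("type") != "Deny":
                continue  # an Allow collection blocks nothing
            for rule in rc.get("rules", []):
                if rule.get("ruleType") == "ApplicationRule" and rule.get("webCategories"):
                    found.append(rule)
    return found


def evaluate_policy(policy):
    """Per-policy result. `policy` is a simplified dict (assumed shape):
    name, firewalls (attached firewall ids), ruleCollectionGroups (ARM shape)."""
    if not policy.get("firewalls"):
        return {"name": policy["name"], "result": "NotApplicable",
                "categories": set(), "missingLiability": set()}
    rules = web_category_deny_rules(policy.get("ruleCollectionGroups", []))
    categories = {c for r in rules for c in r["webCategories"]}
    return {"name": policy["name"], "result": "Pass" if rules else "Fail",
            "categories": categories,
            # the scope question: which named high-risk categories remain unblocked
            "missingLiability": LIABILITY - categories}


def _collection(action, rule_type, **rule):
    # Constructed sample-data builder, not an ARM API.
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "action": {"type": action}, "rules": [{"ruleType": rule_type, **rule}]}


SAMPLE_POLICIES = [  # constructed sample, not real tenant data
    {"name": "hub-policy", "firewalls": ["<hub-fw-id-placeholder>"],
     "ruleCollectionGroups": [{"properties": {"ruleCollections": [
         _collection("Deny", "ApplicationRule", webCategories=["Malware", "Phishing"])]}}]},
    {"name": "allow-only-policy", "firewalls": ["<spoke-fw-id-placeholder>"],
     "ruleCollectionGroups": [{"properties": {"ruleCollections": [
         _collection("Allow", "ApplicationRule", webCategories=["Malware"]),
         _collection("Deny", "NetworkRule", destinationPorts=["*"])]}}]},
    {"name": "orphan-policy", "firewalls": [], "ruleCollectionGroups": []},
]

RESULTS = [evaluate_policy(p) for p in SAMPLE_POLICIES]  # Pass, Fail, NotApplicable
```

The second sample policy fails even though it names a web category, because the category sits in an Allow collection, which is exactly the case the Deny filter in the rule query is there to exclude.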
