Azure Firewall Premium was released recently into Public Preview, bringing features such as IDPS, Web Categories, and TLS Inspection. I wanted to get some Azure Firewall Premium rule samples out to explore that might be useful in enterprises.
GitHub Azure Network Security - Azure Firewall - Repo
One of these rules allows your WVD host pool, jump boxes, or servers to use DNS over HTTPS. In the example below I am using the Chrome browser with its settings modified to do so.
To begin with I am creating an application rule in a rule collection group to Allow, at priority 400, the URL htb.com with TLS inspection.
The firewall rule as code so far looks like this:
```json
{
  "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
  "apiVersion": "2020-05-01",
  "name": "[concat(parameters('firewallPolicies_DemoFirewallPolicy_name'), '/DefaultApplicationRuleCollectionGroup')]",
  "location": "eastus",
  "dependsOn": [
    "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicies_DemoFirewallPolicy_name'))]"
  ],
  "properties": {
    "priority": 300,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "ApplicationRule",
            "name": "HTBAllow",
            "protocols": [
              {
                "protocolType": "Https",
                "port": 443
              }
            ],
            "fqdnTags": [],
            "targetFqdns": [],
            "targetUrls": [
              "htb.com"
            ],
            "terminateTLS": true,
            "sourceAddresses": [
              "*"
            ],
            "destinationAddresses": [],
            "sourceIpGroups": []
          }
        ],
        "name": "HTB",
        "priority": 400
      }
    ]
  }
}
```
With the rule in play, when we visit htb.com we receive the following error because the browser is trying to use DNS over HTTPS.
Switching over to the Diagnostic logs, we can run the following query to investigate further.
We can see that an HTTPS call to dns.google.com over port 443 was denied by default.
In testing I added dns.google to allow but still got a denied log result on a specific URL dns.com/dns-query
To allow this we will add a new rule within the collection at an earlier priority to allow communication to the DNS-over-HTTPS resolver.
With the new rule in play, the Chrome browser can query dns.google/dns-query, get an IP address back, and then reach the website https://htb.com.
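The following is an added example, not code from the post or from the Azure Network Security repo. It builds the two application rule collections described above in the same shape as the ARM resource (the existing HTB collection at priority 400 plus a DoH resolver collection at an earlier priority) and lints them for the things that bite in practice: evaluation order is decided by priority number, not list position; URL rules (targetUrls) need terminateTLS because URL filtering requires TLS inspection; and a source of "*" should be narrowed to the host pool subnet or an IP group. The collection name "DoHResolver", the priority 350, the rule name "AllowDoH" and the subnet 10.0.1.0/24 are assumptions chosen for the example.

```python
import json


def application_rule(name, target_urls, source_addresses=("*",), terminate_tls=True):
    """One ApplicationRule in the shape the firewall policy ARM schema uses
    (the same fields as the HTBAllow rule in the post)."""
    return {
        "ruleType": "ApplicationRule",
        "name": name,
        "protocols": [{"protocolType": "Https", "port": 443}],
        "fqdnTags": [],
        "targetFqdns": [],
        "targetUrls": list(target_urls),
        "terminateTLS": terminate_tls,
        "sourceAddresses": list(source_addresses),
        "destinationAddresses": [],
        "sourceIpGroups": [],
    }


def filter_collection(name, priority, rules, action="Allow"):
    """A FirewallPolicyFilterRuleCollection; all rules in it share one action."""
    return {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "action": {"type": action},
        "rules": rules,
        "name": name,
        "priority": priority,
    }


def rule_collection_group(policy_name, collections, group_priority=300):
    """The ruleCollectionGroups resource body (location/dependsOn left to the template)."""
    return {
        "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
        "apiVersion": "2020-05-01",
        "name": f"{policy_name}/DefaultApplicationRuleCollectionGroup",
        "properties": {"priority": group_priority, "ruleCollections": collections},
    }


def evaluation_order(group):
    """Collection names in the order the firewall evaluates them: lowest priority number first."""
    cols = group["properties"]["ruleCollections"]
    return [c["name"] for c in sorted(cols, key=lambda c: c["priority"])]


def lint(group):
    """Return the findings a reviewer would raise on this group (empty list == clean)."""
    findings = []
    seen = {}
    for col in group["properties"]["ruleCollections"]:
        prio = col["priority"]
        if not 100 <= prio <= 65000:
            findings.append(f"{col['name']}: priority {prio} is outside the 100-65000 range")
        if prio in seen:
            findings.append(f"{col['name']}: duplicate priority {prio} (also used by {seen[prio]})")
        seen[prio] = col["name"]
        for rule in col["rules"]:
            if rule.get("targetUrls") and not rule.get("terminateTLS"):
                findings.append(f"{rule['name']}: targetUrls need terminateTLS (URL filtering requires TLS inspection)")
            if "*" in rule.get("sourceAddresses", []):
                findings.append(f"{rule['name']}: sourceAddresses is '*'; scope it to the host pool subnet or an IP group")
    return findings


def build_demo_group(host_pool_subnet="10.0.1.0/24"):
    """The post's HTB collection plus an assumed DoH resolver collection at an earlier priority."""
    doh = filter_collection("DoHResolver", 350,
                            [application_rule("AllowDoH", ["dns.google/dns-query"], [host_pool_subnet])])
    htb = filter_collection("HTB", 400,
                            [application_rule("HTBAllow", ["htb.com"], [host_pool_subnet])])
    # Appended in the "wrong" order on purpose: priority, not list position, decides evaluation order.
    return rule_collection_group("DemoFirewallPolicy", [htb, doh])


if __name__ == "__main__":
    group = build_demo_group()
    print(json.dumps(group, indent=2))
    print("evaluation order:", evaluation_order(group))
    print("findings:", lint(group) or "none")
```

Because the DoH rule terminates TLS, the clients behind the firewall must trust the intermediate CA the firewall uses for TLS inspection, or Chrome will reject the inspected resolver connection just as it would any other intercepted site.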
If we look over in the logs we can use a parse statement to pull the fields out of the message and get some results back:
```kusto
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where TimeGenerated >= ago(5m)
| where msg_s !contains "Deny"
| parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport ". Action: " action "." *
| sort by TimeGenerated desc
```
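As an added example (not code from the post), here is the same parse carried out locally in Python over a handful of constructed AzureFirewallApplicationRule rows, so the extraction can be checked before it goes into a workbook or alert. The regular expression mirrors the KQL parse pattern above, recent_allowed applies the same five-minute window, Deny exclusion and descending sort, and denied_destinations is the companion view that made the missing DoH allow rule visible in the first place. The log message texts, timestamps and addresses are constructed sample data, not real firewall output.

```python
import re
from datetime import datetime, timedelta, timezone

# Mirrors the KQL:  parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport ". Action: " action "." *
MSG_RE = re.compile(
    r"from (?P<srcip>[^:\s]+):(?P<srcport>\d+) to (?P<dsturl>[^:\s]+):(?P<dstport>\d+)"
    r"\. Action: (?P<action>[^.]+)\."
)


def parse_msg(msg):
    """Extract srcip/srcport/dsturl/dstport/action from one msg_s value, or None if it does not match."""
    m = MSG_RE.search(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields["srcport"] = int(fields["srcport"])
    fields["dstport"] = int(fields["dstport"])
    return fields


def recent_allowed(rows, now, window=timedelta(minutes=5)):
    """Equivalent of the post's query: application-rule rows in the window, Deny rows dropped,
    parsed, newest first."""
    out = []
    for row in rows:
        if row["Category"] != "AzureFirewallApplicationRule":
            continue
        if row["TimeGenerated"] < now - window:          # TimeGenerated >= ago(5m)
            continue
        if "Deny" in row["msg_s"]:                        # msg_s !contains "Deny"
            continue
        parsed = parse_msg(row["msg_s"])
        if parsed is None:
            continue
        out.append({"TimeGenerated": row["TimeGenerated"], **parsed})
    return sorted(out, key=lambda r: r["TimeGenerated"], reverse=True)


def denied_destinations(rows):
    """Companion view: count of Deny rows per destination, so a resolver the
    firewall is blocking by default stands out."""
    counts = {}
    for row in rows:
        if row["Category"] != "AzureFirewallApplicationRule" or "Deny" not in row["msg_s"]:
            continue
        parsed = parse_msg(row["msg_s"])
        if parsed:
            counts[parsed["dsturl"]] = counts.get(parsed["dsturl"], 0) + 1
    return counts


# Constructed sample rows (not real logs). NOW stands in for the query time.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(minutes=8), "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.0.1.4:52344 to dns.google:443. Action: Deny. No rule matched. Proceeding with default action."},
    {"TimeGenerated": NOW - timedelta(minutes=3), "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.0.1.4:52348 to dns.google:443. Action: Deny. No rule matched. Proceeding with default action."},
    {"TimeGenerated": NOW - timedelta(minutes=2), "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.0.1.4:52350 to dns.google:443. Action: Allow. Rule Collection: DoHResolver. Rule: AllowDoH"},
    {"TimeGenerated": NOW - timedelta(minutes=1), "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.0.1.4:52351 to htb.com:443. Action: Allow. Rule Collection: HTB. Rule: HTBAllow"},
    {"TimeGenerated": NOW - timedelta(minutes=1), "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.0.1.4:52352 to 8.8.8.8:853. Action: Deny"},
]


if __name__ == "__main__":
    for r in recent_allowed(SAMPLE_ROWS, NOW):
        print(r["TimeGenerated"].time(), r["srcip"], "->", r["dsturl"], r["dstport"], r["action"])
    print("denied:", denied_destinations(SAMPLE_ROWS))
```

The network-rule row is excluded by the Category filter and the eight-minute-old deny by the time window, which is why a five-minute window is only useful immediately after reproducing the failure; widen ago(5m) when looking at a host pool that has been failing for a while.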
Check out the rule sample and others at
Feel free to make pull requests to add your Azure Firewall Premium samples. What are your examples the community could use or learn from?