Azure Firewall Features Testing

[AErmie]

Azure Firewall includes the following features that need to be evaluated and tested. This will influence what will be enabled and configured in the LIVE environment.

• Threat Intelligence
  • Set mode to "Alert and Deny"
  • Add IP address, range, or subnet, and/or FQDNs to the Allow List
  • Q: How will this be tested/confirmed as working?
• TLS Inspection
  • Enable
  • Requires the creation of a Managed Identity, Key Vault, and uploading a CA certificate and private key
  • How will this be tested/confirmed as working?
• IDPS
  • IDPS mode set to "Alert and Deny"
  • Modify existing Signature Rules (as required)
  • Set Private IP Ranges (as required)
  • Create Bypass List (as required)
  • Q: How will this be tested/confirmed as working?
• Private IP Ranges (SNAT)
  • Do we need to change any configurations on this feature?
• Explicit Proxy
  • Will we be using this feature? Note that it is a "preview" feature.

Acceptance Criteria

Generated by Zenhub AI

• [ ] Scenario: Testing Azure Firewall Features
  • Given the Azure Firewall features are implemented and configured
  • When testing each feature individually
  • Then the following tests should be performed:
    1. Threat Intelligence: Confirm that IP addresses, ranges, or subnets, and/or FQDNs added to the Allow List are allowed through the firewall.
    2. TLS Inspection: Enable TLS Inspection and confirm that it is working by testing encrypted traffic flow.
    3. IDPS: Set IDPS mode to "Alert and Deny" and modify Signature Rules, Private IP Ranges, and Bypass List as required. Confirm that the firewall blocks malicious traffic while allowing legitimate traffic.
    4. Private IP Ranges (SNAT): Check if any configurations need to be changed for SNAT and confirm proper functioning of SNAT rules.
    5. Explicit Proxy: If used, test its functionality and compatibility with other features.

[AErmie]

Preliminary Terraform code has been created that is used to create a Firewall Policy resource, along with configuring most of the features listed.

The only feature that has not yet been tested, is the TLS Inspection. This will require the creation of additional resources including a Managed Identity, a Key Vault, and a certificate.

This code can be found in the azure-lz-terraform-modules repo, under /azure_firewall/firewall_policy/ on the fw-policy branch.

[AErmie]

TLS Inspection Update

We now have Terraform code that creates a Managed Identity, a Key Vault, and a IAM Role Assignment (of the User-Assigned Managed Identity on the Key Vault resource).

Additionally, Terraform code has been developed to upload a certificate into the Key Vault.

Challenges

We are experiencing permissions issues that prevent changing the Key Vault from using Access Policies (default), to RBAC. We require Microsoft.Authorization/roleAssignments/write permissions.

[AErmie]

TLS Inspection Update #2

After testing the Azure RBAC permission model for Key Vault, it has been determined that Azure role-based access control (Azure RBAC) is not currently supported for authorization. Use the access policy model instead. See Azure Firewall Premium certificates for more details.

Created a shared module for Azure Key Vault > Access Policy, and confirmed that the Managed Identity only requires Secret: GET permissions. No other permissions (ie. Key / Certificate) are required.

Deployment Workflow

When creating an Azure Firewall Policy, if enabling the TLS Inspection premium feature, the Managed Identity, Key Vault, Key Vault Access Policy (granting the Managed ID access to the Key Vault), and Certificate, are expected to created (before the Policy itself is created).

This means the prescribed creating workflow would be:

• Resource Group > Managed Identity > Key Vault > Key Vault Access Policy > Certificate (upload) > Firewall Policy > Rule Collection Groups / Rules

[AErmie]

Based on the following Microsoft documentation (Deploy and configure Azure Firewall Premium), the following firewall features have been tested:

• TLS Inspection with URL filtering
• Web categories testing