Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries.
Organizations can use Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
Azure Firewall Premium includes the following features:
- TLS inspection - decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.
- IDPS - A network intrusion detection and prevention system (IDPS) allows you to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it.
- URL filtering - extends Azure Firewall’s FQDN filtering capability to consider an entire URL along with any additional path. For example,
- Web categories - administrators can allow or deny user access to website categories such as gambling websites, social media websites, and others.
The TLS (Transport Layer Security) protocol primarily provides cryptography for privacy, integrity, and authenticity using certificates between two or more communicating applications. It runs in the application layer and is widely used to encrypt the HTTP protocol.
Encrypted traffic poses a possible security risk: it can hide illegal user activity and malicious traffic. Azure Firewall without TLS inspection (as shown in the following diagram) has no visibility into the data that flows in the encrypted TLS tunnel, and so can't provide full protection coverage.
The second diagram shows how Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS. The firewall actually creates two dedicated TLS connections: one with the Web Server (contoso.com) and another connection with the client. Using the customer provided CA certificate, it generates an on-the-fly certificate, which replaces the Web Server certificate and shares it with the client to establish the TLS connection between the firewall and the client.
Azure Firewall without TLS inspection:
Azure Firewall with TLS inspection:
The following use cases are supported with Azure Firewall:
- Outbound TLS Inspection: to protect against malicious traffic that is sent from an internal client hosted in Azure to the Internet.
- East-West TLS Inspection (includes traffic that goes from/to an on-premises network): to protect your Azure workloads from potential malicious traffic sent from within Azure.
The following use case is supported by Azure Web Application Firewall on Azure Application Gateway:
- Inbound TLS Inspection: to protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption.
TLS 1.0 and 1.1 are being deprecated and won't be supported. These versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable; while they still work to allow backwards compatibility, they aren't recommended. Migrate to TLS 1.2 as soon as possible.
To learn more about Azure Firewall Premium Intermediate CA certificate requirements, see Azure Firewall Premium certificates.
A network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it.
Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 3-7), they're fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic. Spoke-to-spoke (East-West) includes traffic that goes from/to an on-premises network. You can configure your IDPS private IP address ranges using the Private IP ranges preview feature. For more information, see IDPS Private IP ranges.
The Azure Firewall signatures/rulesets include:
- An emphasis on fingerprinting actual malware, Command and Control, exploit kits, and in the wild malicious activity missed by traditional prevention methods.
- Over 58,000 rules in over 50 categories.
- The categories include malware command and control, phishing, trojans, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.
- 20 to 40+ new rules are released each day.
- Low false positive rating by using state-of-the-art malware detection techniques such as global sensor network feedback loop.
IDPS allows you to detect attacks in all ports and protocols for non-encrypted traffic. However, when HTTPS traffic needs to be inspected, Azure Firewall can use its TLS inspection capability to decrypt the traffic and better detect malicious activities.
The IDPS Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list.
IDPS Private IP ranges
In Azure Firewall Premium IDPS, private IP address ranges are used to identify if traffic is inbound, outbound, or internal (East-West). Each signature is applied on specific traffic direction, as indicated in the signature rules table. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. So traffic sent from a private IP address range to a private IP address range is considered internal. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.
IDPS signature rules
IDPS signature rules allow you to:
- Customize one or more signatures and change their mode to Disabled, Alert or Alert and Deny.
  For example, if you receive a false positive where a legitimate request is blocked by Azure Firewall due to a faulty signature, you can take the signature ID from the network rules logs and set its IDPS mode to off. This causes the "faulty" signature to be ignored and resolves the false positive issue.
  You can apply the same fine-tuning procedure to signatures that create too many low-priority alerts and therefore interfere with visibility for high-priority alerts.
- Get a holistic view of the entire 55,000 signatures.
- Search through the entire signatures database by any type of attribute. For example, you can search for a specific CVE-ID to discover which signatures cover this CVE by typing the ID in the search bar.
IDPS signature rules have the following properties:
- Signature ID: Internal ID for each signature. This ID is also presented in Azure Firewall Network Rules logs.
- Mode: Indicates whether the signature is active, and whether the firewall will drop or alert on matched traffic. The signature mode can override the IDPS mode:
  - Disabled: The signature isn't enabled on your firewall.
  - Alert: You'll receive alerts when suspicious traffic is detected.
  - Alert and Deny: You'll receive alerts and suspicious traffic will be blocked. A few signature categories are defined as "Alert Only", so by default traffic matching their signatures won't be blocked even when the IDPS mode is set to "Alert and Deny". Customers can override this by customizing these specific signatures to "Alert and Deny" mode.
  Note: IDPS alerts are available in the portal via the network rule log query.
- Severity: Each signature has an associated severity level and assigned priority that indicates the probability that the signature is an actual attack.
  - Low (priority 3): An abnormal event (one that doesn't normally occur on a network) or an informational event is logged. The probability of attack is low.
  - Medium (priority 2): The signature indicates an attack of a suspicious nature. The administrator should investigate further.
  - High (priority 1): The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.
- Direction: The traffic direction for which the signature is applied.
  - Inbound: Signature is applied only on traffic arriving from the Internet and destined to your configured private IP address range.
  - Outbound: Signature is applied only on traffic sent from your configured private IP address range to the Internet.
  - Bidirectional: Signature is always applied, on any traffic direction.
- Group: The group name that the signature belongs to.
- Description: Structured from the following three parts:
  - Category name: The category name that the signature belongs to, as described in Azure Firewall IDPS signature rule categories.
  - High-level description of the signature.
  - CVE-ID (optional), in the case where the signature is associated with a specific CVE. The ID is listed here.
- Protocol: The protocol associated with this signature.
- Source/Destination Ports: The ports associated with this signature.
- Last updated: The last date that this signature was introduced or modified.
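The direction, bypass-list and mode-precedence rules described above can be modelled in a few lines. The following Python is an added example written for this page, not Microsoft's code or any Azure SDK/API: signature IDs, the bypass range and the `External` label for traffic with no private endpoint are constructed for illustration, and the assumption that a directional signature applies only when the computed direction matches (so internal traffic only matches Bidirectional signatures) is this model's, not something the page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default private ranges (IANA RFC 1918), as the page states; a policy can replace them.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def classify_direction(src: str, dst: str, private_ranges=RFC1918) -> str:
    """Derive Inbound/Outbound/Internal from the policy's private IP ranges."""
    nets = [ip_network(r) for r in private_ranges]
    src_private = any(ip_address(src) in n for n in nets)
    dst_private = any(ip_address(dst) in n for n in nets)
    if src_private and dst_private:
        return "Internal"      # East-West (includes on-premises ranges if configured)
    if src_private:
        return "Outbound"
    if dst_private:
        return "Inbound"
    return "External"          # constructed label: neither end is in a private range


@dataclass
class Signature:
    sig_id: int                        # constructed IDs; real IDs come from the signature table
    direction: str                     # Inbound, Outbound or Bidirectional
    alert_only: bool = False           # category defined as "Alert Only"
    override: Optional[str] = None     # per-signature customization: Disabled, Alert, Alert and Deny


@dataclass
class IdpsPolicy:
    mode: str                          # Off, Alert, or "Alert and Deny"
    private_ranges: tuple = RFC1918
    bypass: tuple = ()                 # IDPS Bypass List: traffic to these ranges is not filtered


def effective_action(policy: IdpsPolicy, sig: Signature, src: str, dst: str) -> str:
    """Resolve what IDPS does with traffic that matches `sig`."""
    if any(ip_address(dst) in ip_network(b) for b in policy.bypass):
        return "Bypass"                 # bypass list wins over everything else
    if policy.mode == "Off":
        return "Off"
    direction = classify_direction(src, dst, policy.private_ranges)
    # Assumption: a signature applies when its direction matches, or it is Bidirectional.
    if sig.direction not in ("Bidirectional", direction):
        return "NotApplicable"
    if sig.override is not None:
        return sig.override             # a customized signature mode overrides the IDPS mode
    if sig.alert_only and policy.mode == "Alert and Deny":
        return "Alert"                  # "Alert Only" categories are never denied by default
    return policy.mode
```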
URL filtering extends Azure Firewall’s FQDN filtering capability to consider an entire URL. For example,
www.contoso.com/a/c instead of
URL Filtering can be applied both on HTTP and HTTPS traffic. When HTTPS traffic is inspected, Azure Firewall Premium can use its TLS inspection capability to decrypt the traffic and extract the target URL to validate whether access is permitted. TLS inspection requires opt-in at the application rule level. Once enabled, you can use URLs for filtering with HTTPS.
Web categories let administrators allow or deny user access to website categories such as gambling websites, social media websites, and others. Web categories are also included in Azure Firewall Standard, but they are more fine-tuned in Azure Firewall Premium. As opposed to the Web categories capability in the Standard SKU, which matches the category based on an FQDN, the Premium SKU matches the category according to the entire URL for both HTTP and HTTPS traffic.
For example, if Azure Firewall intercepts an HTTPS request for www.google.com/news, the following categorization is expected:
- Firewall Standard: only the FQDN part will be examined, so www.google.com will be categorized as Search Engine.
- Firewall Premium: the complete URL will be examined, so www.google.com/news will be categorized as News.
The categories are organized based on severity under Liability, High-Bandwidth, Business Use, Productivity Loss, General Surfing, and Uncategorized. For a detailed description of the web categories, see Azure Firewall web categories.
Web category logging
You can view traffic that has been filtered by Web categories in the Application logs. The Web categories field is only displayed if the category has been explicitly configured in your firewall policy application rules. For example, if you don't have a rule that explicitly denies Search Engines, and a user requests to go to www.bing.com, only a default deny message is displayed rather than a Web categories message, because the web category wasn't explicitly configured.
You can create exceptions to your web category rules. Create a separate allow or deny rule collection with a higher priority within the rule collection group. For example, you can configure a rule collection that allows www.linkedin.com with priority 100, with a rule collection that denies Social networking with priority 200. This creates the exception for the pre-defined Social networking web category.
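The Standard-versus-Premium categorization, the priority-ordered exception, and the "category only logged when explicitly configured" behaviour described above, as an added Python model written for this page (not Microsoft's code or an Azure API). The category tables are constructed stand-ins for Azure's categorization service, and the rule collection names are made up.

```python
from dataclasses import dataclass

# Constructed category tables for illustration; Azure's categorization service is the real source.
URL_CATEGORIES = {"www.google.com/news": "News"}
FQDN_CATEGORIES = {
    "www.google.com": "Search Engine",
    "www.bing.com": "Search Engine",
    "www.linkedin.com": "Social networking",
}


def categorize(url: str, sku: str) -> str:
    """Standard SKU matches on the FQDN only; Premium SKU matches on the entire URL."""
    fqdn = url.split("/", 1)[0]
    if sku == "Premium":
        for prefix, category in URL_CATEGORIES.items():
            if url == prefix or url.startswith(prefix + "/"):
                return category
    return FQDN_CATEGORIES.get(fqdn, "Uncategorized")


@dataclass
class RuleCollection:
    name: str                      # constructed name
    priority: int                  # lower number is evaluated first
    action: str                    # Allow or Deny
    target_fqdns: tuple = ()
    web_categories: tuple = ()


def evaluate(url: str, collections, sku: str = "Premium"):
    """Return (action, logged web category); None means no Web categories field is logged."""
    fqdn = url.split("/", 1)[0]
    category = categorize(url, sku)
    for rc in sorted(collections, key=lambda c: c.priority):
        if fqdn in rc.target_fqdns:
            return rc.action, None           # matched an explicit FQDN, not a category
        if category in rc.web_categories:
            return rc.action, category       # category was explicitly configured, so it is logged
    return "Deny", None                      # default deny: only the default deny message


# The exception from the page: allow www.linkedin.com (priority 100) ahead of the
# rule collection that denies Social networking (priority 200).
POLICY = (
    RuleCollection("allow-linkedin", 100, "Allow", target_fqdns=("www.linkedin.com",)),
    RuleCollection("deny-social", 200, "Deny", web_categories=("Social networking",)),
)
```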
Web category search
You can identify what category a given FQDN or URL is by using the Web Category Check feature. To use this, select the Web Categories tab under Firewall Policy Settings. This is useful when defining your application rules for destination traffic.
To use the Web Category Check feature, the user must have the Microsoft.Network/azureWebCategories/getwebcategory/action permission at the subscription level, not the resource group level.
Under the Web Categories tab in Firewall Policy Settings, you can request a category change if you:
- think an FQDN or URL should be under a different category
- have a suggested category for an uncategorized FQDN or URL
Once you submit a category change report, you'll be given a token in the notifications that indicates we've received the request for processing. You can check whether the request is in progress, denied, or approved by entering the token in the search bar. Be sure to save your token ID to do so.
For the supported regions for Azure Firewall, see Azure products available by region.
- Learn about Azure Firewall Premium certificates
- Deploy and configure Azure Firewall Premium
- Migrate to Azure Firewall Premium