Firewall Policies - Get

Gets the specified Firewall Policy.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2024-03-01
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2024-03-01&$expand={$expand}

URI Parameters

Name | In | Required | Type | Description
firewallPolicyName | path | True | string | The name of the Firewall Policy.
resourceGroupName | path | True | string | The name of the resource group.
subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version | query | True | string | Client API version.
$expand | query | | string | Expands referenced resources.

Responses

Name | Type | Description
200 OK | FirewallPolicy | Request successful. The operation returns a Firewall Policy resource.
Other Status Codes | CloudError | Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name | Description
user_impersonation | impersonate your user account

Examples

Get FirewallPolicy

Sample request

GET https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy?api-version=2024-03-01

Sample response

{
  "name": "firewallPolicy",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy",
  "type": "Microsoft.Network/firewallPolicies",
  "etag": "w/\\00000000-0000-0000-0000-000000000000\\",
  "location": "West US",
  "tags": {
    "key1": "value1"
  },
  "properties": {
    "size": "0.5MB",
    "provisioningState": "Succeeded",
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "ruleCollectionGroups": [
      {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/ruleCollectionGroups/ruleCollectionGroup1"
      }
    ],
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "firewalls": [],
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "sku": {
      "tier": "Premium"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    },
    "transportSecurity": {
      "certificateAuthority": {
        "name": "clientcert",
        "keyVaultSecretId": "https://kv/secret"
      }
    }
  }
}
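
The following Python sketch is an added example, not part of the Azure reference: it audits the body returned by this GET call for settings a defender would review (Alert-only modes, wildcard allowlist entries, broad IDPS bypass rules, and the SAS token echoed in explicitProxy.pacFile). The function name, the check labels and the Deny/read-only baseline are assumptions; the sample input is constructed from the response above with a placeholder host and signature.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a trimmed copy of the response above. The PAC URL host and
# signature are placeholders; sp/se are the values shown in the sample response.
SAMPLE = json.loads("""{"properties": {
  "threatIntelMode": "Alert",
  "threatIntelWhitelist": {"ipAddresses": ["20.3.4.5"], "fqdns": ["*.microsoft.com"]},
  "insights": {"isEnabled": true, "retentionDays": 100},
  "dnsSettings": {"servers": ["30.3.4.5"], "enableProxy": true},
  "explicitProxy": {"enablePacFile": true, "pacFile":
    "https://example.invalid/proxy.pac?sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&sig=PLACEHOLDER"},
  "intrusionDetection": {"mode": "Alert", "configuration": {
    "signatureOverrides": [{"id": "2525004", "mode": "Deny"}],
    "bypassTrafficSettings": [{"name": "bypassRule1", "protocol": "TCP",
      "destinationAddresses": ["5.6.7.8"], "destinationPorts": ["*"]}]}}}}""")

def audit_policy(policy, now=None):
    """Return (check, detail) findings; the Deny/read-only baseline is an assumption."""
    now = now or datetime.now(timezone.utc)
    p, out = policy.get("properties", {}), []
    if p.get("threatIntelMode") != "Deny":
        out.append(("threat-intel-not-deny", p.get("threatIntelMode")))
    for fqdn in p.get("threatIntelWhitelist", {}).get("fqdns", []):
        if fqdn.startswith("*"):
            out.append(("ti-allowlist-wildcard", fqdn))
    ids = p.get("intrusionDetection", {})
    if ids.get("mode") != "Deny":
        out.append(("idps-not-deny", ids.get("mode")))
    cfg = ids.get("configuration", {})
    for sig in cfg.get("signatureOverrides", []):
        if sig.get("mode") == "Off":
            out.append(("idps-signature-off", sig.get("id")))
    for rule in cfg.get("bypassTrafficSettings", []):
        if "*" in rule.get("destinationPorts", []) or rule.get("protocol") == "ANY":
            out.append(("idps-bypass-broad", rule.get("name")))
    if not p.get("insights", {}).get("isEnabled"):
        out.append(("insights-disabled", None))
    if not p.get("dnsSettings", {}).get("enableProxy"):
        out.append(("dns-proxy-disabled", None))
    # The GET response echoes the PAC file SAS URL, token included.
    q = parse_qs(urlsplit(p.get("explicitProxy", {}).get("pacFile", "")).query)
    if "sig" in q:
        perms = q.get("sp", [""])[0]
        out.append(("pac-sas-in-response", "sp=" + perms))
        if set(perms) - {"r"}:
            out.append(("pac-sas-beyond-read", perms))
        expiry = datetime.fromisoformat(q.get("se", ["9999-12-31"])[0].replace("Z", "+00:00"))
        if expiry.replace(tzinfo=timezone.utc) < now:
            out.append(("pac-sas-expired", q["se"][0]))
    return out

if __name__ == "__main__":
    print(*audit_policy(SAMPLE), sep="\n")
```

Because the response carries the SAS token, treat stored copies of it (logs, tickets, exported inventories) as containing a credential.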

Definitions

Name | Description
AutoLearnPrivateRangesMode | The operation mode for automatically learning private ranges to not be SNAT
AzureFirewallThreatIntelMode | The operation mode for Threat Intel.
CloudError | An error response from the service.
CloudErrorBody | An error response from the service.
DnsSettings | DNS Proxy Settings in Firewall Policy.
ExplicitProxy | Explicit Proxy Settings in Firewall Policy.
FirewallPolicy | FirewallPolicy Resource.
FirewallPolicyCertificateAuthority | Trusted Root certificates properties for TLS.
FirewallPolicyInsights | Firewall Policy Insights.
FirewallPolicyIntrusionDetection | Configuration for intrusion detection mode and rules.
FirewallPolicyIntrusionDetectionBypassTrafficSpecifications | Intrusion detection bypass traffic specification.
FirewallPolicyIntrusionDetectionConfiguration | The operation for configuring intrusion detection.
FirewallPolicyIntrusionDetectionProfileType | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.
FirewallPolicyIntrusionDetectionProtocol | The rule bypass protocol.
FirewallPolicyIntrusionDetectionSignatureSpecification | Intrusion detection signatures specification states.
FirewallPolicyIntrusionDetectionStateType | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.
FirewallPolicyLogAnalyticsResources | Log Analytics Resources for Firewall Policy Insights.
FirewallPolicyLogAnalyticsWorkspace | Log Analytics Workspace for Firewall Policy Insights.
FirewallPolicySku | SKU of Firewall policy.
FirewallPolicySkuTier | Tier of Firewall Policy.
FirewallPolicySNAT | The private IP addresses/IP ranges to which traffic will not be SNAT.
FirewallPolicySQL | SQL Settings in Firewall Policy.
FirewallPolicyThreatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy.
FirewallPolicyTransportSecurity | Configuration needed to perform TLS termination & initiation.
ManagedServiceIdentity | Identity for the resource.
ProvisioningState | The current provisioning state.
ResourceIdentityType | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
SubResource | Reference to another subresource.
UserAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

AutoLearnPrivateRangesMode

The operation mode for automatically learning private ranges to not be SNAT

Name | Type | Description
Disabled | string |
Enabled | string |

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

Name | Type | Description
Alert | string |
Deny | string |
Off | string |

CloudError

An error response from the service.

Name | Type | Description
error | CloudErrorBody | Cloud error body.

CloudErrorBody

An error response from the service.

Name | Type | Description
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details | CloudErrorBody[] | A list of additional details about the error.
message | string | A message describing the error, intended to be suitable for display in a user interface.
target | string | The target of the particular error. For example, the name of the property in error.

DnsSettings

DNS Proxy Settings in Firewall Policy.

Name | Type | Description
enableProxy | boolean | Enable DNS Proxy on Firewalls attached to the Firewall Policy.
requireProxyForNetworkRules | boolean | FQDNs in Network Rules are supported when set to true.
servers | string[] | List of Custom DNS Servers.

ExplicitProxy

Explicit Proxy Settings in Firewall Policy.

Name | Type | Description
enableExplicitProxy | boolean | When set to true, explicit proxy mode is enabled.
enablePacFile | boolean | When set to true, the PAC file port and URL need to be provided.
httpPort | integer | Port number for explicit proxy http protocol, cannot be greater than 64000.
httpsPort | integer | Port number for explicit proxy https protocol, cannot be greater than 64000.
pacFile | string | SAS URL for PAC file.
pacFilePort | integer | Port number for firewall to serve PAC file.

FirewallPolicy

FirewallPolicy Resource.

Name | Type | Description
etag | string | A unique read-only string that changes whenever the resource is updated.
id | string | Resource ID.
identity | ManagedServiceIdentity | The identity of the firewall policy.
location | string | Resource location.
name | string | Resource name.
properties.basePolicy | SubResource | The parent firewall policy from which rules are inherited.
properties.childPolicies | SubResource[] | List of references to Child Firewall Policies.
properties.dnsSettings | DnsSettings | DNS Proxy Settings definition.
properties.explicitProxy | ExplicitProxy | Explicit Proxy Settings definition.
properties.firewalls | SubResource[] | List of references to Azure Firewalls that this Firewall Policy is associated with.
properties.insights | FirewallPolicyInsights | Insights on Firewall Policy.
properties.intrusionDetection | FirewallPolicyIntrusionDetection | The configuration for Intrusion detection.
properties.provisioningState | ProvisioningState | The provisioning state of the firewall policy resource.
properties.ruleCollectionGroups | SubResource[] | List of references to FirewallPolicyRuleCollectionGroups.
properties.size | string | A read-only string that represents the size of the FirewallPolicyPropertiesFormat in MB (e.g. 0.5MB).
properties.sku | FirewallPolicySku | The Firewall Policy SKU.
properties.snat | FirewallPolicySNAT | The private IP addresses/IP ranges to which traffic will not be SNAT.
properties.sql | FirewallPolicySQL | SQL Settings definition.
properties.threatIntelMode | AzureFirewallThreatIntelMode | The operation mode for Threat Intelligence.
properties.threatIntelWhitelist | FirewallPolicyThreatIntelWhitelist | ThreatIntel Whitelist for Firewall Policy.
properties.transportSecurity | FirewallPolicyTransportSecurity | TLS Configuration definition.
tags | object | Resource tags.
type | string | Resource type.

FirewallPolicyCertificateAuthority

Trusted Root certificates properties for TLS.

Name | Type | Description
keyVaultSecretId | string | Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
name | string | Name of the CA certificate.

FirewallPolicyInsights

Firewall Policy Insights.

Name | Type | Description
isEnabled | boolean | A flag to indicate if the insights are enabled on the policy.
logAnalyticsResources | FirewallPolicyLogAnalyticsResources | Workspaces needed to configure the Firewall Policy Insights.
retentionDays | integer | Number of days the insights should be enabled on the policy.

FirewallPolicyIntrusionDetection

Configuration for intrusion detection mode and rules.

Name | Type | Description
configuration | FirewallPolicyIntrusionDetectionConfiguration | Intrusion detection configuration properties.
mode | FirewallPolicyIntrusionDetectionStateType | Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.
profile | FirewallPolicyIntrusionDetectionProfileType | IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Intrusion detection bypass traffic specification.

Name | Type | Description
description | string | Description of the bypass traffic rule.
destinationAddresses | string[] | List of destination IP addresses or ranges for this rule.
destinationIpGroups | string[] | List of destination IpGroups for this rule.
destinationPorts | string[] | List of destination ports or ranges.
name | string | Name of the bypass traffic rule.
protocol | FirewallPolicyIntrusionDetectionProtocol | The rule bypass protocol.
sourceAddresses | string[] | List of source IP addresses or ranges for this rule.
sourceIpGroups | string[] | List of source IpGroups for this rule.

FirewallPolicyIntrusionDetectionConfiguration

The operation for configuring intrusion detection.

Name | Type | Description
bypassTrafficSettings | FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[] | List of rules for traffic to bypass.
privateRanges | string[] | IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property.
signatureOverrides | FirewallPolicyIntrusionDetectionSignatureSpecification[] | List of specific signature states.

FirewallPolicyIntrusionDetectionProfileType

IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

Name | Type | Description
Advanced | string |
Basic | string |
Extended | string |
Standard | string |

FirewallPolicyIntrusionDetectionProtocol

The rule bypass protocol.

Name | Type | Description
ANY | string |
ICMP | string |
TCP | string |
UDP | string |

FirewallPolicyIntrusionDetectionSignatureSpecification

Intrusion detection signatures specification states.

Name | Type | Description
id | string | Signature id.
mode | FirewallPolicyIntrusionDetectionStateType | The signature state.

FirewallPolicyIntrusionDetectionStateType

Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.

Name | Type | Description
Alert | string |
Deny | string |
Off | string |

FirewallPolicyLogAnalyticsResources

Log Analytics Resources for Firewall Policy Insights.

Name | Type | Description
defaultWorkspaceId | SubResource | The default workspace Id for Firewall Policy Insights.
workspaces | FirewallPolicyLogAnalyticsWorkspace[] | List of workspaces for Firewall Policy Insights.

FirewallPolicyLogAnalyticsWorkspace

Log Analytics Workspace for Firewall Policy Insights.

Name | Type | Description
region | string | Region to configure the Workspace.
workspaceId | SubResource | The workspace Id for Firewall Policy Insights.

FirewallPolicySku

SKU of Firewall policy.

Name | Type | Description
tier | FirewallPolicySkuTier | Tier of Firewall Policy.

FirewallPolicySkuTier

Tier of Firewall Policy.

Name | Type | Description
Basic | string |
Premium | string |
Standard | string |

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNAT.

Name | Type | Description
autoLearnPrivateRanges | AutoLearnPrivateRangesMode | The operation mode for automatically learning private ranges to not be SNAT
privateRanges | string[] | List of private IP addresses/IP address ranges to not be SNAT.

FirewallPolicySQL

SQL Settings in Firewall Policy.

Name | Type | Description
allowSqlRedirect | boolean | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

Name | Type | Description
fqdns | string[] | List of FQDNs for the ThreatIntel Whitelist.
ipAddresses | string[] | List of IP addresses for the ThreatIntel Whitelist.

FirewallPolicyTransportSecurity

Configuration needed to perform TLS termination & initiation.

Name | Type | Description
certificateAuthority | FirewallPolicyCertificateAuthority | The CA used for intermediate CA generation.

ManagedServiceIdentity

Identity for the resource.

Name | Type | Description
principalId | string | The principal id of the system assigned identity. This property will only be provided for a system assigned identity.
tenantId | string | The tenant id of the system assigned identity. This property will only be provided for a system assigned identity.
type | ResourceIdentityType | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
userAssignedIdentities | UserAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

ProvisioningState

The current provisioning state.

Name | Type | Description
Deleting | string |
Failed | string |
Succeeded | string |
Updating | string |

ResourceIdentityType

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

Name | Type | Description
None | string |
SystemAssigned | string |
SystemAssigned, UserAssigned | string |
UserAssigned | string |

SubResource

Reference to another subresource.

Name | Type | Description
id | string | Resource ID.

UserAssignedIdentities

The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name Type Description