Firewall Policy Drafts - Create Or Update

Create or update the draft of a Firewall Policy. Each policy has a single draft, addressed in the URI as firewallPolicyDrafts/default.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}/firewallPolicyDrafts/default?api-version=2024-03-01

URI Parameters

Name In Required Type Description
firewallPolicyName
path True

string

The name of the Firewall Policy.

Regex pattern: ^[^_\W][\w-._]{0,79}(?<![-.])$

resourceGroupName
path True

string

The name of the resource group.

subscriptionId
path True

string

The subscription ID that uniquely identifies the Microsoft Azure subscription. It forms part of the URI for every service call.

api-version
query True

string

Client API version.

Request Body

Name Type Description
id

string

Resource ID.

location

string

Resource location.

properties.basePolicy

SubResource

The parent firewall policy from which rules are inherited.

properties.dnsSettings

DnsSettings

DNS Proxy Settings definition.

properties.explicitProxy

ExplicitProxy

Explicit Proxy Settings definition.

properties.insights

FirewallPolicyInsights

Insights on Firewall Policy.

properties.intrusionDetection

FirewallPolicyIntrusionDetection

The configuration for Intrusion detection.

properties.snat

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNATed.

properties.sql

FirewallPolicySQL

SQL Settings definition.

properties.threatIntelMode

AzureFirewallThreatIntelMode

The operation mode for Threat Intelligence.

properties.threatIntelWhitelist

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

tags

object

Resource tags.

Responses

Name Type Description
200 OK

FirewallPolicyDraft

OK

201 Created

FirewallPolicyDraft

Created

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account
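Putting the pieces above together, here is an added example (not code from this reference or from the Azure SDK) that validates the path parameters, builds the draft URL, sends the PUT with a bearer token, and flattens a CloudError response for logging. It assumes the token is supplied in an ARM_TOKEN environment variable (for example from an interactive sign-in) and uses "subid", "rg1" and "firewallPolicy" as placeholder values, as the sample request does. The firewallPolicyName regex is the page's own, rewritten with the hyphen escaped so that Python's re module accepts the character class.

```python
"""Added example, not from the Azure REST reference or the Azure SDK: validate
the path parameters, build the draft URL and issue the PUT with a bearer token.
Assumption: the bearer token is supplied in the ARM_TOKEN environment variable."""
import json
import os
import re
import urllib.error
import urllib.request

ARM_BASE = "https://management.azure.com"
API_VERSION = "2024-03-01"

# The firewallPolicyName regex from this page, ^[^_\W][\w-._]{0,79}(?<![-.])$,
# with '-' escaped inside the character class so Python's re module accepts it:
# first char a word char other than '_', up to 79 more of [A-Za-z0-9_.-],
# and the name must not end in '-' or '.'.
POLICY_NAME_RE = re.compile(r"^[^_\W][\w\-.]{0,79}(?<![-.])$")


def valid_policy_name(name: str) -> bool:
    """True when name satisfies the firewallPolicyName constraint."""
    return POLICY_NAME_RE.fullmatch(name) is not None


def draft_url(subscription_id: str, resource_group: str, policy_name: str) -> str:
    """URL of the policy's single draft; the draft name is always 'default'."""
    if not valid_policy_name(policy_name):
        raise ValueError(f"invalid firewallPolicyName: {policy_name!r}")
    return (f"{ARM_BASE}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/firewallPolicies/{policy_name}"
            f"/firewallPolicyDrafts/default?api-version={API_VERSION}")


def build_request(url: str, body: dict, token: str) -> urllib.request.Request:
    """PUT request carrying the FirewallPolicyDraft body and the bearer token."""
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def cloud_error_summary(payload: bytes) -> str:
    """Flatten a CloudError body (error.code/message/target/details) into one line."""
    try:
        err = json.loads(payload).get("error", {})
    except ValueError:
        return payload.decode("utf-8", "replace")
    parts = [f"{err.get('code', '?')}: {err.get('message', '')}"]
    if err.get("target"):
        parts.append(f"target={err['target']}")
    for detail in err.get("details", []):
        parts.append(f"{detail.get('code', '?')}: {detail.get('message', '')}")
    return "; ".join(parts)


def put_draft(subscription_id, resource_group, policy_name, body, token):
    """Create or update the draft; returns (status, FirewallPolicyDraft dict).
    200 means updated, 201 means created; any error is raised with the CloudError text."""
    url = draft_url(subscription_id, resource_group, policy_name)
    req = build_request(url, body, token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"PUT failed ({e.code}): {cloud_error_summary(e.read())}") from e


if __name__ == "__main__":
    # Minimal draft body; subscription, resource group and policy name are placeholders.
    draft = {"properties": {"threatIntelMode": "Deny",
                            "intrusionDetection": {"mode": "Alert", "profile": "Standard"}}}
    status, result = put_draft("subid", "rg1", "firewallPolicy", draft, os.environ["ARM_TOKEN"])
    print(status, result.get("properties", {}).get("threatIntelMode"))
```

Validating the name client-side only saves a round trip; the service enforces the same pattern and returns a CloudError, which is why the error body is parsed rather than discarded. The token must carry the user_impersonation scope described under Security.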

Examples

create or update firewall policy draft

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy/firewallPolicyDrafts/default?api-version=2024-03-01

{
  "properties": {
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "profile": "Balanced",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    }
  }
}

Sample response

{
  "name": "firewallPolicy",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/firewallPolicies/firewallPolicy",
  "type": "Microsoft.Network/firewallPolicies",
  "properties": {
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {
      "ipAddresses": [
        "20.3.4.5"
      ],
      "fqdns": [
        "*.microsoft.com"
      ]
    },
    "insights": {
      "isEnabled": true,
      "retentionDays": 100,
      "logAnalyticsResources": {
        "workspaces": [
          {
            "region": "westus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace1"
            }
          },
          {
            "region": "eastus",
            "workspaceId": {
              "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/workspace2"
            }
          }
        ],
        "defaultWorkspaceId": {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.operationalinsights/workspaces/defaultWorkspace"
        }
      }
    },
    "snat": {
      "privateRanges": [
        "IANAPrivateRanges"
      ]
    },
    "sql": {
      "allowSqlRedirect": true
    },
    "dnsSettings": {
      "servers": [
        "30.3.4.5"
      ],
      "enableProxy": true,
      "requireProxyForNetworkRules": false
    },
    "explicitProxy": {
      "enableExplicitProxy": true,
      "httpPort": 8087,
      "httpsPort": 8087,
      "enablePacFile": true,
      "pacFilePort": 8087,
      "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D"
    },
    "intrusionDetection": {
      "mode": "Alert",
      "profile": "Balanced",
      "configuration": {
        "signatureOverrides": [
          {
            "id": "2525004",
            "mode": "Deny"
          }
        ],
        "bypassTrafficSettings": [
          {
            "name": "bypassRule1",
            "description": "Rule 1",
            "protocol": "TCP",
            "sourceAddresses": [
              "1.2.3.4"
            ],
            "destinationAddresses": [
              "5.6.7.8"
            ],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      }
    }
  }
}
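The sample body above bundles most of the settings this page defines, and several of them carry constraints stated only in the definitions (explicit proxy ports cannot exceed 64000, enablePacFile requires a PAC file URL and port, IDPS and threat-intel modes are Off/Alert/Deny, the effective IDPS mode under a parent policy is the stricter of the two). Here is an added example, not Microsoft's code, that checks a draft body against those constraints before it is sent, plus a few explicitly labelled heuristics a reviewer would apply: the PAC file SAS URL in the sample grants every storage permission (sp=rwdlacuptfx) and expired in 2021, the threat-intel allowlist contains a wildcard FQDN, and the IDPS bypass rule covers every destination port. It assumes the PAC URL is a standard Azure Storage SAS URL carrying sp= and se= query parameters; the embedded body is a trimmed copy of the sample request.

```python
"""Added example (not Microsoft's code): lint a FirewallPolicyDraft body
against the constraints stated in this reference plus a few labelled
security heuristics, before sending the PUT."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

MAX_PROXY_PORT = 64000                          # ExplicitProxy: ports cannot exceed 64000
STRICTNESS = {"Off": 0, "Alert": 1, "Deny": 2}  # ordering used for "stricter mode"


def effective_idps_mode(draft_mode: str, parent_mode: str) -> str:
    """Stricter of the two modes, as the reference describes for a policy
    attached to a parent (base) policy."""
    return max(draft_mode, parent_mode, key=STRICTNESS.__getitem__)


def check_pac_sas(url: str, now: datetime) -> list:
    """Heuristics for the PAC file SAS URL. Assumption: it carries the standard
    Azure Storage SAS query parameters sp= (permissions) and se= (expiry, UTC)."""
    problems = []
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    if parsed.scheme != "https":
        problems.append("pacFile: URL is not https")
    perms = q.get("sp", [""])[0]
    if set(perms) - {"r", "l"}:                 # serving a PAC file only needs read
        problems.append(f"pacFile: SAS grants more than read (sp={perms})")
    expiry = q.get("se", [None])[0]
    if expiry is None:
        problems.append("pacFile: SAS has no expiry (se=)")
    else:
        exp = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append(f"pacFile: SAS expired at {expiry}")
    return problems


def lint_draft(body: dict, now: datetime = None) -> list:
    """Return a list of problems (empty when the draft passes every check)."""
    now = now or datetime.now(timezone.utc)
    p = body.get("properties", {})
    problems = []
    if p.get("threatIntelMode") in (None, "Off"):
        problems.append("threatIntelMode: not Alert or Deny")
    for fqdn in p.get("threatIntelWhitelist", {}).get("fqdns", []):
        if fqdn.startswith("*"):                # heuristic: wildcard exempts a whole domain
            problems.append(f"threatIntelWhitelist: wildcard FQDN {fqdn}")
    ep = p.get("explicitProxy", {})
    if ep.get("enableExplicitProxy"):
        for key in ("httpPort", "httpsPort"):
            if ep.get(key) is None or ep[key] > MAX_PROXY_PORT:
                problems.append(f"explicitProxy.{key}: missing or greater than {MAX_PROXY_PORT}")
        if ep.get("enablePacFile"):
            if not ep.get("pacFile") or ep.get("pacFilePort") is None:
                problems.append("explicitProxy: enablePacFile requires pacFile and pacFilePort")
            else:
                problems.extend(check_pac_sas(ep["pacFile"], now))
    ids = p.get("intrusionDetection", {})
    if ids.get("mode") in (None, "Off"):
        problems.append("intrusionDetection.mode: IDPS is Off")
    for rule in ids.get("configuration", {}).get("bypassTrafficSettings", []):
        if "*" in rule.get("destinationPorts", []):   # heuristic: blanket IDPS bypass
            problems.append(f"bypassTrafficSettings[{rule.get('name')}]: bypasses IDPS on all ports")
    return problems


# Trimmed copy of this page's sample request body.
SAMPLE_DRAFT = {"properties": {
    "threatIntelMode": "Alert",
    "threatIntelWhitelist": {"ipAddresses": ["20.3.4.5"], "fqdns": ["*.microsoft.com"]},
    "explicitProxy": {
        "enableExplicitProxy": True, "httpPort": 8087, "httpsPort": 8087,
        "enablePacFile": True, "pacFilePort": 8087,
        "pacFile": "https://tinawstorage.file.core.windows.net/?sv=2020-02-10&ss=bfqt&srt=sco"
                   "&sp=rwdlacuptfx&se=2021-06-04T07:01:12Z&st=2021-06-03T23:01:12Z"
                   "&sip=68.65.171.11&spr=https&sig=Plsa0RRVpGbY0IETZZOT6znOHcSro71LLTTbzquYPgs%3D",
    },
    "intrusionDetection": {"mode": "Alert", "profile": "Balanced", "configuration": {
        "signatureOverrides": [{"id": "2525004", "mode": "Deny"}],
        "bypassTrafficSettings": [{"name": "bypassRule1", "protocol": "TCP",
                                   "sourceAddresses": ["1.2.3.4"],
                                   "destinationAddresses": ["5.6.7.8"],
                                   "destinationPorts": ["*"]}]}},
}}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility


def lint_sample() -> list:
    return lint_draft(SAMPLE_DRAFT, SAMPLE_NOW)


if __name__ == "__main__":
    for problem in lint_sample():
        print(problem)
```

Run against the sample body it reports four findings: the wildcard allowlist entry, the over-privileged SAS, the expired SAS and the all-ports bypass rule; the proxy ports pass. Since the PAC URL is echoed back in the response, a read-only, short-lived SAS limits what anyone who can read the policy gains from it.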

Definitions

Name Description
AutoLearnPrivateRangesMode

The operation mode for automatically learning private ranges that are not to be SNATed.

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

CloudError

An error response from the service.

CloudErrorBody

An error response from the service.

DnsSettings

DNS Proxy Settings in Firewall Policy.

ExplicitProxy

Explicit Proxy Settings in Firewall Policy.

FirewallPolicyDraft

FirewallPolicy Resource.

FirewallPolicyInsights

Firewall Policy Insights.

FirewallPolicyIntrusionDetection

Configuration for intrusion detection mode and rules.

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Intrusion detection bypass traffic specification.

FirewallPolicyIntrusionDetectionConfiguration

The operation for configuring intrusion detection.

FirewallPolicyIntrusionDetectionProfileType

IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

FirewallPolicyIntrusionDetectionProtocol

The rule bypass protocol.

FirewallPolicyIntrusionDetectionSignatureSpecification

Intrusion detection signatures specification states.

FirewallPolicyIntrusionDetectionStateType

Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.

FirewallPolicyLogAnalyticsResources

Log Analytics Resources for Firewall Policy Insights.

FirewallPolicyLogAnalyticsWorkspace

Log Analytics Workspace for Firewall Policy Insights.

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNATed.

FirewallPolicySQL

SQL Settings in Firewall Policy.

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

SubResource

Reference to another subresource.

AutoLearnPrivateRangesMode

The operation mode for automatically learning private ranges that are not to be SNATed.

Name Type Description
Disabled

string

Enabled

string

AzureFirewallThreatIntelMode

The operation mode for Threat Intel.

Name Type Description
Alert

string

Deny

string

Off

string

CloudError

An error response from the service.

Name Type Description
error

CloudErrorBody

Cloud error body.

CloudErrorBody

An error response from the service.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

details

CloudErrorBody[]

A list of additional details about the error.

message

string

A message describing the error, intended to be suitable for display in a user interface.

target

string

The target of the particular error. For example, the name of the property in error.

DnsSettings

DNS Proxy Settings in Firewall Policy.

Name Type Description
enableProxy

boolean

Enable DNS Proxy on Firewalls attached to the Firewall Policy.

requireProxyForNetworkRules

boolean

FQDNs in Network Rules are supported when set to true.

servers

string[]

List of Custom DNS Servers.

ExplicitProxy

Explicit Proxy Settings in Firewall Policy.

Name Type Description
enableExplicitProxy

boolean

When set to true, explicit proxy mode is enabled.

enablePacFile

boolean

When set to true, pacFilePort and pacFile (the PAC file URL) must also be provided.

httpPort

integer

Port number for explicit proxy http protocol, cannot be greater than 64000.

httpsPort

integer

Port number for explicit proxy https protocol, cannot be greater than 64000.

pacFile

string

SAS URL for the PAC file. The full URL, including its SAS token, is stored in the policy and echoed back in responses (see the sample response above), so anyone who can read the policy can read the token; issue it read-only with a short expiry.

pacFilePort

integer

Port number for firewall to serve PAC file.

FirewallPolicyDraft

FirewallPolicy Resource.

Name Type Description
id

string

Resource ID.

location

string

Resource location.

name

string

Resource name.

properties.basePolicy

SubResource

The parent firewall policy from which rules are inherited.

properties.dnsSettings

DnsSettings

DNS Proxy Settings definition.

properties.explicitProxy

ExplicitProxy

Explicit Proxy Settings definition.

properties.insights

FirewallPolicyInsights

Insights on Firewall Policy.

properties.intrusionDetection

FirewallPolicyIntrusionDetection

The configuration for Intrusion detection.

properties.snat

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNATed.

properties.sql

FirewallPolicySQL

SQL Settings definition.

properties.threatIntelMode

AzureFirewallThreatIntelMode

The operation mode for Threat Intelligence.

properties.threatIntelWhitelist

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

tags

object

Resource tags.

type

string

Resource type.

FirewallPolicyInsights

Firewall Policy Insights.

Name Type Description
isEnabled

boolean

A flag to indicate if the insights are enabled on the policy.

logAnalyticsResources

FirewallPolicyLogAnalyticsResources

Workspaces needed to configure the Firewall Policy Insights.

retentionDays

integer

Number of days the insights should be enabled on the policy.

FirewallPolicyIntrusionDetection

Configuration for intrusion detection mode and rules.

Name Type Description
configuration

FirewallPolicyIntrusionDetectionConfiguration

Intrusion detection configuration properties.

mode

FirewallPolicyIntrusionDetectionStateType

Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.

profile

FirewallPolicyIntrusionDetectionProfileType

IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Intrusion detection bypass traffic specification.

Name Type Description
description

string

Description of the bypass traffic rule.

destinationAddresses

string[]

List of destination IP addresses or ranges for this rule.

destinationIpGroups

string[]

List of destination IpGroups for this rule.

destinationPorts

string[]

List of destination ports or ranges.

name

string

Name of the bypass traffic rule.

protocol

FirewallPolicyIntrusionDetectionProtocol

The rule bypass protocol.

sourceAddresses

string[]

List of source IP addresses or ranges for this rule.

sourceIpGroups

string[]

List of source IpGroups for this rule.

FirewallPolicyIntrusionDetectionConfiguration

The operation for configuring intrusion detection.

Name Type Description
bypassTrafficSettings

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]

List of rules for traffic to bypass.

privateRanges

string[]

IDPS private IP address ranges are used to identify traffic direction (inbound, outbound, and so on). By default, only the ranges defined in IANA RFC 1918 are considered private IP addresses. To modify the default ranges, specify your private IP address ranges with this property.

signatureOverrides

FirewallPolicyIntrusionDetectionSignatureSpecification[]

List of specific signatures states.

FirewallPolicyIntrusionDetectionProfileType

IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy.

Name Type Description
Advanced

string

Basic

string

Extended

string

Standard

string

FirewallPolicyIntrusionDetectionProtocol

The rule bypass protocol.

Name Type Description
ANY

string

ICMP

string

TCP

string

UDP

string

FirewallPolicyIntrusionDetectionSignatureSpecification

Intrusion detection signatures specification states.

Name Type Description
id

string

Signature id.

mode

FirewallPolicyIntrusionDetectionStateType

The signature state.

FirewallPolicyIntrusionDetectionStateType

Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two.

Name Type Description
Alert

string

Deny

string

Off

string

FirewallPolicyLogAnalyticsResources

Log Analytics Resources for Firewall Policy Insights.

Name Type Description
defaultWorkspaceId

SubResource

The default workspace Id for Firewall Policy Insights.

workspaces

FirewallPolicyLogAnalyticsWorkspace[]

List of workspaces for Firewall Policy Insights.

FirewallPolicyLogAnalyticsWorkspace

Log Analytics Workspace for Firewall Policy Insights.

Name Type Description
region

string

Region to configure the Workspace.

workspaceId

SubResource

The workspace Id for Firewall Policy Insights.

FirewallPolicySNAT

The private IP addresses/IP ranges to which traffic will not be SNATed.

Name Type Description
autoLearnPrivateRanges

AutoLearnPrivateRangesMode

The operation mode for automatically learning private ranges that are not to be SNATed.

privateRanges

string[]

List of private IP addresses/IP address ranges that are not to be SNATed.

FirewallPolicySQL

SQL Settings in Firewall Policy.

Name Type Description
allowSqlRedirect

boolean

A flag to indicate whether SQL Redirect traffic filtering is enabled. Turning on the flag requires that no rule in the policy uses ports 11000-11999.

FirewallPolicyThreatIntelWhitelist

ThreatIntel Whitelist for Firewall Policy.

Name Type Description
fqdns

string[]

List of FQDNs for the ThreatIntel Whitelist.

ipAddresses

string[]

List of IP addresses for the ThreatIntel Whitelist.

SubResource

Reference to another subresource.

Name Type Description
id

string

Resource ID.