review-checklists/checklists-ext/azurefirewall_sg_checklist....

314 строки
23 KiB
JSON

{
"$schema": "https://raw.githubusercontent.com/Azure/review-checklists/main/checklists/checklist.schema.json",
"items": [
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Deploy Azure Firewall across multiple availability zones.",
"description": "Deploy Azure Firewall across multiple availability zones to maintain a specific level of resiliency. If one zone experiences an outage, another zone continues to serve traffic.",
"type": "recommendation",
"guid": "881f08f8-32f0-420d-b4f7-f0660a0402cb"
},
{
"waf": "Reliability",
"service": "Azure Firewall",
"text": "Monitor Azure Firewall metrics in a Log Analytics workspace. Closely monitor metrics that indicate the Azure Firewall health state, such as throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics. Use Azure Service Health to monitor Azure Firewall health.",
"description": "Monitor resource metrics and service health so you can detect when a service state degrades and take proactive measures to prevent failures.",
"type": "recommendation",
"guid": "a61daca7-ba87-4a5f-8d72-6c4e61f1f8a1"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure Azure Firewall in\u00a0forced tunneling mode if you need to route all internet-bound traffic to a designated next hop instead of directly to the internet. This recommendation doesn't apply to Virtual WAN. <BR><BR> Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in forced tunneling mode. You can use the forced tunneling feature to add another /26 address space for the Azure Firewall Management subnet. Name the subnet AzureFirewallManagementSubnet. If you have an existing Azure Firewall instance that you can't reconfigure in forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. To maintain internet connectivity, associate the UDR with AzureFirewallSubnet. Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in forced tunneling mode. But the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks doesn't use that public IP.",
"description": "Use forced tunneling so you don't expose your Azure resources directly to the internet. This approach reduces the attack surface and minimizes the risk of external threats. To enforce corporate policies and compliance requirements more effectively, route all internet-bound traffic through an on-premises firewall or an NVA.",
"type": "recommendation",
"guid": "11c69324-ff8f-48aa-9e9e-9c954e29a121"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Create rules for Firewall policies in an hierarchical structure to overlay a central base policy. For more information, see Use Azure Firewall policies to process rules. <BR><BR> Create your rules based on the least-privilege access Zero Trust principle",
"description": "Organize rules in a hierarchical structure so that granular policies can meet the requirements of specific regions. Each policy can contain different sets of Destination Network Address Translation (DNAT), network, and application rules that have specific priorities, actions, and processing orders.",
"type": "recommendation",
"guid": "29a3b176-03b3-4273-b9f8-cdddee154009"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure supported security partner providers within Firewall Manager to protect outbound connections. <BR><BR> This scenario requires Virtual WAN with a S2S VPN gateway in the hub because it uses an IPsec tunnel to connect to the provider's infrastructure. Managed security service providers might charge extra license fees and limit throughput on IPsec connections. You can also use alternative solutions, such as Zscaler Cloud Connector.",
"description": "Enable security partner providers in Azure Firewall to take advantage of best-in-breed cloud security offerings, which provide advanced protection for your internet traffic. These providers offer specialized, user-aware filtering and comprehensive threat-detection capabilities that enhance your overall security posture.",
"type": "recommendation",
"guid": "f03b413a-c06c-4f22-98ad-6798b74f825e"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable\u00a0Azure Firewall DNS proxy\u00a0configuration. <BR><BR> Also configure Azure Firewall to use custom DNS for forwarding DNS queries.",
"description": "Enable this feature to point clients in the virtual networks to Azure Firewall as a DNS server. This feature protects internal DNS infrastructure that's not directly accessed and exposed.",
"type": "recommendation",
"guid": "98a53328-cf36-4d0e-b7dc-a15a8957ab3b"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Configure UDRs to force traffic through Azure Firewall in a traditional hub-and-spoke architecture for spoke-to-spoke, spoke-to-internet, and spoke-to-hybrid connectivity. <BR><BR> In Virtual WAN, configure routing intent and policies to redirect private traffic or internet traffic through the Azure Firewall instance that's integrated into the hub. <BR><BR> If you can't apply a UDR, and you only require web traffic redirection, use Azure Firewall as an explicit proxy on the outbound path. You can configure a proxy setting on the sending application, such as a web browser, when you configure Azure Firewall as a proxy.",
"description": "Send traffic through the firewall to inspect traffic and help identify and block malicious traffic. <BR><BR> Use Azure Firewall as an explicit proxy for outbound traffic so that web traffic reaches the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the use of multiple firewalls without modifying existing network routes.",
"type": "recommendation",
"guid": "5a33a8c3-32ad-4df5-b10e-ae88d9341652"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use FQDN filtering in network rules. You must enable the Azure Firewall DNS proxy configuration to use FQDNs in your network rules.",
"description": "Use FQDNs in Azure Firewall network rules so that administrators can manage domain names instead of multiple IP addresses, which simplifies management. This dynamic resolution ensures that firewall rules automatically update when domain IPs change.",
"type": "recommendation",
"guid": "468a142a-2b62-4379-90d1-46a7d351716f"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Azure Firewall service tags in place of specific IP addresses to provide selective access to specific services in Azure, Microsoft Dynamics 365, and Microsoft 365.",
"description": "Use service tags in network rules so you can define access controls based on service names rather than specific IP addresses, which simplifies security management. Microsoft manages and updates these tags automatically when IP addresses change. This method ensures that your firewall rules remain accurate and effective without manual intervention.",
"type": "recommendation",
"guid": "d64d477e-8277-4f70-9727-8c1db0cd649c"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use FQDN tags in application rules to provide selective access to specific Microsoft services. <BR><BR> You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for specific Azure services, such as Microsoft 365, Windows 365, and Microsoft Intune.",
"description": "Use FQDN tags in Azure Firewall application rules to represent a group of FQDNs that are associated with well-known Microsoft services. This method simplifies the management of network security rules.",
"type": "recommendation",
"guid": "f8f92e49-b7ed-40cc-ad7b-3431067dd488"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable\u00a0threat intelligence\u00a0on Azure Firewall in\u00a0Alert and deny\u00a0mode.",
"description": "Use threat intelligence to provide real-time protection against emerging threats, which reduces the risk of cyberattacks. This feature uses the Microsoft threat intelligence feed to automatically alert and block traffic from known malicious IP addresses, domains, and URLs.",
"type": "recommendation",
"guid": "ecce93c9-ffc9-498f-abdf-d29a618b8d1c"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Enable\u00a0the IDPS\u00a0in\u00a0Alert\u00a0or\u00a0Alert and deny\u00a0mode. Consider the performance impact of this feature.",
"description": "Enable IDPS filtering in Azure Firewall provides real-time monitoring and analysis of network traffic to detect and prevent malicious activities. This feature uses signature-based detection to swiftly identify known threats and block them before they cause harm. For more information, see Detect abuse.",
"type": "recommendation",
"guid": "754d917c-b22f-4fe7-92b1-d0d88b5b1873"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use an internal enterprise certification authority (CA) to generate certificates when you use TLS inspection with Azure Firewall Premium. Use self-signed certificates only for testing and proof of concept (PoC) purposes.",
"description": "Enable TLS inspection so that Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS.",
"type": "recommendation",
"guid": "9e220953-da77-44f0-9e85-ccc7743e2d2a"
},
{
"waf": "Security",
"service": "Azure Firewall",
"text": "Use Firewall Manager to create and associate an Azure DDoS Protection plan with your hub virtual network. This approach doesn't apply to Virtual WAN.",
"description": "Configure an Azure DDoS Protection plan so that you can centrally manage DDoS protection alongside your firewall policies. This approach streamlines how you manage your network security and simplifies how you deploy and monitor processes.",
"type": "recommendation",
"guid": "fe3488cd-72a6-4672-b26b-64b1a0e9f625"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Stop Azure Firewall deployments that don't need to continuously run. You might have development or testing environments that you only use during business hours. For more information, see Deallocate and allocate Azure Firewall.",
"description": "Shut down these deployments during off-peak hours or when idle to reduce unnecessary expenses but maintain security and performance during critical times.",
"type": "recommendation",
"guid": "463b7549-f012-4554-a6df-4ea62350cc52"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Regularly review traffic that Azure Firewall processes, and find originating workload optimizations. The top flows log, also known as the fat flows log, shows the top connections that contribute to the highest throughput through the firewall.",
"description": "Optimize workloads that generate the most traffic through the firewall to reduce the volume of traffic, which decreases the load on the firewall and minimizes data-processing and bandwidth costs.",
"type": "recommendation",
"guid": "ccd04d1a-611b-4c77-aef7-96d1ac1470d1"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Identify and delete unused Azure Firewall deployments. Analyze monitoring metrics and UDRs that are associated with subnets that point to the firewall's private IP. Also consider other validations and internal documentation about your environment and deployments. For example, analyze any classic NAT, network, and application rules for Azure Firewall. And consider your settings. For example, you might configure the DNS proxy setting to Disabled. For more information, see Monitor Azure Firewall.",
"description": "Use this approach to detect cost-effective deployments over time and eliminate unused resources, which prevents unnecessary costs.",
"type": "recommendation",
"guid": "9ddcb977-4f4d-4c98-a7bc-daad82bf79fb"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review your Firewall Manager policies, associations, and inheritance carefully to optimize cost. Policies are billed based on firewall associations. A policy with zero or one firewall association is free. A policy with multiple firewall associations is billed at a fixed rate. For more information, see Firewall Manager pricing.",
"description": "Properly use Firewall Manager and its policies to reduce operational costs, increase efficiency, and reduce management overhead.",
"type": "recommendation",
"guid": "a42cec48-b5d7-467a-8296-4864c6e9b413"
},
{
"waf": "Cost",
"service": "Azure Firewall",
"text": "Review all the public IP addresses in your configuration, and disassociate and delete the ones that you don't use. Evaluate source network address translation (SNAT) port usage before you remove any IP addresses. For more information, see Monitor Azure Firewall logs and metrics and SNAT port usage.",
"description": "Delete unused IP addresses to reduce costs.",
"type": "recommendation",
"guid": "407db414-2814-4803-9b80-be5ff2a97950"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Enable diagnostic logs for Azure Firewall. Use firewall logs or workbooks to monitor Azure Firewall. You can also use activity logs to audit operations on Azure Firewall resources. Use the structured firewall logs format. Only use the previous diagnostic logs format if you have an existing tool that requires it. Don't enable both logging formats at the same time.",
"description": "Enable diagnostic logs to optimize your monitoring tools and strategies for Azure Firewall. Use structured firewall logs to structure log data so that it's easy to search, filter, and analyze. The latest monitoring tools are based on this type of log, so it's often a prerequisite.",
"type": "recommendation",
"guid": "fb2c3215-9576-49d1-a936-e302ef9049c2"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Use the built-in Azure Firewall workbook.",
"description": "Use the Azure Firewall workbook to extract valuable insights from Azure Firewall events, analyze your application and network rules, and examine statistics about firewall activities across URLs, ports, and addresses.",
"type": "recommendation",
"guid": "913ed2e5-c63c-4325-8578-965c5c3c4b79"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Monitor Azure Firewall logs and metrics, and create alerts for Azure Firewall capacity. Create alerts to monitor Throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics.",
"description": "Set up alerts for key events to notify operators before potential problems arise, help prevent disruptions, and initiate quick capacity adjustments.",
"type": "recommendation",
"guid": "79268d8a-5829-4fb3-a1c6-d7ee9c980cd4"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Regularly review the policy analytics dashboard to identify potential problems.",
"description": "Use policy analytics to analyze the impact of your Azure Firewall policies. Identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.",
"type": "recommendation",
"guid": "63b266a4-285f-4fd4-a0fb-b6bb4c1ce75b"
},
{
"waf": "Operations",
"service": "Azure Firewall",
"text": "Understand KQL queries so you can use Azure Firewall logs to quickly analyze and troubleshoot problems. Azure Firewall provides sample queries.",
"description": "Use KQL queries to quickly identify events inside your firewall and check to see which rule is triggered or which rule allows or blocks a request.",
"type": "recommendation",
"guid": "37cc2cc2-5700-4e4b-bb0b-86e6acb11092"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Use the policy analytics dashboard to identify ways to optimize Azure Firewall policies.",
"description": "Use policy analytics to identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.",
"type": "recommendation",
"guid": "e9cf81c7-6938-44e1-83fe-0c16af8214fd"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Place frequently used rules early in a group to optimize latency for Azure Firewall policies that have large rule sets. For more information, see Use Azure Firewall policies to process rules.",
"description": "Place frequently used rules high in a rule set to optimize processing latency. Azure Firewall processes rules based on the rule type, inheritance, rule collection group priority, and rule collection priority. Azure Firewall processes high-priority rule collection groups first. Inside a rule collection group, Azure Firewall processes rule collections that have the highest priority first.",
"type": "recommendation",
"guid": "4413e944-e222-419c-bc01-54f518dace78"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Use IP groups to summarize IP address ranges and avoid exceeding the limit of unique source or unique destination network rules. Azure Firewall treats the IP group as a single address when you create network rules.",
"description": "This approach effectively increases the number of IP addresses that you can cover without exceeding the limit. For each rule, Azure multiplies ports by IP addresses. So, if one rule has four IP address ranges and five ports, you consume 20 network rules.",
"type": "recommendation",
"guid": "6acef044-ef2f-47b0-8463-5de890902930"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Use Azure Firewall web categories to allow or deny outbound access in bulk, instead of explicitly building and maintaining a long list of public internet sites.",
"description": "This feature dynamically categorizes web content and permits the creation of compact application rules, which reduces operational overhead.",
"type": "recommendation",
"guid": "0a8a6e9c-57e9-40bd-8345-8b5abbcfa504"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Evaluate the performance impact of IDPS in Alert and deny mode. For more information, see Azure Firewall performance.",
"description": "Enable IDPS in Alert and deny mode to detect and prevent malicious network activity. This feature might introduce a performance penalty. Understand the effect on your workload so you can plan accordingly.",
"type": "recommendation",
"guid": "a281c1d2-e2da-458f-ad57-d67d19b8377e"
},
{
"waf": "Performance",
"service": "Azure Firewall",
"text": "Configure Azure Firewall deployments with a minimum of five public IP addresses for deployments that are susceptible to SNAT port exhaustion.",
"description": "Azure Firewall supports 2,496 ports for each public IP address that each back-end Azure Virtual Machine Scale Sets instance uses. This configuration increases the available SNAT ports by five times. By default, Azure Firewall deploys two Virtual Machine Scale Sets instances that support 4,992 ports for each flow destination IP, destination port, and TCP or UDP protocol. The firewall scales up to a maximum of 20 instances.",
"type": "recommendation",
"guid": "ffa8eeee-ff51-44ca-a416-275bcf54be52"
}
],
"categories": [],
"waf": [
{
"name": "reliability"
},
{
"name": "Cost"
},
{
"name": "Operations"
},
{
"name": "security"
},
{
"name": "Performance"
},
{
"name": "Reliability"
},
{
"name": "operations"
},
{
"name": "Security"
},
{
"name": "performance"
},
{
"name": "cost"
}
],
"yesno": [
{
"name": "Yes"
},
{
"name": "No"
}
],
"status": [
{
"name": "Not verified",
"description": "This check has not been looked at yet"
},
{
"name": "Open",
"description": "There is an action item associated to this check"
},
{
"name": "Fulfilled",
"description": "This check has been verified, and there are no further action items associated to it"
},
{
"name": "N/A",
"description": "Not applicable for current design"
},
{
"name": "Not required",
"description": "Not required"
}
],
"metadata": {
"name": "Azure Firewall Service Guide",
"waf": "all",
"state": "preview",
"timestamp": "October 20, 2024"
}
}