Thank you for reaching out on the Microsoft Q&A forum.
If I understand correctly, you are looking for an Azure Resource Graph query to fetch all Azure Firewall rules with their properties so that you can save them in CSV format. Please correct me if my understanding is incorrect.
It is currently not possible to fetch all Azure Firewall rules with their properties using Azure Resource Graph Explorer. It would be helpful if you could file a feedback item for this request on our feedback portal.
The workaround in this case is to use the PowerShell command Get-AzFirewallPolicyRuleCollectionGroup to fetch the rules under each rule collection group of the Azure Firewall Policy and save them to a CSV file.
You can refer to the sample script I created below.
Please add values to the variables below in the script as per your environment:
- subscription_id
- $rg = your resource_group name
- $policyname = your firewall_policy_name
- Enter_your_path (any path in your local system to save the csv file)
This script will create three CSV files for NetworkRules, ApplicationRules and DnatRules.
# Sign in and select the subscription that holds the firewall policy
Connect-AzAccount
Set-AzContext -Subscription "<subscription_id>"
$rg = "<resource_group>"
$policyname = "<firewall_policy_name>"
# Folder the three CSV files are written to. Export-Csv -Append adds rows on every run, so delete old files before re-running
$outdir = "C:\Users\<Enter_your_path>"

$policy = Get-AzFirewallPolicy -Name $policyname -ResourceGroupName $rg

# RuleCollectionGroups holds only references; the group name is the last segment of each resource Id
foreach ($colgroup in $policy.RuleCollectionGroups)
{
    $colname = ($colgroup.Id -split "/")[-1]
    $rulecolgroup = Get-AzFirewallPolicyRuleCollectionGroup -Name $colname -ResourceGroupName $rg -AzureFirewallPolicyName $policyname
    # Flatten every rule of every collection in this group. A group can mix rule types, so each export filters on RuleType
    $rules = $rulecolgroup.Properties.RuleCollection.Rules

    if ($rules.RuleType -contains "NetworkRule")
    {
        $rules | Where-Object RuleType -eq "NetworkRule" | Select-Object Name,RuleType,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="Protocols";e={$_.Protocols -join ","}},@{n="DestinationAddresses";e={$_.DestinationAddresses -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="DestinationIpGroups";e={$_.DestinationIpGroups -join ","}},@{n="DestinationPorts";e={$_.DestinationPorts -join ","}},@{n="DestinationFqdns";e={$_.DestinationFqdns -join ","}} | Export-Csv -Path (Join-Path $outdir "NetworkRules.csv") -Append -NoTypeInformation -Force
    }
    if ($rules.RuleType -contains "ApplicationRule")
    {
        # Application-rule protocols are objects (ProtocolType/Port), so render them as "Http:80" instead of relying on ToString()
        $rules | Where-Object RuleType -eq "ApplicationRule" | Select-Object Name,RuleType,TerminateTLS,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="TargetFqdns";e={$_.TargetFqdns -join ","}},@{n="Protocols";e={($_.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" }) -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="WebCategories";e={$_.WebCategories -join ","}},@{n="TargetUrls";e={$_.TargetUrls -join ","}} | Export-Csv -Path (Join-Path $outdir "ApplicationRules.csv") -Append -NoTypeInformation -Force
    }
    if ($rules.RuleType -contains "NatRule")
    {
        $rules | Where-Object RuleType -eq "NatRule" | Select-Object Name,RuleType,TranslatedPort,TranslatedAddress,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="Protocols";e={$_.Protocols -join ","}},@{n="DestinationAddresses";e={$_.DestinationAddresses -join ","}},@{n="DestinationPorts";e={$_.DestinationPorts -join ","}} | Export-Csv -Path (Join-Path $outdir "DnatRules.csv") -Append -NoTypeInformation -Force
    }
}
Below is a sample of the CSV files created for Network Rules, Dnat Rules and Application Rules.
If you do not have PowerShell installed on your local machine, you can follow the documentation here. The script above uses the Az.Network module.
Hope this helps! Please let me know if you face any issues while running the script.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
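An added example, not part of the answer above, that generalizes the same approach to every Azure Firewall Policy in the current subscription and writes one normalized CSV instead of three. It also records what a rule review actually needs and the per-type export above leaves out: the rule collection group and its priority, the rule collection name and priority, and the collection action (Allow, Deny or DNAT). It assumes the Az.Accounts and Az.Network modules and an existing Connect-AzAccount session; the function and column names are my own, and the model property names (RuleCollectionGroups, Properties.RuleCollection, Action.Type, ProtocolType, Port and the per-rule fields) follow the Az.Network PSAzureFirewallPolicy* classes and should be confirmed with Get-Member against your module version.

```powershell
# Added example (not the original answer's code). Exports every rule of every Azure Firewall Policy
# in the current subscription to one CSV, one row per rule, with collection priority and action.
# Assumes Az.Network is installed and Connect-AzAccount / Set-AzContext have already been run.

function Join-List {
    # Flattens a possibly-empty list property into a single CSV cell
    param($Items)
    if ($null -eq $Items) { return "" }
    return (@($Items) -join ",")
}

function Get-AzFirewallPolicyRuleRows {
    [CmdletBinding()]
    param(
        [string]$ResourceGroupName   # optional: restrict the export to one resource group
    )

    # Without -Name, Get-AzFirewallPolicy lists policies (subscription-wide or per resource group)
    $policies = if ($ResourceGroupName) {
        Get-AzFirewallPolicy -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzFirewallPolicy
    }

    foreach ($policy in $policies) {
        foreach ($groupRef in $policy.RuleCollectionGroups) {
            # RuleCollectionGroups are references; the group name is the last Id segment
            $groupName = ($groupRef.Id -split "/")[-1]
            $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $groupName -ResourceGroupName $policy.ResourceGroupName -AzureFirewallPolicyName $policy.Name

            foreach ($collection in $group.Properties.RuleCollection) {
                foreach ($rule in $collection.Rules) {
                    # Application-rule protocols are objects (ProtocolType/Port); network and NAT protocols are strings
                    $protocols = if ($rule.RuleType -eq "ApplicationRule") {
                        Join-List ($rule.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" })
                    } else {
                        Join-List $rule.Protocols
                    }

                    # Properties a given rule type does not have evaluate to $null and become empty cells
                    [pscustomobject]@{
                        Policy               = $policy.Name
                        ResourceGroup        = $policy.ResourceGroupName
                        RuleCollectionGroup  = $groupName
                        GroupPriority        = $group.Properties.Priority
                        RuleCollection       = $collection.Name
                        CollectionPriority   = $collection.Priority
                        Action               = $collection.Action.Type   # Allow, Deny or DNAT
                        RuleName             = $rule.Name
                        RuleType             = $rule.RuleType
                        SourceAddresses      = Join-List $rule.SourceAddresses
                        SourceIpGroups       = Join-List $rule.SourceIpGroups
                        Protocols            = $protocols
                        DestinationAddresses = Join-List $rule.DestinationAddresses
                        DestinationIpGroups  = Join-List $rule.DestinationIpGroups
                        DestinationPorts     = Join-List $rule.DestinationPorts
                        DestinationFqdns     = Join-List $rule.DestinationFqdns
                        TargetFqdns          = Join-List $rule.TargetFqdns
                        TargetUrls           = Join-List $rule.TargetUrls
                        WebCategories        = Join-List $rule.WebCategories
                        TerminateTLS         = $rule.TerminateTLS
                        TranslatedAddress    = $rule.TranslatedAddress
                        TranslatedPort       = $rule.TranslatedPort
                    }
                }
            }
        }
    }
}

# Usage: a single file, overwritten on each run so repeated exports do not accumulate duplicate rows
$rows = Get-AzFirewallPolicyRuleRows
$rows | Export-Csv -Path ".\AzureFirewallPolicyRules.csv" -NoTypeInformation -Force

# Example review query on the exported rows: Allow rules that are wildcard on both source and destination
$rows | Where-Object { $_.Action -eq "Allow" -and $_.SourceAddresses -eq "*" -and $_.DestinationAddresses -eq "*" } |
    Format-Table Policy, RuleCollectionGroup, RuleCollection, CollectionPriority, RuleName, RuleType
```

Sorting the rows by GroupPriority and then CollectionPriority reproduces the order in which Azure Firewall evaluates the collections, which is what you need when reviewing whether an early Allow shadows a later Deny.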