Azure Firewall IDPS protocol and encryption

Yang, Steven 151 Reputation points
2023-09-19T14:35:58.4633333+00:00

Hello,

Out of all the IDPS signatures, is there a way for us to tell which ones require SSL decryption to be enabled, meaning the signature won't be able to properly inspect the traffic if it is encrypted?

Best,

Steven


1 answer

  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2023-10-12T16:32:27.4933333+00:00

    Hello @Yang, Steven ,

    I understand that you wanted to know if there is a way to tell, out of all the Azure Firewall IDPS signatures, which ones require SSL decryption to be enabled, meaning the signature won't be able to properly inspect the traffic if it is encrypted. You also mentioned that you noticed some signature rules are getting auto-deleted and wanted to know the reason behind it.

    I discussed the above queries with the Azure Firewall Product Group team, and below are the responses:

    Out of all the IDPS signatures, is there a way for us to tell which ones require SSL decryption to be enabled, meaning the signature won't be able to properly inspect the traffic if it is encrypted?

    The majority of the signatures require TLSi to take effect; the signatures that are applicable to encrypted traffic relate to L3 and L4 protocols, and they are basically related to the connection establishment part, until the encrypted tunnel is constructed.

    Please find attached the list of 1693 TLS-agnostic signature IDs; these signatures will be effective for HTTPS traffic even if TLSi is disabled.

    Azure Firewall IDPS TLS Agnostic Signature IDs.pdf

    All the rest of the IDPS signatures (which are not in the above list) require TLS inspection to be enabled if the traffic is TLS encrypted.

    I noticed that some signature rules would get deleted. Last week the signature rule count was 62K something, this week the count dropped to 61K something. How does that work and how can I get notified about it?

    Signature rules that have not been seen in use for a long period (years) are being cleaned out.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

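The rule in the answer above (a signature only inspects HTTPS traffic if TLS inspection is on or the signature is in the TLS-agnostic list) can be turned into a policy audit. The following is an added example, not code from the Q&A or from Microsoft; the signature IDs are constructed placeholders standing in for the attached PDF, and the `intrusionDetection` / `transportSecurity` property names are assumed from the Microsoft.Network/firewallPolicies ARM schema rather than quoted on this page.

```python
# Added example: audit an exported Azure Firewall Policy for IDPS signature
# overrides that are blind to HTTPS traffic while TLS inspection is disabled.
import json

# Constructed placeholder set. The real list is the 1693-ID PDF attached
# to the answer; load that list here in practice.
TLS_AGNOSTIC_IDS = {2000001, 2000002, 2000003}

# Constructed policy fragment. Property names follow the firewallPolicies
# ARM schema (an assumption of this example, not taken from the page).
SAMPLE_POLICY = json.loads("""{
  "properties": {
    "intrusionDetection": {
      "mode": "Deny",
      "configuration": {
        "signatureOverrides": [
          {"id": "2000001", "mode": "Deny"},
          {"id": "2100500", "mode": "Deny"},
          {"id": "2100501", "mode": "Alert"}
        ]
      }
    },
    "transportSecurity": {}
  }
}""")


def tls_inspection_enabled(policy):
    """TLS inspection is configured when a CA certificate is bound to the policy."""
    ts = policy["properties"].get("transportSecurity") or {}
    ca = ts.get("certificateAuthority") or {}
    return bool(ca.get("keyVaultSecretId"))


def audit_idps(policy, agnostic_ids=TLS_AGNOSTIC_IDS):
    """Split the signature overrides into those effective on HTTPS and those
    that need TLSi; with TLSi on, every signature is effective."""
    idps = policy["properties"].get("intrusionDetection") or {}
    overrides = (idps.get("configuration") or {}).get("signatureOverrides") or []
    tlsi_on = tls_inspection_enabled(policy)
    effective, blind = [], []
    for o in overrides:
        sid = int(o["id"])
        (effective if tlsi_on or sid in agnostic_ids else blind).append(sid)
    return {"mode": idps.get("mode", "Off"), "tls_inspection": tlsi_on,
            "effective_on_https": effective, "blind_on_https": blind}


if __name__ == "__main__":
    print(json.dumps(audit_idps(SAMPLE_POLICY), indent=2))
```

Any ID reported under `blind_on_https` is an override that cannot match TLS-encrypted flows until a CA is bound under `transportSecurity`, so it gives a false sense of coverage for HTTPS.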
