Azure Firewall IDPS Signature Constantly Updating

Question

Azure Firewall IDPS Signature Constantly Updating

Yang, Steven 151

I noticed that signatures in idps would some time update in a large quantity, and most of them are existing signature.

I'm trying to put down a process where the engineering would put the signature in monitor mode for certain # of days before go into deny mode. With signatures constantly updating in large quantity, i feel this is unmanageable. what are the best practices around managing signatures so I don't get hit with large quantity of false-positive

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-10T05:07:22.68+00:00

@Yang, Steven

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-11T05:40:45.7433333+00:00

@Yang, Steven

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-12T03:56:23.37+00:00

@Yang, Steven

I have converted my comment and posted it as an answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Yang, Steven 151 Reputation points

2023-10-20T19:16:57.8833333+00:00

Hi Kapil,

Sorry for the late response. I would be more interested in the new rules that are being introduced, how do we get notifications about it? and how do we distinguish new rule added vs existing rule update?

last time i saw 100s of rules got updated; most were existing rules.

Best,

Steven
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-25T06:02:09.5833333+00:00
@Yang, Steven

I am afraid we do not have any such mechanism to distinguish.

May I ask the use case for this?

As the rules are always available, the platform should take care of implementing the latest definition to the Firewall processing.

Cheers,

Kapil

1 answer

Your answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-10T05:07:22.68+00:00

@Yang, Steven

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-11T05:40:45.7433333+00:00

@Yang, Steven

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-12T03:56:23.37+00:00

@Yang, Steven

I have converted my comment and posted it as an answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Yang, Steven 151 Reputation points

2023-10-20T19:16:57.8833333+00:00

Hi Kapil,

Sorry for the late response. I would be more interested in the new rules that are being introduced, how do we get notifications about it? and how do we distinguish new rule added vs existing rule update?

last time i saw 100s of rules got updated; most were existing rules.

Best,

Steven
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-10-25T06:02:09.5833333+00:00

@Yang, Steven

I am afraid we do not have any such mechanism to distinguish.

May I ask the use case for this?

As the rules are always available, the platform should take care of implementing the latest definition to the Firewall processing.

Cheers,

Kapil

Answer 1

@Yang, Steven

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to understand the best practices with managing signatures in Azure Firewall.

Can you please let me know what do you mean by "idps would some time update in a large quantity" ?

Do you mean that the new rules are being introduced?
or that the definition of a single rule gets updated ?

Every signature would belong to a Group or Category.

User's image

While it may be the case that a signature's definition may get updated or new definitions will be introduced,

But their effect would still be the same (somewhat enhanced)
Based on their group/category, they will still target the same vulnerability as before the update, just that they will be now more enhanced.

I don't think that a signature's definition or ID will be updated so that it's category itself would be changed.

So, I doubt there will be a large quantity of false-positive as you described.

Please let me know if you need more details on this.

Cheers,

Kapil

Share via

Azure Firewall IDPS Signature Constantly Updating

1 answer

Your answer