List all Azure policy rule collections with Rules in PowerShell

Joseph Sundar Raj Paulraj 101 Reputation points
2021-12-03T13:43:08.96+00:00

Could someone help in getting me the equivalent PowerShell command for the below Az command?

az network firewall policy rule-collection-group list --policy-name <policyname> --resource-group <RG_Name>

The requirement for me is to configure an automation account PowerShell runbook which will extract all the firewall rules and store them as a file in blob. The script should run daily and retain the last 7 days' files in blob.

I am not able to find the PowerShell command to fetch all the available Rule Collections. I can fetch ONLY if I pass the collection name as a parameter in cmdlet. Ex: (Get-AzFirewallPolicyRuleCollectionGroup -Name <Col_Name> -ResourceGroupName <RG_Name> -AzureFirewallPolicyName <Pol_Name>).Properties.RuleCollection

I should not pass the collection name, as collections may be added or removed between daily runs. I also tried the below possible PowerShell command, but it returns nothing.

$colids=(Get-AzFirewallPolicy -Name <Pol_Name> -ResourceGroupName <RG_Name>).rulecollectiongroups
foreach($colid in $colids)
{
    Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $colid.id
}

Passing the resource ID of rule collection group directly for -ResourceId also returns nothing.


Accepted answer
  1. Joseph Sundar Raj Paulraj 101 Reputation points
    2021-12-06T17:33:34.167+00:00

    Used the below command as an alternative and got the required output.

    Export-AzResourceGroup -ResourceGroupName <RG_Name> -Resource <RID_AzPolicy>

    Thank you everyone for trying to help. But still Get-AzFirewallPolicyRuleCollectionGroup -ResourceId <RID> should work.


3 additional answers

  1. suvasara-MSFT 10,011 Reputation points
    2021-12-06T07:12:13.377+00:00

    @Joseph Sundar Raj Paulraj , Apologies for the delay in response. Looks like the Az Firewall network rule collection group commands were still under preview and under development.

    This looks similar to this GitHub issue where on giving resourceID we see null.

    Please do reach us at azcommunity@microsoft.com for further help on this PS module. Meanwhile, we will work with the respective PG team and will get back to you.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. Limitless Technology 39,416 Reputation points
    2021-12-06T09:41:13.29+00:00

    Hi there,

    Use the Get-NetFirewallRule cmdlet to get the entire list, and then filter on the Enabled and Direction properties:

    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    The Get-NetFirewallRule cmdlet returns the instances of firewall rules that match the search parameters from the user.

    This cmdlet returns one or more firewall rules by specifying the Name parameter (default), the DisplayName parameter, rule properties, or by associated filters or objects. The queried rules can be placed into variables and piped to other cmdlets for further modifications or monitoring.

    Here are some articles as well to help you out https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2019-ps

    https://devblogs.microsoft.com/scripting/powertip-use-powershell-to-list-firewall-rules/

    -----------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


  3. Jad Azure 1 Reputation point
    2021-12-06T22:27:49.03+00:00

    Hey,

    Following code should work,

        # Placeholders, as used in the question
        $fwPol = '<Pol_Name>'
        $resourceGroupName = '<RG_Name>'

        # Get the config of the current Azure Firewall Policy
        $azFwPol = Get-AzFirewallPolicy -Name $fwPol -ResourceGroupName $resourceGroupName

        # Get RCG IDs (didn't find a command that directly retrieves the RCG names)
        $rcgsIds = $azFwPol.RuleCollectionGroups

        # Get RCG names from RCG IDs (the name is the last segment of the resource ID)
        $rcgsNames = foreach($rcgId in $rcgsIds) {
            $rcgId.Id.Substring($rcgId.Id.LastIndexOf("/")+1)
        }

        # For each RCG
        foreach($rcgName in $rcgsNames) {
            # Get Azure RCG object
            $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicyName $fwPol -ResourceGroupName $resourceGroupName
        }
    
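The requirement in the question (a daily export of every rule collection group to blob storage, with 7 days retained), built on the name-based lookup from the answers, as an added example that is not code from any poster in this thread. The storage account, container name, blob naming scheme and the managed identity's role assignments are assumptions.

```powershell
# Added example (not from the thread). Assumed placeholders: the values below.
# Assumed permissions: the Automation account's managed identity has Reader on
# the firewall policy and Storage Blob Data Contributor on the storage account.
$resourceGroupName = '<RG_Name>'
$fwPol             = '<Pol_Name>'
$storageAccount    = '<Storage_Account_Name>'   # assumption
$container         = 'firewall-exports'         # assumption
$retentionDays     = 7

$ErrorActionPreference = 'Stop'                 # abort the run on any cmdlet error
Connect-AzAccount -Identity | Out-Null          # no stored credentials in the runbook

# The policy object only carries the resource IDs of its rule collection groups.
$policy = Get-AzFirewallPolicy -Name $fwPol -ResourceGroupName $resourceGroupName

$export = foreach ($ref in $policy.RuleCollectionGroups) {
    # Look each group up by name (last ID segment); -ResourceId returned
    # nothing for the posters above.
    $rcgName = ($ref.Id -split '/')[-1]
    $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName `
        -AzureFirewallPolicyName $fwPol -ResourceGroupName $resourceGroupName
    [pscustomobject]@{
        Name            = $rcgName
        RuleCollections = $rcg.Properties.RuleCollection
    }
}

# Fail loudly instead of uploading an empty file that looks like a valid export.
if (-not $export) { throw "No rule collection groups returned for policy $fwPol" }

# One blob per UTC day; a rerun on the same day overwrites that day's file.
$blobName = '{0}/{1:yyyy-MM-dd}.json' -f $fwPol, (Get-Date).ToUniversalTime()
$tempFile = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
$export | ConvertTo-Json -Depth 20 | Set-Content -Path $tempFile -Encoding UTF8

$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
Set-AzStorageBlobContent -File $tempFile -Container $container -Blob $blobName `
    -Context $ctx -Force | Out-Null
Remove-Item $tempFile

# Retention: prune only after a successful upload, and only under this policy's prefix.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$retentionDays)
Get-AzStorageBlob -Container $container -Prefix "$fwPol/" -Context $ctx |
    Where-Object { $_.LastModified.UtcDateTime -lt $cutoff } |
    Remove-AzStorageBlob
```

Because pruning runs only after a successful upload, a failed export never reduces the set of retained files.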