How will TLS inpection affect the IDPS

Question

How will TLS inpection affect the IDPS

Ethan Hou 61 Microsoft Employee

Hi,

I'm trying to set up the IDPS of Azure Firewall premium, to make the IDPS stronger, TLS inspection is needed. Could you please tell me will Azure Firewall Premium always do the TLS inspection to the incoming traffic by default? Or, do I need to enable the TLS inspection on the sidebar manually?

Thanks!

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-02-21T10:42:16.117+00:00

Hello @Ethan Hou ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As per our official doc, TLS inspection feature on Azure Firewall premium decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.

For Outbound TLS Inspection & East-West TLS Inspection, you need to enable the TLS inspection feature for it be active. So you need to do either enable it manually on your Azure Firewall policy OR add a parent policy to your firewall policy where TLS inspection is already enabled (this will make sure that your policy will inherit rules and other settings from the selected parent policy).

But inbound TLS inspection is mentioned to be supported with Azure Application Gateway, which provides end-to-end encryption. So looks like Azure Firewall Premium will NOT do the TLS inspection for the incoming/inbound traffic by default.

Last internal update that I can find from our product group team is below:
For inbound traffic, the Azure Firewall performs both DNAT rule filtering and IDPS signature verification. We compare network traffic against more than 30000 malware signatures. Of course, inbound TLS provides additional security as we can look closely into the https payload. This feature is in our roadmap.
I'm checking with the Azure Firewall product group team regarding this feature release update. Will keep you posted.

Regards,
Gita

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-02-21T10:42:16.117+00:00

Hello @Ethan Hou ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As per our official doc, TLS inspection feature on Azure Firewall premium decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.

For Outbound TLS Inspection & East-West TLS Inspection, you need to enable the TLS inspection feature for it be active. So you need to do either enable it manually on your Azure Firewall policy OR add a parent policy to your firewall policy where TLS inspection is already enabled (this will make sure that your policy will inherit rules and other settings from the selected parent policy).

But inbound TLS inspection is mentioned to be supported with Azure Application Gateway, which provides end-to-end encryption. So looks like Azure Firewall Premium will NOT do the TLS inspection for the incoming/inbound traffic by default.

Last internal update that I can find from our product group team is below:
For inbound traffic, the Azure Firewall performs both DNAT rule filtering and IDPS signature verification. We compare network traffic against more than 30000 malware signatures. Of course, inbound TLS provides additional security as we can look closely into the https payload. This feature is in our roadmap.
I'm checking with the Azure Firewall product group team regarding this feature release update. Will keep you posted.

Regards,
Gita

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @Ethan Hou ,

I've confirmed with the Azure Firewall Product group team and they mentioned that Azure Firewall Premium perform TLS inspection ONLY if it was explicitly configured in its application rules. TLS inspection decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.

For Outbound TLS Inspection & East-West TLS Inspection, you need to enable the TLS inspection feature for it be active. So you need to do either of the below:

Enable it manually on your Azure Firewall policy.
OR
Add a parent policy to your firewall policy where TLS inspection is already enabled (this will make sure that your policy will inherit rules and other settings from the selected parent policy).
Refer : https://learn.microsoft.com/en-us/azure/firewall/premium-features

But as mentioned earlier, for inbound traffic, the Azure Firewall performs both DNAT rule filtering and IDPS signature verification. We compare network traffic against more than 30000 malware signatures for security. Inbound TLS inspection is currently supported with Azure Application Gateway, which provides end-to-end encryption. So, at present Azure Firewall Premium will NOT do the TLS inspection for the incoming/inbound traffic by default or even when enabled as a feature. Per our PG team, inbound TLS inspection is in our roadmap but there is no ETA at the moment.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Ethan Hou 61 Reputation points Microsoft Employee

2022-02-21T12:24:39.847+00:00

Hi @GitaraniSharma-MSFT ,

Thanks for your quick and detailed reply, it is really helpful!

I have two more questions that related to your answer. You said we can manually enabled the TLS inspection on Azure Firewall Policy. From my experience, the TLS inspection is only mandatory while the destination type of the application rule is URL with https protocol:

]1

However, for the FQDN, FQDN Tag, and Web categories, if the protocol is https the TLS inspection is not mandatory, why is it like that? If I disable TLS inspection for the FQDN, FQDN Tag, or Web categories, will this weaken IDPS's power?

Thanks!
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-02-21T13:26:24.027+00:00

Hello @Ethan Hou ,

TLS inspection is mandatory while the destination type of the application rule is URL with https protocol because if the traffic is encrypted (i.e. HTTPS), the URL is also encrypted and we must decrypt the traffic with TLSi in order to reveal the actual URL and decide if to allow or deny the session.

For the FQDN, FQDN Tag, and Web categories, it is based on customer preference. Without TLSi, IDPS will not be able to detect malwares that are carried out in the encrypted HTTPS tunnel. So, you need to make a judgement according to your requirement and then choose to enable TLSi on these destination types.

Regards,
Gita
Ethan Hou 61 Reputation points Microsoft Employee

2022-02-21T13:30:19.527+00:00

Got it, thank you so much for the help @GitaraniSharma-MSFT !
Ethan Hou 61 Reputation points Microsoft Employee

2022-02-22T02:28:24.537+00:00

Hi @GitaraniSharma-MSFT ,

Sorry for asking again, I meet a new issue while configuring the Firewall Policy:

Currently I have two Firewall Policies with Premium tier, the parent firewall policy is configured with TLS inspection enabled, the child firewall policy is inherit from the parent policy but I didn't override the CA of parent policy:

Here is the issue, when I tried to create a new application rule for the child firewall policy, however, I couldn't enable the TLS inspection for the new rule unless I override the CA of parent firewall policy:

Could you please tell me is this design on purpose? Why do I need to override parent CA to enable the TLS inspection for the child policy?

Thanks!
Ethan
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-02-22T08:28:56.07+00:00

Hello @Ethan Hou ,

Thank you for reporting this issue. I reproduced this in my lab and encountered the same issue, so I reached out to the Azure Firewall Product group team for validation. They have confirmed that this is a bug and hence I've created an internal task for them to fix this bug at the earliest.

The expected behavior is : You should be able to enable TLSi on the application rules of the child policy without overriding the parent CA.

Will update this thread once the bug is fixed.

Regards,
Gita
Ethan Hou 61 Reputation points Microsoft Employee

2022-02-22T14:26:40.083+00:00

Hi @GitaraniSharma-MSFT ,

The expected behavior makes more sense to me and I'm glad to see we found this bug before it begins to affect our customer.

Thank you for letting me know and also thank you for being so supportive! I believe we will get the update soon.

Best,
Ethan
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-02-24T09:06:04.37+00:00

Hello @Ethan Hou ,

This product/feature bug may take some to fix. Per the product group team, the next update would be around mid-march. So, in the mean time, you can use the workaround to override the parent CA to enable TLSi in the application rules of child policy by using the same certificate.

Will update this thread in mid-march again when I hear from the PG team.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-29T09:08:09.453+00:00

<<<<UPDATE>>>>

Hello @Ethan Hou ,

I have received the ETA on this bug fix rollout from PG as Mid-May. Hope this helps!

Regards,
Gita
Ethan Hou 61 Reputation points Microsoft Employee

2022-03-30T03:38:20.44+00:00

Hi @GitaraniSharma-MSFT ,

Got it. Thank you for letting me know!

Best,
Ethan
Ken Millard 0 Reputation points

2023-01-23T14:37:16.0233333+00:00

As of January 2023, has the product group implemented TLS inspection for inbound traffic in Azure Firewall Premium? Just wanted to confirm whether this feature was available. Thanks!

Ken
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-24T11:59:48.67+00:00
Hello @Ken Millard ,

As mentioned in the Azure Firewall Premium doc,

The following use cases are supported with Azure Firewall:

Outbound TLS Inspection : To protect against malicious traffic that is sent from an internal client hosted in Azure to the Internet.

East-West TLS Inspection (includes traffic that goes from/to an on-premises network) : To protect your Azure workloads from potential malicious traffic sent from within Azure.

The following use case is supported by Azure Web Application Firewall on Azure Application Gateway:

Inbound TLS Inspection : To protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption.

So, TLS inspection for inbound traffic is not supported in Azure Firewall Premium. It is only supported by Azure Web Application Firewall on Azure Application Gateway

Regards,
Gita

Share via

How will TLS inpection affect the IDPS

0 additional answers

Your answer