az network firewall policy rule-collection-group collection

Note

This reference is part of the azure-firewall extension for the Azure CLI (version 2.67.0 or higher). The extension will automatically install the first time you run an az network firewall policy rule-collection-group collection command. Learn more about extensions.

Manage and configure Azure firewall policy rule collections in the rule collection group.

Currently, Azure Firewall policy supports two kinds of rule collections: Filter collections and NAT collections. There are three kinds of rules: application rules, network rules and NAT rules. A NAT collection holds a list of NAT rules. A Filter collection holds a list of rules (network rules or application rules), but all of the rules in a collection should be the same type.

Commands

| Name | Description | Type | Status |
| --- | --- | --- | --- |
| az network firewall policy rule-collection-group collection add-filter-collection | Add a filter collection into an Azure firewall policy rule collection group. | Extension | Preview |
| az network firewall policy rule-collection-group collection add-nat-collection | Add a NAT collection into an Azure firewall policy rule collection group. | Extension | Preview |
| az network firewall policy rule-collection-group collection list | List all rule collections of an Azure firewall policy rule collection group. | Extension | Preview |
| az network firewall policy rule-collection-group collection remove | Remove a rule collection from an Azure firewall policy rule collection group. | Extension | Preview |
| az network firewall policy rule-collection-group collection rule | Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy. | Extension | GA |
| az network firewall policy rule-collection-group collection rule add | Add a rule into an Azure firewall policy rule collection. | Extension | Preview |
| az network firewall policy rule-collection-group collection rule remove | Remove a rule from an Azure firewall policy rule collection. | Extension | Preview |
| az network firewall policy rule-collection-group collection rule update | Update a rule of an Azure firewall policy rule collection. | Extension | Preview |

az network firewall policy rule-collection-group collection add-filter-collection

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Add a filter collection into an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection add-filter-collection --collection-priority
                                                                                  --name
                                                                                  --policy-name
                                                                                  --rcg-name --rule-collection-group-name
                                                                                  --resource-group
                                                                                  [--action {Allow, Deny}]
                                                                                  [--add]
                                                                                  [--description]
                                                                                  [--dest-addr --destination-addresses]
                                                                                  [--dest-ipg --destination-ip-groups]
                                                                                  [--destination-fqdns]
                                                                                  [--destination-ports]
                                                                                  [--enable-tls-insp --enable-tls-inspection {0, 1, f, false, n, no, t, true, y, yes}]
                                                                                  [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                                  [--fqdn-tags]
                                                                                  [--http-headers-to-insert]
                                                                                  [--ip-protocols]
                                                                                  [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                                  [--protocols]
                                                                                  [--remove]
                                                                                  [--rule-name]
                                                                                  [--rule-type {ApplicationRule, NatRule, NetworkRule}]
                                                                                  [--set]
                                                                                  [--source-addresses]
                                                                                  [--source-ip-groups]
                                                                                  [--target-fqdns]
                                                                                  [--target-urls]
                                                                                  [--web-categories]

Examples

Add a filter collection with Network rule into the rule collection group

az network firewall policy rule-collection-group collection add-filter-collection -g {rg} \
    --policy-name {policy} --rule-collection-group-name {collectiongroup} \
    --name filter_collection --action Allow \
    --rule-name network_rule --rule-type NetworkRule --description "test" \
    --destination-addresses "202.120.36.15" \
    --source-addresses "202.120.36.13" "202.120.36.14" \
    --destination-ports 12003 12004 --ip-protocols TCP UDP \
    --collection-priority 11002

Add a filter collection with Application rule into the rule collection group

az network firewall policy rule-collection-group collection add-filter-collection -g {rg} \
    --policy-name {policy} --rule-collection-group-name {collectiongroup} \
    --name filter_collection --action Allow \
    --rule-name application_rule --rule-type ApplicationRule --description "test" \
    --destination-addresses "202.120.36.15" "202.120.36.16" \
    --source-addresses "202.120.36.13" "202.120.36.14" \
    --protocols Http=12800 Https=12801 --fqdn-tags AzureBackup HDInsight \
    --collection-priority 11100

Required Parameters

--collection-priority

The priority of the rule in Firewall Policy Rule Collection Group.

--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--action

The action type of a rule collection.

Property Value
Accepted values: Allow, Deny
--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

Property Value
Parameter group: Generic Update Arguments
--description

The description of rule.

Property Value
Parameter group: Common Rule Arguments
--dest-addr --destination-addresses

Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--dest-ipg --destination-ip-groups

Space-separated list of name or resource id of destination IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Network Rule Arguments
--destination-fqdns

Space-separated list of destination FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Network Rule Arguments
--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--enable-tls-insp --enable-tls-inspection

Enable flag to terminate TLS connection for this rule.

Property Value
Parameter group: Application Rule Arguments
Default value: False
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Property Value
Parameter group: Generic Update Arguments
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--fqdn-tags

Space-separated list of FQDN tags for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
--http-headers-to-insert
Preview

Space-separated list of HTTP headers to insert. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--protocols

Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

Property Value
Parameter group: Generic Update Arguments
--rule-name

The name of rule.

Property Value
Parameter group: Common Rule Arguments
--rule-type

The type of rule.

Property Value
Parameter group: Common Rule Arguments
Accepted values: ApplicationRule, NatRule, NetworkRule
--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Property Value
Parameter group: Generic Update Arguments
--source-addresses

Space-separated list of source IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--source-ip-groups

Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--target-fqdns

Space-separated list of FQDNs for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
--target-urls

Space-separated list of target urls for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
--web-categories

Space-separated list of web categories for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Application Rule Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az network firewall policy rule-collection-group collection add-nat-collection

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Add a NAT collection into an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection add-nat-collection --collection-priority
                                                                               --ip-protocols
                                                                               --name
                                                                               --policy-name
                                                                               --rcg-name --rule-collection-group-name
                                                                               --resource-group
                                                                               [--action {DNAT, SNAT}]
                                                                               [--add]
                                                                               [--description]
                                                                               [--dest-addr --destination-addresses]
                                                                               [--destination-ports]
                                                                               [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                               [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                               [--remove]
                                                                               [--rule-name]
                                                                               [--set]
                                                                               [--source-addresses]
                                                                               [--source-ip-groups]
                                                                               [--translated-address]
                                                                               [--translated-fqdn]
                                                                               [--translated-port]

Examples

Add a NAT collection into the rule collection group

az network firewall policy rule-collection-group collection add-nat-collection -n nat_collection \
    --collection-priority 10003 --policy-name {policy} -g {rg} \
    --rule-collection-group-name {collectiongroup} --action DNAT \
    --rule-name network_rule --description "test" \
    --destination-addresses "202.120.36.15" \
    --source-addresses "202.120.36.13" "202.120.36.14" \
    --translated-address 128.1.1.1 --translated-port 1234 \
    --destination-ports 12000 12001 --ip-protocols TCP UDP

Required Parameters

--collection-priority

The priority of the rule in Firewall Policy Rule Collection Group.

--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--action

The action type of a rule collection.

Property Value
Accepted values: DNAT, SNAT
--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

Property Value
Parameter group: Generic Update Arguments
--description

The description of rule.

Property Value
Parameter group: Common Rule Arguments
--dest-addr --destination-addresses

Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Property Value
Parameter group: Generic Update Arguments
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

Property Value
Parameter group: Generic Update Arguments
--rule-name

The name of rule.

Property Value
Parameter group: Common Rule Arguments
--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Property Value
Parameter group: Generic Update Arguments
--source-addresses

Space-separated list of source IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--source-ip-groups

Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Property Value
Parameter group: Common Rule Arguments
--translated-address

Translated address for this NAT rule collection.

Property Value
Parameter group: Nat Rule Arguments
--translated-fqdn

Translated FQDN for this NAT rule collection.

Property Value
Parameter group: Nat Rule Arguments
--translated-port

Translated port for this NAT rule collection.

Property Value
Parameter group: Nat Rule Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az network firewall policy rule-collection-group collection list

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

List all rule collections of an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection list --policy-name
                                                                 --rcg-name --rule-collection-group-name
                                                                 --resource-group

Required Parameters

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False
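
Added example (not part of the original reference or of the Azure CLI): a Python audit of the JSON that the list command returns with -o json. It flags filter collections that mix rule types, Allow rules open from any source to any destination, and DNAT rules reachable from any source. The JSON field names and the rules named any_out, net and app are assumptions based on the Firewall Policy resource schema; the sample data is constructed.

```python
import json
import sys

# Constructed sample shaped like `collection list -o json` output. The field
# names (ruleCollectionType, action.type, rules[].ruleType, sourceAddresses, ...)
# are assumed from the Firewall Policy resource schema; check your own output.
SAMPLE = json.loads("""
[
 {"name": "filter_collection", "priority": 11002,
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "action": {"type": "Allow"},
  "rules": [
   {"name": "network_rule", "ruleType": "NetworkRule",
    "sourceAddresses": ["202.120.36.13", "202.120.36.14"],
    "destinationAddresses": ["202.120.36.15"],
    "destinationPorts": ["12003", "12004"], "ipProtocols": ["TCP", "UDP"]},
   {"name": "any_out", "ruleType": "NetworkRule",
    "sourceAddresses": ["*"], "destinationAddresses": ["*"],
    "destinationPorts": ["*"], "ipProtocols": ["Any"]}]},
 {"name": "mixed_collection", "priority": 11100,
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "action": {"type": "Allow"},
  "rules": [
   {"name": "net", "ruleType": "NetworkRule",
    "sourceAddresses": ["10.0.0.0/24"], "destinationAddresses": ["10.1.0.4"],
    "destinationPorts": ["443"], "ipProtocols": ["TCP"]},
   {"name": "app", "ruleType": "ApplicationRule",
    "sourceAddresses": ["10.0.0.0/24"], "fqdnTags": ["AzureBackup"]}]},
 {"name": "nat_collection", "priority": 10003,
  "ruleCollectionType": "FirewallPolicyNatRuleCollection",
  "action": {"type": "DNAT"},
  "rules": [
   {"name": "network_rule", "ruleType": "NatRule",
    "sourceAddresses": ["*"], "destinationAddresses": ["202.120.36.15"],
    "destinationPorts": ["12000"], "ipProtocols": ["TCP"],
    "translatedAddress": "128.1.1.1", "translatedPort": "1234"}]}
]
""")

WILDCARDS = {"*", "0.0.0.0/0"}


def is_any(values):
    """True when an address list contains a match-everything entry."""
    return any(str(v).strip() in WILDCARDS for v in values or [])


def audit_collections(collections):
    """Return (collection, rule, finding) tuples for risky or invalid entries."""
    findings = []
    for coll in collections:
        cname = coll.get("name", "<unnamed>")
        action = ((coll.get("action") or {}).get("type") or "").lower()
        rules = coll.get("rules") or []
        # The reference says all rules in a filter collection share one type.
        if coll.get("ruleCollectionType") == "FirewallPolicyFilterRuleCollection":
            types = sorted({r.get("ruleType", "") for r in rules})
            if len(types) > 1:
                findings.append((cname, None, "mixed-rule-types: " + ",".join(types)))
        for rule in rules:
            src_any = is_any(rule.get("sourceAddresses"))
            if rule.get("ruleType") == "NatRule":
                # Inbound DNAT reachable from every source address.
                if action == "dnat" and src_any:
                    findings.append((cname, rule.get("name"), "dnat-from-any-source"))
            elif action == "allow" and src_any and is_any(rule.get("destinationAddresses")):
                findings.append((cname, rule.get("name"), "allow-any-to-any"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no input to audit the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_collections(data):
        print(finding)
```

To audit a real policy, pipe the output of the list command with -o json into the script on standard input.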

az network firewall policy rule-collection-group collection remove

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Remove a rule collection from an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection remove --name
                                                                   --policy-name
                                                                   --rcg-name --rule-collection-group-name
                                                                   --resource-group
                                                                   [--add]
                                                                   [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                   [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                   [--remove]
                                                                   [--set]

Required Parameters

--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

Property Value
Parameter group: Generic Update Arguments
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Property Value
Parameter group: Generic Update Arguments
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

Property Value
Parameter group: Generic Update Arguments
--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Property Value
Parameter group: Generic Update Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False