az network firewall policy rule-collection-group collection
Note
This reference is part of the azure-firewall extension for the Azure CLI (version 2.45.0 or higher). The extension will automatically install the first time you run an az network firewall policy rule-collection-group collection command. Learn more about extensions.
Manage and configure Azure firewall policy rule collections in the rule collection group.
Currently, Azure Firewall policy support two kinds of rule collections which are Filter collection and NAT collection. There are three kinds of rules which are application rule, network rule and nat rule. NAT collection support having a list of nat rule. Filter collection support including a list of rules(network rule or application rule) in it. But all of rules should be the same type.
Commands
| az network firewall policy rule-collection-group collection add-filter-collection |
Add a filter collection into an Azure firewall policy rule collection group. |
| az network firewall policy rule-collection-group collection add-nat-collection |
Add a NAT collection into an Azure firewall policy rule collection group. |
| az network firewall policy rule-collection-group collection list |
List all rule collections of an Azure firewall policy rule collection group. |
| az network firewall policy rule-collection-group collection remove |
Remove a rule collection from an Azure firewall policy rule collection group. |
| az network firewall policy rule-collection-group collection rule |
Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy. |
| az network firewall policy rule-collection-group collection rule add |
Add a rule into an Azure firewall policy rule collection. |
| az network firewall policy rule-collection-group collection rule remove |
Remove a rule from an Azure firewall policy rule collection. |
| az network firewall policy rule-collection-group collection rule update |
Update a rule of an Azure firewall policy rule collection. |
az network firewall policy rule-collection-group collection add-filter-collection
Add a filter collection into an Azure firewall policy rule collection group.
Common Rule Arguments are used for both Network rule and Application rule. If you want to add more rules into filter collection, please use "az network policy rule-collection-group collection rule add/remove".
az network firewall policy rule-collection-group collection add-filter-collection --collection-priority
--name
--policy-name
--rcg-name
--resource-group
[--action {Allow, Deny}]
[--description]
[--dest-addr]
[--dest-ipg]
[--destination-fqdns]
[--destination-ports]
[--enable-tls-insp {false, true}]
[--fqdn-tags]
[--ip-protocols {Any, ICMP, TCP, UDP}]
[--protocols]
[--rule-name]
[--rule-type {ApplicationRule, NatRule, NetworkRule}]
[--source-addresses]
[--source-ip-groups]
[--target-fqdns]
[--target-urls]
[--web-categories]Examples
Add a filter collection with Network rule into the rule collection group
az network firewall policy rule-collection-group collection add-filter-collection -g {rg} --policy-name {policy} --rule-collection-group-name {collectiongroup} --name filter_collection --action Allow --rule-name network_rule --rule-type NetworkRule --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --destination-ports 12003 12004 --ip-protocols TCP UDP --collection-priority 11002Add a filter collection with Application rule into the rule collection group
az network firewall policy rule-collection-group collection add-filter-collection -g {rg} --policy-name {policy} --rule-collection-group-name {collectiongroup} --name filter_collection --action Allow --rule-name application_rule --rule-type ApplicationRule --description "test" --destination-addresses "202.120.36.15" "202.120.36.16" --source-addresses "202.120.36.13" "202.120.36.14" --protocols Http=12800 Https=12801 --fqdn-tags AzureBackup HDInsight --collection-priority 11100Required Parameters
The priority of the rule in Firewall Policy Rule Collection Group.
The name of the collection in Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The action type of a rule collection.
The description of rule.
Space-separated list of destination IP addresses.
Space-separated list of name or resource id of destination IpGroups.
Space-separated list of destination FQDNs.
Space-separated list of destination ports. This argument is supported for Nat and Network Rule.
Enable flag to terminate TLS connection for this rule.
Space-separated list of FQDN tags for this rule.
Space-separated list of IP protocols. This argument is supported for Nat and Network Rule.
Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Valid protocols are Http, Https.
The name of rule.
The type of rule.
Space-separated list of source IP addresses.
Space-separated list of name or resource id of source IpGroups.
Space-separated list of FQDNs for this rule.
Space-separated list of target urls for this rule.
Space-separated list of web categories for this rule.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network firewall policy rule-collection-group collection add-nat-collection
Add a NAT collection into an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection add-nat-collection --collection-priority
--ip-protocols {Any, ICMP, TCP, UDP}
--name
--policy-name
--rcg-name
--resource-group
[--action {DNAT, SNAT}]
[--description]
[--dest-addr]
[--destination-ports]
[--rule-name]
[--source-addresses]
[--source-ip-groups]
[--translated-address]
[--translated-fqdn]
[--translated-port]Examples
Add a NAT collection into the rule collection group
az network firewall policy rule-collection-group collection add-nat-collection -n nat_collection --collection-priority 10003 --policy-name {policy} -g {rg} --rule-collection-group-name {collectiongroup} --action DNAT --rule-name network_rule --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --translated-address 128.1.1.1 --translated-port 1234 --destination-ports 12000 12001 --ip-protocols TCP UDPRequired Parameters
The priority of the rule in Firewall Policy Rule Collection Group.
Space-separated list of IP protocols. This argument is supported for Nat and Network Rule.
The name of the collection in Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The action type of a rule collection.
The description of rule.
Space-separated list of destination IP addresses.
Space-separated list of destination ports. This argument is supported for Nat and Network Rule.
The name of rule.
Space-separated list of source IP addresses.
Space-separated list of name or resource id of source IpGroups.
Translated address for this NAT rule collection.
Translated FQDN for this NAT rule collection.
Translated port for this NAT rule collection.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network firewall policy rule-collection-group collection list
List all rule collections of an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection list --policy-name
--rcg-name
--resource-groupRequired Parameters
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network firewall policy rule-collection-group collection remove
Remove a rule collection from an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection remove --name
--policy-name
--rcg-name
--resource-groupRequired Parameters
The name of the collection in Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Submit and view feedback for