az network firewall policy rule-collection-group collection

Note

This reference is part of the azure-firewall extension for the Azure CLI (version 2.45.0 or higher). The extension will automatically install the first time you run an az network firewall policy rule-collection-group collection command. Learn more about extensions.

Manage and configure Azure firewall policy rule collections in the rule collection group.

Currently, Azure Firewall policy supports two kinds of rule collections: filter collections and NAT collections. There are three kinds of rules: application rules, network rules and NAT rules. A NAT collection holds a list of NAT rules. A filter collection holds a list of rules (network rules or application rules), but all of the rules should be the same type.

Commands

az network firewall policy rule-collection-group collection add-filter-collection

Add a filter collection into an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection add-nat-collection

Add a NAT collection into an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection list

List all rule collections of an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection remove

Remove a rule collection from an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection rule

Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy.

az network firewall policy rule-collection-group collection rule add

Add a rule into an Azure firewall policy rule collection.

az network firewall policy rule-collection-group collection rule remove

Remove a rule from an Azure firewall policy rule collection.

az network firewall policy rule-collection-group collection rule update

Update a rule of an Azure firewall policy rule collection.

az network firewall policy rule-collection-group collection add-filter-collection

Add a filter collection into an Azure firewall policy rule collection group.

Common Rule Arguments are used for both network rules and application rules. To add more rules to a filter collection, use "az network firewall policy rule-collection-group collection rule add/remove".

az network firewall policy rule-collection-group collection add-filter-collection --collection-priority
                                                                                  --name
                                                                                  --policy-name
                                                                                  --rcg-name
                                                                                  --resource-group
                                                                                  [--action {Allow, Deny}]
                                                                                  [--description]
                                                                                  [--dest-addr]
                                                                                  [--dest-ipg]
                                                                                  [--destination-fqdns]
                                                                                  [--destination-ports]
                                                                                  [--enable-tls-insp {false, true}]
                                                                                  [--fqdn-tags]
                                                                                  [--ip-protocols {Any, ICMP, TCP, UDP}]
                                                                                  [--protocols]
                                                                                  [--rule-name]
                                                                                  [--rule-type {ApplicationRule, NatRule, NetworkRule}]
                                                                                  [--source-addresses]
                                                                                  [--source-ip-groups]
                                                                                  [--target-fqdns]
                                                                                  [--target-urls]
                                                                                  [--web-categories]

Examples

Add a filter collection with Network rule into the rule collection group

az network firewall policy rule-collection-group collection add-filter-collection -g {rg} --policy-name {policy} --rule-collection-group-name {collectiongroup} --name filter_collection --action Allow --rule-name network_rule --rule-type NetworkRule --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --destination-ports 12003 12004 --ip-protocols TCP UDP --collection-priority 11002

Add a filter collection with Application rule into the rule collection group

az network firewall policy rule-collection-group collection add-filter-collection -g {rg} --policy-name {policy} --rule-collection-group-name {collectiongroup} --name filter_collection --action Allow --rule-name application_rule --rule-type ApplicationRule --description "test" --destination-addresses "202.120.36.15" "202.120.36.16" --source-addresses "202.120.36.13" "202.120.36.14" --protocols Http=12800 Https=12801 --fqdn-tags AzureBackup HDInsight --collection-priority 11100

Required Parameters

--collection-priority

The priority of the rule in Firewall Policy Rule Collection Group.

--name -n

The name of the collection in Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--action

The action type of a rule collection.

accepted values: Allow, Deny

--description

The description of the rule.

--dest-addr --destination-addresses

Space-separated list of destination IP addresses.

--dest-ipg --destination-ip-groups

Space-separated list of names or resource IDs of destination IpGroups.

--destination-fqdns

Space-separated list of destination FQDNs.

--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule.

--enable-tls-insp --enable-tls-inspection

Enable flag to terminate TLS connection for this rule.

accepted values: false, true
default value: False

--fqdn-tags

Space-separated list of FQDN tags for this rule.

--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule.

accepted values: Any, ICMP, TCP, UDP

--protocols

Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Valid protocols are Http, Https.

--rule-name

The name of the rule.

--rule-type

The type of rule.

accepted values: ApplicationRule, NatRule, NetworkRule

--source-addresses

Space-separated list of source IP addresses.

--source-ip-groups

Space-separated list of names or resource IDs of source IpGroups.

--target-fqdns

Space-separated list of FQDNs for this rule.

--target-urls

Space-separated list of target URLs for this rule.

--web-categories

Space-separated list of web categories for this rule.
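
The argument constraints described above can be checked before a change reaches the firewall policy. The following is an added example, not part of the Azure CLI or the original reference: `lint_filter_args` is a hypothetical helper that takes the arguments intended for add-filter-collection and reports rule-type and flag combinations that contradict this page.

```shell
# Added example: lint_filter_args is a hypothetical helper, not an Azure CLI command.
# It prints one finding per line and returns 1 if any check fails.
lint_filter_args() (
  rule_type="" flag="" ports=0 ipproto=0 findings=""
  add() { findings="${findings}$1
"; }
  for arg in "$@"; do
    case "$arg" in
      -*) flag="$arg"   # any flag, long or short, starts a new value list
          case "$flag" in
            --destination-ports) ports=1 ;;
            --ip-protocols)      ipproto=1 ;;
          esac ;;
      *)  case "$flag" in
            --rule-type) rule_type="$arg" ;;
            --protocols)
              # PROTOCOL=PORT format; the page lists Http and Https as valid.
              port="${arg#*=}"
              case "$arg" in
                Http=*|Https=*)
                  case "$port" in
                    ''|*[!0-9]*) add "bad port in --protocols: $arg" ;;
                  esac ;;
                *) add "bad --protocols value: $arg" ;;
              esac ;;
          esac ;;
    esac
  done
  case "$rule_type" in
    # A filter collection holds network or application rules only.
    NatRule) add "NatRule belongs in add-nat-collection, not a filter collection" ;;
    ApplicationRule)
      [ "$ports" -eq 0 ]   || add "--destination-ports is for Nat and Network rules"
      [ "$ipproto" -eq 0 ] || add "--ip-protocols is for Nat and Network rules" ;;
  esac
  printf '%s' "$findings"
  [ -z "$findings" ]
)

# Constructed input: the page's application-rule example with
# --destination-ports added by mistake; prints one finding.
lint_filter_args --rule-type ApplicationRule --protocols Http=12800 Https=12801 \
  --fqdn-tags AzureBackup HDInsight --destination-ports 443 || true
```
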

az network firewall policy rule-collection-group collection add-nat-collection

Add a NAT collection into an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection add-nat-collection --collection-priority
                                                                               --ip-protocols {Any, ICMP, TCP, UDP}
                                                                               --name
                                                                               --policy-name
                                                                               --rcg-name
                                                                               --resource-group
                                                                               [--action {DNAT, SNAT}]
                                                                               [--description]
                                                                               [--dest-addr]
                                                                               [--destination-ports]
                                                                               [--rule-name]
                                                                               [--source-addresses]
                                                                               [--source-ip-groups]
                                                                               [--translated-address]
                                                                               [--translated-fqdn]
                                                                               [--translated-port]

Examples

Add a NAT collection into the rule collection group

az network firewall policy rule-collection-group collection add-nat-collection -n nat_collection --collection-priority 10003 --policy-name {policy} -g {rg} --rule-collection-group-name {collectiongroup} --action DNAT --rule-name network_rule --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --translated-address 128.1.1.1 --translated-port 1234 --destination-ports 12000 12001 --ip-protocols TCP UDP

Required Parameters

--collection-priority

The priority of the rule in Firewall Policy Rule Collection Group.

--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule.

accepted values: Any, ICMP, TCP, UDP

--name -n

The name of the collection in Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--action

The action type of a rule collection.

accepted values: DNAT, SNAT

--description

The description of the rule.

--dest-addr --destination-addresses

Space-separated list of destination IP addresses.

--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule.

--rule-name

The name of the rule.

--source-addresses

Space-separated list of source IP addresses.

--source-ip-groups

Space-separated list of names or resource IDs of source IpGroups.

--translated-address

Translated address for this NAT rule collection.

--translated-fqdn

Translated FQDN for this NAT rule collection.

--translated-port

Translated port for this NAT rule collection.

az network firewall policy rule-collection-group collection list

List all rule collections of an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection list --policy-name
                                                                 --rcg-name
                                                                 --resource-group

Required Parameters

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network firewall policy rule-collection-group collection remove

Remove a rule collection from an Azure firewall policy rule collection group.

az network firewall policy rule-collection-group collection remove --name
                                                                   --policy-name
                                                                   --rcg-name
                                                                   --resource-group

Required Parameters

--name -n

The name of the collection in Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.