az network firewall policy rule-collection-group collection
Note
This reference is part of the azure-firewall extension for the Azure CLI (version 2.67.0 or higher). The extension will automatically install the first time you run an az network firewall policy rule-collection-group collection command. Learn more about extensions.
Manage and configure Azure firewall policy rule collections in the rule collection group.
Currently, Azure Firewall policy support two kinds of rule collections which are Filter collection and NAT collection. There are three kinds of rules which are application rule, network rule and nat rule. NAT collection support having a list of nat rule. Filter collection support including a list of rules(network rule or application rule) in it. But all of rules should be the same type.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az network firewall policy rule-collection-group collection add-filter-collection |
Add a filter collection into an Azure firewall policy rule collection group. |
Extension | Preview |
| az network firewall policy rule-collection-group collection add-nat-collection |
Add a NAT collection into an Azure firewall policy rule collection group. |
Extension | Preview |
| az network firewall policy rule-collection-group collection list |
List all rule collections of an Azure firewall policy rule collection group. |
Extension | Preview |
| az network firewall policy rule-collection-group collection remove |
Remove a rule collection from an Azure firewall policy rule collection group. |
Extension | Preview |
| az network firewall policy rule-collection-group collection rule |
Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy. |
Extension | GA |
| az network firewall policy rule-collection-group collection rule add |
Add a rule into an Azure firewall policy rule collection. |
Extension | Preview |
| az network firewall policy rule-collection-group collection rule remove |
Remove a rule from an Azure firewall policy rule collection. |
Extension | Preview |
| az network firewall policy rule-collection-group collection rule update |
Update a rule of an Azure firewall policy rule collection. |
Extension | Preview |
az network firewall policy rule-collection-group collection add-filter-collection
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Add a filter collection into an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection add-filter-collection --collection-priority
--name
--policy-name
--rcg-name --rule-collection-group-name
--resource-group
[--action {Allow, Deny}]
[--add]
[--description]
[--dest-addr --destination-addresses]
[--dest-ipg --destination-ip-groups]
[--destination-fqdns]
[--destination-ports]
[--enable-tls-insp --enable-tls-inspection {0, 1, f, false, n, no, t, true, y, yes}]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--fqdn-tags]
[--http-headers-to-insert]
[--ip-protocols]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--protocols]
[--remove]
[--rule-name]
[--rule-type {ApplicationRule, NatRule, NetworkRule}]
[--set]
[--source-addresses]
[--source-ip-groups]
[--target-fqdns]
[--target-urls]
[--web-categories]Examples
Add a filter collection with Network rule into the rule collection group
az network firewall policy rule-collection-group collection add-filter-collection -g {rg}
--policy-name {policy} --rule-collection-group-name {collectiongroup} --name
filter_collection --action Allow --rule-name network_rule --rule-type NetworkRule
--description "test" --destination-addresses "202.120.36.15" --source-addresses
"202.120.36.13" "202.120.36.14" --destination-ports 12003 12004 --ip-protocols TCP UDP
--collection-priority 11002Add a filter collection with Application rule into the rule collection group
az network firewall policy rule-collection-group collection add-filter-collection -g {rg}
--policy-name {policy} --rule-collection-group-name {collectiongroup} --name
filter_collection --action Allow --rule-name application_rule --rule-type ApplicationRule
--description "test" --destination-addresses "202.120.36.15" "202.120.36.16" --source-
addresses "202.120.36.13" "202.120.36.14" --protocols Http=12800 Https=12801 --fqdn-tags
AzureBackup HDInsight --collection-priority 11100Required Parameters
The priority of the rule in Firewall Policy Rule Collection Group.
The name of the Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The action type of a rule collection.
| Property | Value |
|---|---|
| Accepted values: | Allow, Deny |
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
The description of rule.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of name or resource id of destination IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Network Rule Arguments |
Space-separated list of destination FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Network Rule Arguments |
Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Enable flag to terminate TLS connection for this rule.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
| Default value: | False |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Space-separated list of FQDN tags for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Space-separated list of HTTP headers to insert. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
The name of rule.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
The type of rule.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
| Accepted values: | ApplicationRule, NatRule, NetworkRule |
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Space-separated list of source IP ddresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of FQDNs for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Space-separated list of target urls for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Space-separated list of web categories for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Application Rule Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network firewall policy rule-collection-group collection add-nat-collection
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Add a NAT collection into an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection add-nat-collection --collection-priority
--ip-protocols
--name
--policy-name
--rcg-name --rule-collection-group-name
--resource-group
[--action {DNAT, SNAT}]
[--add]
[--description]
[--dest-addr --destination-addresses]
[--destination-ports]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--remove]
[--rule-name]
[--set]
[--source-addresses]
[--source-ip-groups]
[--translated-address]
[--translated-fqdn]
[--translated-port]Examples
Add a NAT collection into the rule collection group
az network firewall policy rule-collection-group collection add-nat-collection -n
nat_collection --collection-priority 10003 --policy-name {policy} -g {rg} --rule-collection-
group-name {collectiongroup} --action DNAT --rule-name network_rule --description "test"
--destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14"
--translated-address 128.1.1.1 --translated-port 1234 --destination-ports 12000 12001 --ip-
protocols TCP UDPRequired Parameters
The priority of the rule in Firewall Policy Rule Collection Group.
Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
The name of the Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The action type of a rule collection.
| Property | Value |
|---|---|
| Accepted values: | DNAT, SNAT |
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
The description of rule.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
The name of rule.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Space-separated list of source IP ddresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Common Rule Arguments |
Translated address for this NAT rule collection.
| Property | Value |
|---|---|
| Parameter group: | Nat Rule Arguments |
Translated FQDN for this NAT rule collection.
| Property | Value |
|---|---|
| Parameter group: | Nat Rule Arguments |
Translated port for this NAT rule collection.
| Property | Value |
|---|---|
| Parameter group: | Nat Rule Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network firewall policy rule-collection-group collection list
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
List all rule collections of an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection list --policy-name
--rcg-name --rule-collection-group-name
--resource-groupRequired Parameters
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az network firewall policy rule-collection-group collection remove
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Remove a rule collection from an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection remove --name
--policy-name
--rcg-name --rule-collection-group-name
--resource-group
[--add]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--remove]
[--set]Required Parameters
The name of the Firewall Policy Rule Collection Group.
The name of the Firewall Policy.
The name of the Firewall Policy Rule Collection Group.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Do not wait for the long-running operation to finish.
| Property | Value |
|---|---|
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
