az network firewall policy

Note

This reference is part of the azure-firewall extension for the Azure CLI (version 2.55.0 or higher). The extension will automatically install the first time you run an az network firewall policy command. Learn more about extensions.

Manage and configure Azure firewall policy.

Commands

Name	Description	Type	Status
az network firewall policy create	Create an Azure firewall policy.	Extension	GA
az network firewall policy delete	Delete an Azure firewall policy.	Extension	GA
az network firewall policy intrusion-detection	Manage intrusion signature rules and bypass rules.	Extension	GA
az network firewall policy intrusion-detection add	Update an Azure firewall policy.	Extension	GA
az network firewall policy intrusion-detection list	List all intrusion detection configuration.	Extension	Preview
az network firewall policy intrusion-detection remove	Update an Azure firewall policy.	Extension	GA
az network firewall policy list	List all Azure firewall policies.	Extension	GA
az network firewall policy rule-collection-group	Manage and configure Azure firewall policy rule collection group.	Extension	GA
az network firewall policy rule-collection-group collection	Manage and configure Azure firewall policy rule collections in the rule collection group.	Extension	GA
az network firewall policy rule-collection-group collection add-filter-collection	Add a filter collection into an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group collection add-nat-collection	Add a NAT collection into an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group collection list	List all rule collections of an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group collection remove	Remove a rule collection from an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group collection rule	Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy.	Extension	GA
az network firewall policy rule-collection-group collection rule add	Add a rule into an Azure firewall policy rule collection.	Extension	Preview
az network firewall policy rule-collection-group collection rule remove	Remove a rule from an Azure firewall policy rule collection.	Extension	Preview
az network firewall policy rule-collection-group collection rule update	Update a rule of an Azure firewall policy rule collection.	Extension	Preview
az network firewall policy rule-collection-group create	Create an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group delete	Delete an Azure Firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group list	List all Azure firewall policy rule collection groups.	Extension	Preview
az network firewall policy rule-collection-group show	Show an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group update	Update an Azure firewall policy rule collection group.	Extension	Preview
az network firewall policy rule-collection-group wait	Place the CLI in a waiting state until a condition is met.	Extension	GA
az network firewall policy show	Show an Azure firewall policy.	Extension	GA
az network firewall policy update	Update an Azure firewall policy.	Extension	GA
az network firewall policy wait	Place the CLI in a waiting state until a condition is met.	Extension	GA

az network firewall policy create

Create an Azure firewall policy.

az network firewall policy create --name
                                  --resource-group
                                  [--auto-learn-private-ranges {Disabled, Enabled}]
                                  [--base-policy]
                                  [--cert-name]
                                  [--dns-servers]
                                  [--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--explicit-proxy]
                                  [--fqdns]
                                  [--identity]
                                  [--idps-mode {Alert, Deny, Off}]
                                  [--ip-addresses]
                                  [--key-vault-secret-id]
                                  [--location]
                                  [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--private-ranges]
                                  [--sku {Basic, Premium, Standard}]
                                  [--sql {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--tags]
                                  [--threat-intel-mode {Alert, Deny, Off}]

Required Parameters

--name -n

The name of the Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--auto-learn-private-ranges --learn-ranges

The operation mode for automatically learning private ranges to not be SNAT.

accepted values: Disabled, Enabled

--base-policy

The name or ID of parent firewall policy from which rules are inherited.

--cert-name

Preview

Name of the CA certificate.

--dns-servers

Space-separated list of DNS server IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--enable-dns-proxy

Enable DNS Proxy.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--explicit-proxy

Explicit Proxy Settings definition. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--fqdns

Space-separated list of FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--identity

Name or ID of the ManagedIdentity Resource.

--idps-mode

Preview

IDPS mode.

accepted values: Alert, Deny, Off

--ip-addresses

Space-separated list of IPv4 addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--key-vault-secret-id

Preview

Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault.

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--private-ranges

List of private IP addresses/IP address ranges to not be SNAT. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--sku

Preview

SKU of Firewall policy.

accepted values: Basic, Premium, Standard

--sql

Preview

A flag to indicate if SQL Redirect traffic filtering is enabled.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--threat-intel-mode

The operation mode for Threat Intelligence.

accepted values: Alert, Deny, Off

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy delete

Delete an Azure firewall policy.

az network firewall policy delete [--ids]
                                  [--name]
                                  [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--resource-group]
                                  [--subscription]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The name of the Firewall Policy.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy list

List all Azure firewall policies.

az network firewall policy list [--max-items]
                                [--next-token]
                                [--resource-group]

Optional Parameters

--max-items

Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.

--next-token

Token to specify where to start paginating. This is the token value from a previously truncated response.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy show

Show an Azure firewall policy.

az network firewall policy show [--expand]
                                [--ids]
                                [--name]
                                [--resource-group]
                                [--subscription]

Optional Parameters

--expand

Expands referenced resources. Default value is None.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The name of the Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy update

Update an Azure firewall policy.

az network firewall policy update [--add]
                                  [--auto-learn-private-ranges {Disabled, Enabled}]
                                  [--cert-name]
                                  [--dns-servers]
                                  [--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--explicit-proxy]
                                  [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--fqdns]
                                  [--identity]
                                  [--idps-mode {Alert, Deny, Off}]
                                  [--ids]
                                  [--ip-addresses]
                                  [--key-vault-secret-id]
                                  [--name]
                                  [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--private-ranges]
                                  [--remove]
                                  [--resource-group]
                                  [--set]
                                  [--sku {Basic, Premium, Standard}]
                                  [--sql {0, 1, f, false, n, no, t, true, y, yes}]
                                  [--subscription]
                                  [--tags]
                                  [--threat-intel-mode {Alert, Deny, Off}]

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--auto-learn-private-ranges --learn-ranges

The operation mode for automatically learning private ranges to not be SNAT.

accepted values: Disabled, Enabled

--cert-name

Preview

Name of the CA certificate.

--dns-servers

Space-separated list of DNS server IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--enable-dns-proxy

Enable DNS Proxy.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--explicit-proxy

Explicit Proxy Settings definition. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--fqdns

Space-separated list of FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--identity

Name or ID of the ManagedIdentity Resource.

--idps-mode

Preview

IDPS mode.

accepted values: Alert, Deny, Off

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ip-addresses

Space-separated list of IPv4 addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--key-vault-secret-id

Preview

Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault.

--name -n

The name of the Firewall Policy.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--private-ranges

List of private IP addresses/IP address ranges to not be SNAT. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.

--sku

SKU of Firewall policy.

accepted values: Basic, Premium, Standard

--sql

Preview

A flag to indicate if SQL Redirect traffic filtering is enabled.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--threat-intel-mode

The operation mode for Threat Intelligence.

accepted values: Alert, Deny, Off

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy wait

Place the CLI in a waiting state until a condition is met.

az network firewall policy wait [--created]
                                [--custom]
                                [--deleted]
                                [--exists]
                                [--expand]
                                [--ids]
                                [--interval]
                                [--name]
                                [--resource-group]
                                [--subscription]
                                [--timeout]
                                [--updated]

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

default value: False

--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

default value: False

--exists

Wait until the resource exists.

default value: False

--expand

Expands referenced resources. Default value is None.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--interval

Polling interval in seconds.

default value: 30

--name -n

The name of the Firewall Policy.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--timeout

Maximum wait in seconds.

default value: 3600

--updated

Wait until updated with provisioningState at 'Succeeded'.

default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.