az network firewall

Note

This reference is part of the azure-firewall extension for the Azure CLI (version 2.45.0 or higher). The extension will automatically install the first time you run an az network firewall command. Learn more about extensions.

Manage and configure Azure Firewalls.

Commands

az network firewall application-rule	Manage and configure Azure Firewall application rules.
az network firewall application-rule collection	Manage and configure Azure Firewall application rule collections.
az network firewall application-rule collection delete	Delete an Azure Firewall application rule collection.
az network firewall application-rule collection list	List Azure Firewall application rule collections.
az network firewall application-rule collection show	Get the details of an Azure Firewall application rule collection.
az network firewall application-rule create	Create an Azure Firewall application rule.
az network firewall application-rule delete	Delete an Azure Firewall application rule.
az network firewall application-rule list	List Azure Firewall application rules.
az network firewall application-rule show	Get the details of an Azure Firewall application rule.
az network firewall create	Create an Azure Firewall.
az network firewall delete	Delete an Azure Firewall.
az network firewall ip-config	Manage and configure Azure Firewall IP configurations.
az network firewall ip-config create	Create an Azure Firewall IP configuration.
az network firewall ip-config delete	Delete an Azure Firewall IP configuration.
az network firewall ip-config list	List Azure Firewall IP configurations.
az network firewall ip-config show	Get the details of an Azure Firewall IP configuration.
az network firewall learned-ip-prefix	Retrieves a list of all IP prefixes that azure firewall has learned to not SNAT.
az network firewall list	List Azure Firewalls.
az network firewall list-fqdn-tags	Gets all the Azure Firewall FQDN Tags in a subscription.
az network firewall management-ip-config	Manage and configure Azure Firewall Management IP configurations.
az network firewall management-ip-config show	Get the details of an Azure Firewall Management IP configuration.
az network firewall management-ip-config update	Update an Azure Firewall Management IP configuration.
az network firewall nat-rule	Manage and configure Azure Firewall NAT rules.
az network firewall nat-rule collection	Manage and configure Azure Firewall NAT rules.
az network firewall nat-rule collection delete	Delete an Azure Firewall NAT rule collection.
az network firewall nat-rule collection list	List Azure Firewall NAT rule collections.
az network firewall nat-rule collection show	Get the details of an Azure Firewall NAT rule collection.
az network firewall nat-rule create	Create an Azure Firewall NAT rule.
az network firewall nat-rule delete	Delete an Azure Firewall NAT rule.
az network firewall nat-rule list	List Azure Firewall NAT rules.
az network firewall nat-rule show	Get the details of an Azure Firewall NAT rule.
az network firewall network-rule	Manage and configure Azure Firewall network rules.
az network firewall network-rule collection	Manage and configure Azure Firewall network rule collections.
az network firewall network-rule collection delete	Delete an Azure Firewall network rule collection.
az network firewall network-rule collection list	List Azure Firewall network rule collections.
az network firewall network-rule collection show	Get the details of an Azure Firewall network rule collection.
az network firewall network-rule create	Create an Azure Firewall network rule.
az network firewall network-rule delete	Delete an Azure Firewall network rule. If you want to delete the last rule in a collection, please delete the collection instead.
az network firewall network-rule list	List Azure Firewall network rules.
az network firewall network-rule show	Get the details of an Azure Firewall network rule.
az network firewall policy	Manage and configure Azure firewall policy.
az network firewall policy create	Create an Azure firewall policy.
az network firewall policy delete	Delete an Azure firewall policy.
az network firewall policy intrusion-detection	Manage intrusion signature rules and bypass rules.
az network firewall policy intrusion-detection add	Add overrided intrusion signature or a bypass rule or private ranges list for intrusion detection.
az network firewall policy intrusion-detection list	List all intrusion detection configuration.
az network firewall policy intrusion-detection remove	Remove overrided intrusion signature or a bypass rule.
az network firewall policy list	List all Azure firewall policies.
az network firewall policy rule-collection-group	Manage and configure Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection	Manage and configure Azure firewall policy rule collections in the rule collection group.
az network firewall policy rule-collection-group collection add-filter-collection	Add a filter collection into an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection add-nat-collection	Add a NAT collection into an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection list	List all rule collections of an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection remove	Remove a rule collection from an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group collection rule	Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy.
az network firewall policy rule-collection-group collection rule add	Add a rule into an Azure firewall policy rule collection.
az network firewall policy rule-collection-group collection rule remove	Remove a rule from an Azure firewall policy rule collection.
az network firewall policy rule-collection-group collection rule update	Update a rule of an Azure firewall policy rule collection.
az network firewall policy rule-collection-group create	Create an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group delete	Delete an Azure Firewall policy rule collection group.
az network firewall policy rule-collection-group list	List all Azure firewall policy rule collection groups.
az network firewall policy rule-collection-group show	Show an Azure firewall policy rule collection group.
az network firewall policy rule-collection-group update	Update an Azure firewall policy rule collection group.
az network firewall policy show	Show an Azure firewall policy.
az network firewall policy update	Update an Azure firewall policy.
az network firewall policy wait	Place the CLI in a waiting state until a condition is met.
az network firewall show	Get the details of an Azure Firewall.
az network firewall threat-intel-allowlist	Manage and configure Azure Firewall Threat Intelligence Allow List.
az network firewall threat-intel-allowlist create	Create an Azure Firewall Threat Intelligence Allow List.
az network firewall threat-intel-allowlist delete	Delete an Azure Firewall Threat Intelligence Allow List.
az network firewall threat-intel-allowlist show	Get the details of an Azure Firewall Threat Intelligence Allow List.
az network firewall threat-intel-allowlist update	Update Azure Firewall Threat Intelligence Allow List.
az network firewall update	Update an Azure Firewall.
az network firewall wait	Place the CLI in a waiting state until a condition is met.

az network firewall create

Create an Azure Firewall.

az network firewall create --name
                           --resource-group
                           [--allow-active-ftp {0, 1, f, false, n, no, t, true, y, yes}]
                           [--conf-name]
                           [--count]
                           [--dns-servers]
                           [--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
                           [--enable-fat-flow-logging {0, 1, f, false, n, no, t, true, y, yes}]
                           [--enable-udp-log-optimization {0, 1, f, false, n, no, t, true, y, yes}]
                           [--firewall-policy]
                           [--location]
                           [--m-conf-name]
                           [--m-public-ip]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--private-ranges]
                           [--public-ip]
                           [--route-server-id]
                           [--sku {AZFW_Hub, AZFW_VNet}]
                           [--tags]
                           [--threat-intel-mode {Alert, Deny, Off}]
                           [--tier {Basic, Premium, Standard}]
                           [--vhub]
                           [--vnet-name]
                           [--zones]

Examples

Create a Azure firewall with private ranges

az network firewall create -g MyResourceGroup -n MyFirewall --private-ranges 10.0.0.0 10.0.0.0/16 IANAPrivateRanges

Create a Virtual WAN Secure Hub Firewall

az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_Hub --tier Standard --virtual-hub MyVirtualHub1 --public-ip-count 1

Create a Basic SKU Firewall with Management IP Configuration

az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_VNet --tier Basic --vnet-name MyVNet --conf-name MyIpConfig --m-conf-name MyManagementIpConfig --m-public-ip MyPublicIp

Create a Basic SKU Firewall with Virtual Hub

az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_Hub --tier Basic --vhub MyVHub --public-ip-count 2

Required Parameters

--name -n

Azure Firewall name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--allow-active-ftp

Allow Active FTP. By default it is false. It's only allowed for azure firewall on virtual network.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--conf-name

Name of the IP configuration.

--count --public-ip-count

Number of Public IP Address associated with azure firewall. It's used to add public ip addresses into this firewall.

--dns-servers

Space-separated list of DNS server IP addresses. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--enable-dns-proxy

Enable DNS Proxy.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--enable-fat-flow-logging --fat-flow-logging

Allow fat flow logging. By default it is false.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--enable-udp-log-optimization --udp-log-optimization

Allow UDP log optimization. By default it is false.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--firewall-policy --policy

Name or ID of the firewallPolicy associated with this azure firewall.

--location -l

Resource location.

--m-conf-name

Name of the management IP configuration.

--m-public-ip

Name or ID of the public IP to use for management IP configuration.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--private-ranges

Space-separated list of SNAT privaterange. Validate values are single Ip, Ipprefixes or a single special value "IANAPrivateRanges". Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--public-ip

Name or ID of the public IP to use.

--route-server-id

The Route Server Id for the firewall.

--sku

SKU of Azure firewall. This field cannot be updated after the creation. The default sku in server end is AZFW_VNet. If you want to attach azure firewall to vhub, you should set sku to AZFW_Hub.

accepted values: AZFW_Hub, AZFW_VNet

--tags

Resource tags. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--threat-intel-mode

The operation mode for Threat Intelligence.

accepted values: Alert, Deny, Off

--tier

Tier of an azure firewall. --tier will take effect only when --sku is set.

accepted values: Basic, Premium, Standard

default value: Standard

--vhub --virtual-hub

Name or ID of the virtualHub to which the firewall belongs.

--vnet-name

The virtual network (VNet) name. It should contain one subnet called "AzureFirewallSubnet".

--zones -z

Space-separated list of availability zones into which to provision the resource. Allowed values: 1, 2, 3. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall delete

Delete an Azure Firewall.

az network firewall delete [--ids]
                           [--name]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--resource-group]
                           [--subscription]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Azure Firewall name.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall learned-ip-prefix

Retrieves a list of all IP prefixes that azure firewall has learned to not SNAT.

az network firewall learned-ip-prefix [--ids]
                                      [--name]
                                      [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                      [--resource-group]
                                      [--subscription]

Examples

List Learned IP Prefixes

az network firewall learned-ip-prefix -g MyResourceGroup -n MyFirewall

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Azure Firewall name.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall list

List Azure Firewalls.

az network firewall list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall list-fqdn-tags

Gets all the Azure Firewall FQDN Tags in a subscription.

:keyword api_version: Api Version. Default value is "2021-08-01". Note that overriding this default value may result in unsupported behavior. :paramtype api_version: str :keyword callable cls: A custom type or function that will be passed the direct response :return: An iterator like instance of either AzureFirewallFqdnTagListResult or the result of cls(response) :rtype: ~azure.core.paging.ItemPaged[~azure.mgmt.network.v2021_08_01.models.AzureFirewallFqdnTagListResult] :raises: ~azure.core.exceptions.HttpResponseError.

az network firewall list-fqdn-tags

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall show

Get the details of an Azure Firewall.

az network firewall show [--ids]
                         [--name]
                         [--resource-group]
                         [--subscription]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Azure Firewall name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall update

Update an Azure Firewall.

az network firewall update [--add]
                           [--allow-active-ftp {0, 1, f, false, n, no, t, true, y, yes}]
                           [--count]
                           [--dns-servers]
                           [--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
                           [--enable-fat-flow-logging {0, 1, f, false, n, no, t, true, y, yes}]
                           [--enable-udp-log-optimization {0, 1, f, false, n, no, t, true, y, yes}]
                           [--firewall-policy]
                           [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                           [--ids]
                           [--name]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--private-ranges]
                           [--public-ips]
                           [--remove]
                           [--resource-group]
                           [--route-server-id]
                           [--set]
                           [--subscription]
                           [--tags]
                           [--threat-intel-mode {Alert, Deny, Off}]
                           [--vhub]
                           [--zones]

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--allow-active-ftp

Allow Active FTP. By default it is false. It's only allowed for azure firewall on virtual network.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--count --public-ip-count

Number of Public IP Address associated with azure firewall. It's used to add public ip addresses into this firewall.

--dns-servers

Space-separated list of DNS server IP addresses. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--enable-dns-proxy

Enable DNS Proxy.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--enable-fat-flow-logging --fat-flow-logging

Allow fat flow logging. By default it is false.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--enable-udp-log-optimization --udp-log-optimization

Allow UDP log optimization. By default it is false.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--firewall-policy --policy

Name or ID of the firewallPolicy associated with this azure firewall.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Azure Firewall name.

--no-wait

Do not wait for the long-running operation to finish.

accepted values: 0, 1, f, false, n, no, t, true, y, yes

--private-ranges

Space-separated list of SNAT privaterange. Validate values are single Ip, Ipprefixes or a single special value "IANAPrivateRanges". Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--public-ips

Space-separated list of Public IP addresses associated with azure firewall. It's used to delete public ip addresses from this firewall. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--route-server-id

The Route Server Id for the firewall.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Resource tags. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

--threat-intel-mode

The operation mode for Threat Intelligence.

accepted values: Alert, Deny, Off

--vhub --virtual-hub

Name or ID of the virtualHub to which the firewall belongs.

--zones -z

Space-separated list of availability zones into which to provision the resource. Allowed values: 1, 2, 3. Support shorthand-syntax, json-file and yaml-file. Try ?? to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall wait

Place the CLI in a waiting state until a condition is met.

az network firewall wait [--created]
                         [--custom]
                         [--deleted]
                         [--exists]
                         [--ids]
                         [--interval]
                         [--name]
                         [--resource-group]
                         [--subscription]
                         [--timeout]
                         [--updated]

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

default value: False

--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

default value: False

--exists

Wait until the resource exists.

default value: False

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--interval

Polling interval in seconds.

default value: 30

--name -n

Azure Firewall name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--timeout

Maximum wait in seconds.

default value: 3600

--updated

Wait until updated with provisioningState at 'Succeeded'.

default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.