New-AzFirewallPolicy
Creates a new Azure Firewall Policy
Syntax
Default (Default)
New-AzFirewallPolicy
-Name <String>
-ResourceGroupName <String>
-Location <String>
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallPolicyThreatIntelWhitelist>]
[-BasePolicy <String>]
[-DnsSetting <PSAzureFirewallPolicyDnsSettings>]
[-SqlSetting <PSAzureFirewallPolicySqlSetting>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-IntrusionDetection <PSAzureFirewallPolicyIntrusionDetection>]
[-TransportSecurityName <String>]
[-TransportSecurityKeyVaultSecretId <String>]
[-SkuTier <String>]
[-UserAssignedIdentityId <String>]
[-Identity <PSManagedServiceIdentity>]
[-PrivateRange <String[]>]
[-ExplicitProxy <PSAzureFirewallPolicyExplicitProxy>]
[-Snat <PSAzureFirewallPolicySNAT>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AzFirewallPolicy cmdlet creates an Azure Firewall Policy.
Examples
Example 1: Create an empty policy
New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg
This example creates an azure firewall policy
Example 2: Create an empty policy with ThreatIntel Mode
New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -ThreatIntelMode "Deny"
This example creates an azure firewall policy with a threat intel mode
Example 3: Create an empty policy with ThreatIntelWhitelist
$threatIntelWhitelist = New-AzFirewallPolicyThreatIntelWhitelist -IpAddress 23.46.72.91,192.79.236.79 -FQDN microsoft.com
New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -ThreatIntelWhitelist $threatIntelWhitelist
This example creates an azure firewall policy with a threat intel allowlist
Example 4: Create policy with intrusion detection, identity and transport security
$bypass = New-AzFirewallPolicyIntrusionDetectionBypassTraffic -Name "bypass-setting" -Protocol "TCP" -DestinationPort "80" -SourceAddress "10.0.0.0" -DestinationAddress "*"
$signatureOverride = New-AzFirewallPolicyIntrusionDetectionSignatureOverride -Id "123456798" -Mode "Deny"
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Alert" -SignatureOverride $signatureOverride -BypassTraffic $bypass
$userAssignedIdentity = '/subscriptions/9e223dbe-3399-4e19-88eb-0975f02ac87f/resourcegroups/TestRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-assign-identity'
New-AzFirewallPolicy -Name fp1 -Location "westus2" -ResourceGroupName TestRg -SkuTier "Premium" -IntrusionDetection $intrusionDetection -TransportSecurityName tsName -TransportSecurityKeyVaultSecretId "https://<keyvaultname>.vault.azure.net/secrets/cacert" -UserAssignedIdentityId $userAssignedIdentity
This example creates an azure firewall policy with a intrusion detection in mode alert, user assigned identity and transport security
Example 5: Create an empty Firewall Policy with customized private range setup
New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -PrivateRange @("99.99.99.0/24", "66.66.0.0/16")
This example creates a Firewall that treats "99.99.99.0/24" and "66.66.0.0/16" as private ip ranges and won't snat traffic to those addresses
Example 6: Create an empty Firewall Policy with Explicit Proxy Settings
$exProxy = New-AzFirewallPolicyExplicitProxy -EnableExplicitProxy -HttpPort 100 -HttpsPort 101 -EnablePacFile -PacFilePort 130 -PacFile "sampleurlfortesting.blob.core.windowsnet/nothing"
New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -ExplicitProxy $exProxy
BasePolicy : null
DnsSettings : null
Etag : null
ExplicitProxy
EnableExplicitProxy : true
EnablePacFile : true
HttpPort : 100
HttpsPort : 101
PacFile : "sampleurlfortesting.blob.core.windowsnet/nothing"
PacFilePort : 130
Id : null
Identity : null
IntrusionDetection : null
Location : "westus2"
Name : "fp1"
PrivateRange : null
PrivateRangeText : "[]"
ProvisioningState : null
ResourceGroupName : "TestRg"
ResourceGuid : null
RuleCollectionGroups : null
Sku
Tier : "Standard"
Snat
AutoLearnPrivateRanges : null
PrivateRanges : null
SqlSetting : null
Tag : null
TagsTable : null
ThreatIntelMode : "Alert"
ThreatIntelWhitelist : null
TransportSecurity : null
Type : null
This example creates a firewall policy with explicit proxy settings
Parameters
-AsJob
Run cmdlet in the background
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-BasePolicy
The base policy to inherit from
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DnsSetting
The DNS Setting
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ExplicitProxy
The Explicit Proxy Settings
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Force
Do not ask for confirmation if you want to overwrite a resource
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Identity
Firewall Policy Identity to be assigned to Firewall Policy.
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-IntrusionDetection
The Intrusion Detection Setting
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Location
location.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Name
The resource name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: ResourceName
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-PrivateRange
The private IP ranges to which traffic won't be SNAT'ed
Parameter properties
Type: String [ ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ResourceGroupName
The resource group name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-SkuTier
Firewall policy sku tier
Parameter properties
Type: String
Default value: None Accepted values: Standard, Premium, Basic Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Snat
The private IP addresses/IP ranges to which traffic will not be SNAT in Firewall Policy.
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-SqlSetting
The SQL related setting
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Tag
A hashtable which represents resource tags.
Parameter properties
Type: Hashtable
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ThreatIntelMode
The operation mode for Threat Intelligence.
Parameter properties
Type: String
Default value: None Accepted values: Alert, Deny, Off Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ThreatIntelWhitelist
The allowlist for Threat Intelligence
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-TransportSecurityKeyVaultSecretId
Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-TransportSecurityName
Transport security name
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-UserAssignedIdentityId
ResourceId of the user assigned identity to be assigned to Firewall Policy.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: UserAssignedIdentity
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
