Azure Firewalls - Packet Capture

Service:: Firewall

API Version:: 2024-05-01

Runs a packet capture on AzureFirewall.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}/packetCapture?api-version=2024-05-01

URI Parameters

Name	In	Required	Type	Description
azureFirewallName	path	True	string minLength: 1 maxLength: 56 pattern: ^[a-zA-Z0-9]	The name of the Azure Firewall.
resourceGroupName	path	True	string	The name of the resource group.
subscriptionId	path	True	string	The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version	query	True	string	Client API version.

Request Body

Name	Type	Description
durationInSeconds	integer (int32) minimum: 30 maximum: 1800 exclusiveMinimum: False exclusiveMaximum: False	Duration of packet capture in seconds.
fileName	string	Name of file to be uploaded to sasURL
filters	AzureFirewallPacketCaptureRule[]	Rules to filter packet captures.
flags	AzureFirewallPacketCaptureFlags[]	The tcp-flag type to be captured. Used with protocol TCP
numberOfPacketsToCapture	integer (int32) minimum: 100 maximum: 90000 exclusiveMinimum: False exclusiveMaximum: False	Number of packets to be captured.
protocol	AzureFirewallNetworkRuleProtocol	The protocol of packets to capture
sasUrl	string	Upload capture location

Responses

Name

Type

Description

202 Accepted

Accepted and the operation will complete asynchronously.

Headers

Location: string

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

AzureFirewallPacketCapture

Sample request

POST https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azureFirewall1/packetCapture?api-version=2024-05-01

{
  "durationInSeconds": 300,
  "numberOfPacketsToCapture": 5000,
  "sasUrl": "someSASURL",
  "fileName": "azureFirewallPacketCapture",
  "protocol": "Any",
  "flags": [
    {
      "type": "syn"
    },
    {
      "type": "fin"
    }
  ],
  "filters": [
    {
      "sources": [
        "20.1.1.0"
      ],
      "destinations": [
        "20.1.2.0"
      ],
      "destinationPorts": [
        "4500"
      ]
    },
    {
      "sources": [
        "10.1.1.0",
        "10.1.1.1"
      ],
      "destinations": [
        "10.1.2.0"
      ],
      "destinationPorts": [
        "123",
        "80"
      ]
    }
  ]
}


import com.azure.resourcemanager.network.models.AzureFirewallNetworkRuleProtocol;
import com.azure.resourcemanager.network.models.AzureFirewallPacketCaptureFlags;
import com.azure.resourcemanager.network.models.AzureFirewallPacketCaptureFlagsType;
import com.azure.resourcemanager.network.models.AzureFirewallPacketCaptureRule;
import com.azure.resourcemanager.network.models.FirewallPacketCaptureParameters;
import java.util.Arrays;

/**
 * Samples for AzureFirewalls PacketCapture.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/network/resource-manager/Microsoft.Network/stable/2024-05-01/examples/AzureFirewallPacketCapture.
     * json
     */
    /**
     * Sample code: AzureFirewallPacketCapture.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void azureFirewallPacketCapture(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.networks().manager().serviceClient().getAzureFirewalls().packetCapture("rg1", "azureFirewall1",
            new FirewallPacketCaptureParameters().withDurationInSeconds(300).withNumberOfPacketsToCapture(5000)
                .withSasUrl("someSASURL").withFileName("azureFirewallPacketCapture")
                .withProtocol(AzureFirewallNetworkRuleProtocol.ANY)
                .withFlags(Arrays.asList(
                    new AzureFirewallPacketCaptureFlags().withType(AzureFirewallPacketCaptureFlagsType.SYN),
                    new AzureFirewallPacketCaptureFlags().withType(AzureFirewallPacketCaptureFlagsType.FIN)))
                .withFilters(Arrays.asList(
                    new AzureFirewallPacketCaptureRule().withSources(Arrays.asList("20.1.1.0"))
                        .withDestinations(Arrays.asList("20.1.2.0")).withDestinationPorts(Arrays.asList("4500")),
                    new AzureFirewallPacketCaptureRule().withSources(Arrays.asList("10.1.1.0", "10.1.1.1"))
                        .withDestinations(Arrays.asList("10.1.2.0")).withDestinationPorts(Arrays.asList("123", "80")))),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python azure_firewall_packet_capture.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    client.azure_firewalls.begin_packet_capture(
        resource_group_name="rg1",
        azure_firewall_name="azureFirewall1",
        parameters={
            "durationInSeconds": 300,
            "fileName": "azureFirewallPacketCapture",
            "filters": [
                {"destinationPorts": ["4500"], "destinations": ["20.1.2.0"], "sources": ["20.1.1.0"]},
                {"destinationPorts": ["123", "80"], "destinations": ["10.1.2.0"], "sources": ["10.1.1.0", "10.1.1.1"]},
            ],
            "flags": [{"type": "syn"}, {"type": "fin"}],
            "numberOfPacketsToCapture": 5000,
            "protocol": "Any",
            "sasUrl": "someSASURL",
        },
    ).result()


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2024-05-01/examples/AzureFirewallPacketCapture.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armnetwork_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/ab04533261eff228f28e08900445d0edef3eb70c/specification/network/resource-manager/Microsoft.Network/stable/2024-05-01/examples/AzureFirewallPacketCapture.json
func ExampleAzureFirewallsClient_BeginPacketCapture() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewAzureFirewallsClient().BeginPacketCapture(ctx, "rg1", "azureFirewall1", armnetwork.FirewallPacketCaptureParameters{
		DurationInSeconds: to.Ptr[int32](300),
		FileName:          to.Ptr("azureFirewallPacketCapture"),
		Filters: []*armnetwork.AzureFirewallPacketCaptureRule{
			{
				DestinationPorts: []*string{
					to.Ptr("4500")},
				Destinations: []*string{
					to.Ptr("20.1.2.0")},
				Sources: []*string{
					to.Ptr("20.1.1.0")},
			},
			{
				DestinationPorts: []*string{
					to.Ptr("123"),
					to.Ptr("80")},
				Destinations: []*string{
					to.Ptr("10.1.2.0")},
				Sources: []*string{
					to.Ptr("10.1.1.0"),
					to.Ptr("10.1.1.1")},
			}},
		Flags: []*armnetwork.AzureFirewallPacketCaptureFlags{
			{
				Type: to.Ptr(armnetwork.AzureFirewallPacketCaptureFlagsTypeSyn),
			},
			{
				Type: to.Ptr(armnetwork.AzureFirewallPacketCaptureFlagsTypeFin),
			}},
		NumberOfPacketsToCapture: to.Ptr[int32](5000),
		SasURL:                   to.Ptr("someSASURL"),
		Protocol:                 to.Ptr(armnetwork.AzureFirewallNetworkRuleProtocolAny),
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	_, err = poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Runs a packet capture on AzureFirewall.
 *
 * @summary Runs a packet capture on AzureFirewall.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2024-05-01/examples/AzureFirewallPacketCapture.json
 */
async function azureFirewallPacketCapture() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const azureFirewallName = "azureFirewall1";
  const parameters = {
    durationInSeconds: 300,
    fileName: "azureFirewallPacketCapture",
    filters: [
      {
        destinationPorts: ["4500"],
        destinations: ["20.1.2.0"],
        sources: ["20.1.1.0"],
      },
      {
        destinationPorts: ["123", "80"],
        destinations: ["10.1.2.0"],
        sources: ["10.1.1.0", "10.1.1.1"],
      },
    ],
    flags: [{ type: "syn" }, { type: "fin" }],
    numberOfPacketsToCapture: 5000,
    sasUrl: "someSASURL",
    protocol: "Any",
  };
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.azureFirewalls.beginPacketCaptureAndWait(
    resourceGroupName,
    azureFirewallName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Network;

// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2024-05-01/examples/AzureFirewallPacketCapture.json
// this example is just showing the usage of "AzureFirewalls_PacketCapture" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this AzureFirewallResource created on azure
// for more information of creating AzureFirewallResource, please refer to the document of AzureFirewallResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
string azureFirewallName = "azureFirewall1";
ResourceIdentifier azureFirewallResourceId = AzureFirewallResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, azureFirewallName);
AzureFirewallResource azureFirewall = client.GetAzureFirewallResource(azureFirewallResourceId);

// invoke the operation
FirewallPacketCaptureRequestContent content = new FirewallPacketCaptureRequestContent
{
    DurationInSeconds = 300,
    NumberOfPacketsToCapture = 5000,
    SasUri = new Uri("someSASURL"),
    FileName = "azureFirewallPacketCapture",
    Protocol = AzureFirewallNetworkRuleProtocol.Any,
    Flags = {new AzureFirewallPacketCaptureFlags
    {
    FlagsType = AzureFirewallPacketCaptureFlagsType.Syn,
    }, new AzureFirewallPacketCaptureFlags
    {
    FlagsType = AzureFirewallPacketCaptureFlagsType.Fin,
    }},
    Filters = {new AzureFirewallPacketCaptureRule
    {
    Sources = {"20.1.1.0"},
    Destinations = {"20.1.2.0"},
    DestinationPorts = {"4500"},
    }, new AzureFirewallPacketCaptureRule
    {
    Sources = {"10.1.1.0", "10.1.1.1"},
    Destinations = {"10.1.2.0"},
    DestinationPorts = {"123", "80"},
    }},
};
await azureFirewall.PacketCaptureAsync(WaitUntil.Completed, content);

Console.WriteLine("Succeeded");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 202

Location: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2024-05-01
Azure-AsyncOperation: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/locations/eastus/operations/00000000-0000-0000-0000-000000000000?api-version=2024-05-01

Definitions

Name	Description
AzureFirewallNetworkRuleProtocol	The protocol of a Network Rule resource.
AzureFirewallPacketCaptureFlags	Properties of the AzureFirewallRCAction.
AzureFirewallPacketCaptureFlagsType	The flags type to be captured.
AzureFirewallPacketCaptureRule	Group of src/dest ips and ports to be captured.
CloudError	An error response from the service.
CloudErrorBody	An error response from the service.
FirewallPacketCaptureParameters	Azure Firewall Packet Capture Parameters.

AzureFirewallNetworkRuleProtocol

Enumeration

The protocol of a Network Rule resource.

Value	Description
TCP
UDP
Any
ICMP

AzureFirewallPacketCaptureFlags

Object

Properties of the AzureFirewallRCAction.

Name	Type	Description
type	AzureFirewallPacketCaptureFlagsType	Flags to capture

AzureFirewallPacketCaptureFlagsType

Enumeration

The flags type to be captured.

Value	Description
fin
syn
rst
push
ack
urg

AzureFirewallPacketCaptureRule

Object

Group of src/dest ips and ports to be captured.

Name	Type	Description
destinationPorts	string[]	List of ports to be captured.
destinations	string[]	List of destination IP addresses/subnets to be captured.
sources	string[]	List of source IP addresses/subnets to be captured.

CloudError

Object

An error response from the service.

Name	Type	Description
error	CloudErrorBody	Cloud error body.

CloudErrorBody

Object

An error response from the service.

Name	Type	Description
code	string	An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details	CloudErrorBody[]	A list of additional details about the error.
message	string	A message describing the error, intended to be suitable for display in a user interface.
target	string	The target of the particular error. For example, the name of the property in error.

FirewallPacketCaptureParameters

Object

Azure Firewall Packet Capture Parameters.

Name	Type	Description
durationInSeconds	integer (int32) minimum: 30 maximum: 1800 exclusiveMinimum: False exclusiveMaximum: False	Duration of packet capture in seconds.
fileName	string	Name of file to be uploaded to sasURL
filters	AzureFirewallPacketCaptureRule[]	Rules to filter packet captures.
flags	AzureFirewallPacketCaptureFlags[]	The tcp-flag type to be captured. Used with protocol TCP
numberOfPacketsToCapture	integer (int32) minimum: 100 maximum: 90000 exclusiveMinimum: False exclusiveMaximum: False	Number of packets to be captured.
protocol	AzureFirewallNetworkRuleProtocol	The protocol of packets to capture
sasUrl	string	Upload capture location