Azure Firewall-configuraties migreren naar Azure Firewall-beleid met behulp van PowerShell
U kunt een Azure PowerShell-script gebruiken om bestaande Azure Firewall-configuraties te migreren naar een Azure Firewall-beleidsresource. U kunt vervolgens Azure Firewall Manager gebruiken om het beleid te implementeren.
Het AZFWMigrationScript.ps1 script maakt een FirewallPolicy met drie RuleCollectionGroup-objecten voor respectievelijk ApplicationRuleCollections, NetworkRuleCollections en NatRuleCollections.
Een RuleCollectionGroup is een nieuwe groep op het hoogste niveau voor regelverzamelingen voor toekomstige uitbreidbaarheid. Het gebruik van de bovenstaande standaardwaarden wordt aanbevolen en wordt automatisch uitgevoerd vanuit de portal.
Het begin van het script definieert de naam en resourcegroep van de bronfirewall en de naam en locatie van het doelbeleid. Wijzig deze waarden voor uw organisatie.
Migratiescript
Wijzig het volgende script om uw firewallconfiguratie te migreren.
#Input params to be modified as needed
$FirewallResourceGroup = "AzFWMigrateRG"
$FirewallName = "azfw"
$FirewallPolicyResourceGroup = "AzFWPolicyRG"
$FirewallPolicyName = "fwpolicy"
$FirewallPolicyLocation = "WestEurope"
@@ -43,141 +44,186 @@ $InvalidCharsPattern = "[']"
#Helper functions for translating ApplicationProtocol and ApplicationRule
Function GetApplicationProtocolsString
{
Param([Object[]] $Protocols)
$output = ""
ForEach ($protocol in $Protocols)
{
$output += $protocol.ProtocolType + ":" + $protocol.Port + ","
}
return $output.Substring(0, $output.Length - 1)
}
Function GetApplicationRuleCmd
{
Param([Object] $ApplicationRule)
$cmd = "New-AzFirewallPolicyApplicationRule"
$parsedName = ParseRuleName($ApplicationRule.Name)
$cmd = $cmd + " -Name " + "'" + $parsedName + "'"
if ($ApplicationRule.SourceAddresses)
{
$ApplicationRule.SourceAddresses = $ApplicationRule.SourceAddresses -join ","
$cmd = $cmd + " -SourceAddress " + $ApplicationRule.SourceAddresses
}
elseif ($ApplicationRule.SourceIpGroups)
{
$ApplicationRule.SourceIpGroups = $ApplicationRule.SourceIpGroups -join ","
$cmd = $cmd + " -SourceIpGroup " + $ApplicationRule.SourceIpGroups
}
if ($ApplicationRule.Description)
{
$cmd = $cmd + " -Description " + "'" + $ApplicationRule.Description + "'"
}
if ($ApplicationRule.TargetFqdns)
{
$protocols = GetApplicationProtocolsString($ApplicationRule.Protocols)
$cmd = $cmd + " -Protocol " + $protocols
$AppRule = $($ApplicationRule.TargetFqdns) -join ","
$cmd = $cmd + " -TargetFqdn " + $AppRule
}
if ($ApplicationRule.FqdnTags)
{
$cmd = $cmd + " -FqdnTag " + "'" + $ApplicationRule.FqdnTags + "'"
}
return $cmd
}
Function ParseRuleName
{
Param([Object] $RuleName)
if ($RuleName -match $InvalidCharsPattern) {
$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Cyan
return $newRuleName
}
return $RuleName
}
If (!(Get-AzResourceGroup -Name $FirewallPolicyResourceGroup))
{
New-AzResourceGroup -Name $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation
}
$azfw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallResourceGroup
Write-Host "creating empty firewall policy"
if ($azfw.DNSEnableProxy) {
$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force
}
else {
$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
}
Write-Host $fwp.Name "created"
Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
#Translate ApplicationRuleCollection
If ($azfw.ApplicationRuleCollections.Count -gt 0)
{
$firewallPolicyAppRuleCollections = @()
ForEach ($appRc in $azfw.ApplicationRuleCollections)
{
If ($appRc.Rules.Count -gt 0)
{
Write-Host "creating " $appRc.Rules.Count " application rules for collection " $appRc.Name
$firewallPolicyAppRules = @()
ForEach ($appRule in $appRc.Rules)
{
$cmd = GetApplicationRuleCmd($appRule)
$firewallPolicyAppRule = Invoke-Expression $cmd
Write-Host "Created appRule " $firewallPolicyAppRule.Name
$firewallPolicyAppRules += $firewallPolicyAppRule
}
$fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
Write-Host "Created appRuleCollection " $fwpAppRuleCollection.Name
}
$firewallPolicyAppRuleCollections += $fwpAppRuleCollection
}
$appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created ApplicationRuleCollectionGroup " $appRuleGroup.Name
}
#Translate NetworkRuleCollection
Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
If ($azfw.NetworkRuleCollections.Count -gt 0)
{
$firewallPolicyNetRuleCollections = @()
ForEach ($rc in $azfw.NetworkRuleCollections)
{
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " network rules for collection " $rc.Name
$firewallPolicyNetRules = @()
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
elseif ($rule.SourceIpGroups)
{
If ($rule.DestinationAddresses)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationIpGroups)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
elseif ($rule.DestinationFqdns)
{
$firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
}
Write-Host "Created network rule " $firewallPolicyNetRule.Name
$firewallPolicyNetRules += $firewallPolicyNetRule
}
$fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
Write-Host "Created NetworkRuleCollection " $fwpNetRuleCollection.Name
}
$firewallPolicyNetRuleCollections += $fwpNetRuleCollection
}
$netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NetworkRuleCollectionGroup " $netRuleGroup.Name
}
#Translate NatRuleCollection
# Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
# where each NatRule will have its own set of source , dest, translated IPs and ports.
# In FirewallPolicy a NatRuleCollection has a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
# as part of NatRuleCollection.
# So when translating NAT rules we will have to create separate ruleCollection for each rule in AZFW and every ruleCollection will have only 1 rule.
Write-Host "creating " $azfw.NatRuleCollections.Count " NAT rule collections"
If ($azfw.NatRuleCollections.Count -gt 0)
{
$firewallPolicyNatRuleCollections = @()
$priority = 100
ForEach ($rc in $azfw.NatRuleCollections)
{
$firewallPolicyNatRules = @()
If ($rc.Rules.Count -gt 0)
{
Write-Host "creating " $rc.Rules.Count " nat rules for collection " $rc.Name
ForEach ($rule in $rc.Rules)
{
$parsedName = ParseRuleName($rule.Name)
If ($rule.SourceAddresses)
@@ -188,18 +234,19 @@ If ($azfw.NatRuleCollections.Count -gt 0) {
{
$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
}
Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
$firewallPolicyNatRules += $firewallPolicyNatRule
}
$natRuleCollectionName = $rc.Name
$fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
$priority += 1
Write-Host "Created NAT RuleCollection " $fwpNatRuleCollection.Name
$firewallPolicyNatRuleCollections += $fwpNatRuleCollection
}
}
$natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
Write-Host "Created NAT RuleCollectionGroup " $natRuleGroup.Name
}
Volgende stappen
Meer informatie over Azure Firewall Manager-implementatie: overzicht van Azure Firewall Manager-implementatie.