你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Set-AzFirewall
Saves a modified Firewall.
Syntax
Set-AzFirewall
-AzureFirewall <PSAzureFirewall>
[-AsJob]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Set-AzFirewall cmdlet updates an Azure Firewall.
Examples
Example 1: Update priority of a Firewall application rule collection
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$ruleCollection = $azFw.GetApplicationRuleCollectionByName("ruleCollectionName")
$ruleCollection.Priority = 101
Set-AzFirewall -AzureFirewall $azFw
This example updates the priority of an existing rule collection of an Azure Firewall. Assuming Azure Firewall "AzureFirewall" in resource group "rg" contains an application rule collection named "ruleCollectionName", the commands above will change the priority of that rule collection and update the Azure Firewall afterwards. Without the Set-AzFirewall command, all operations performed on the local $azFw object are not reflected on the server.
Example 2: Create a Azure Firewall and set an application rule collection later
$azFw = New-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg" -VirtualNetworkName "vnet-name" -PublicIpName "pip-name"
$rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:80","https:443" -TargetFqdn "*google.com", "*microsoft.com" -SourceAddress "10.0.0.0"
$RuleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $rule -ActionType "Allow"
$azFw.ApplicationRuleCollections = $RuleCollection
$azFw | Set-AzFirewall
In this example, a Firewall is created first without any application rule collections. Afterwards a Application Rule and Application Rule Collection are created, then the Firewall object is modified in memory, without affecting the real configuration in cloud. For changes to be reflected in cloud, Set-AzFirewall must be called.
Example 3: Update Threat Intel operation mode of Azure Firewall
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.ThreatIntelMode = "Deny"
Set-AzFirewall -AzureFirewall $azFw
This example updates the Threat Intel operation mode of Azure Firewall "AzureFirewall" in resource group "rg". Without the Set-AzFirewall command, all operations performed on the local $azFw object are not reflected on the server.
Example 4: Deallocate and allocate the Firewall
$firewall=Get-AzFirewall -ResourceGroupName rgName -Name azFw
$firewall.Deallocate()
$firewall | Set-AzFirewall
$vnet = Get-AzVirtualNetwork -ResourceGroupName rgName -Name anotherVNetName
$pip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name publicIpName
$firewall.Allocate($vnet, $pip)
$firewall | Set-AzFirewall
This example retrieves a Firewall, deallocates the firewall, and saves it. The Deallocate command removes the running service but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called. If user wants to start the service again, the Allocate method should be called on the firewall. The new VNet and Public IP must be in the same resource group as the Firewall. Again, for changes to be reflected in cloud, Set-AzFirewall must be called.
Example 5: Allocate with a management public IP address for forced tunneling scenarios
$vnet = Get-AzVirtualNetwork -ResourceGroupName rgName -Name anotherVNetName
$pip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name publicIpName
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name MgmtPublicIpName
$firewall.Allocate($vnet, $pip, $mgmtPip)
$firewall | Set-AzFirewall
This example allocates the firewall with a management public IP address and subnet for forced tunneling scenarios. The VNet must contain a subnet called "AzureFirewallManagementSubnet".
Example 6: Add a Public IP address to an Azure Firewall
$pip = New-AzPublicIpAddress -Name "azFwPublicIp1" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.AddPublicIpAddress($pip)
$azFw | Set-AzFirewall
In this example, the Public IP Address "azFwPublicIp1" as attached to the Firewall.
Example 7: Remove a Public IP address from an Azure Firewall
$pip = Get-AzPublicIpAddress -Name "azFwPublicIp1" -ResourceGroupName "rg"
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.RemovePublicIpAddress($pip)
$azFw | Set-AzFirewall
In this example, the Public IP Address "azFwPublicIp1" as detached from the Firewall.
Example 8: Change the management public IP address on an Azure Firewall
$newMgmtPip = New-AzPublicIpAddress -Name "azFwMgmtPublicIp2" -ResourceGroupName "rg" -Sku "Standard" -Location "centralus" -AllocationMethod Static
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.ManagementIpConfiguration.PublicIpAddress = $newMgmtPip
$azFw | Set-AzFirewall
In this example, the management public IP address of the firewall will be changed to "AzFwMgmtPublicIp2"
Example 9: Add DNS configuration to an Azure Firewall
$dnsServers = @("10.10.10.1", "20.20.20.2")
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.DNSEnableProxy = $true
$azFw.DNSServer = $dnsServers
$azFw | Set-AzFirewall
In this example, DNS Proxy and DNS Server configuration is attached to the Firewall.
Example 10: Update destination of an existing rule within a Firewall application rule collection
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$ruleCollection = $azFw.GetNetworkRuleCollectionByName("ruleCollectionName")
$rule=$ruleCollection.GetRuleByName("ruleName")
$rule.DestinationAddresses = "10.10.10.10"
Set-AzFirewall -AzureFirewall $azFw
This example updates the destination of an existing rule within a rule collection of an Azure Firewall. This allows you to automatically update your rules when IP addresses change dynamically.
Example 11: Allow Active FTP on Azure Firewall
$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azFw.AllowActiveFTP = $true
$azFw | Set-AzFirewall
In this example, Active FTP is allowed on the Firewall.
Example 12: Deallocate and allocate the Firewall from a Virtual Hub
$firewall=Get-AzFirewall -ResourceGroupName rgName -Name azFw
$firewall.Deallocate()
$firewall | Set-AzFirewall
$Hub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
$firewall.Allocate($Hub.Id)
$firewall | Set-AzFirewall
This example retrieves a Hub Firewall, deallocates the hub firewall, and saves it. The Deallocate command removes the reference to the virtual hub but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called. The Allocate method assigns the virtual hub reference to the firewall. Again, for changes to be reflected in cloud, Set-AzFirewall must be called.
Example 13: Enable Fat Flow Logging on Azure Firewall
$azFw = Get-AzFirewall -Name "ps184" -ResourceGroupName "ps774"
$azFw.EnableFatFlowLogging = $true
$azFw | Set-AzFirewall
AllowActiveFTP : null
ApplicationRuleCollections : Count = 0
ApplicationRuleCollectionsText : "[]"
DNSEnableProxy : null
DNSServer : null
DNSServersText : "null"
Etag : "W/\"7533fa1b-8588-400d-857c-6bc372e14f1b\""
FirewallPolicy : null
HubIPAddresses : null
Id : "/subscriptions/aeb5b02a-0f18-45a4-86d6-81808115cacf/resourceGroups/ps774/providers/Microsoft.Network/azureFirewalls/ps184"
EnableFatFlowLogging : "true"
IpConfigurations : Count = 0
IpConfigurationsText : "[]"
Location : "eastus"
ManagementIpConfiguration : null
ManagementIpConfigurationText : "null"
Name : "ps184"
NatRuleCollections : Count = 0
NatRuleCollectionsText : "[]"
NetworkRuleCollections : Count = 0
NetworkRuleCollectionsText : "[]"
PrivateRange : null
PrivateRangeText : "null"
ProvisioningState : "Succeeded"
ResourceGroupName : "ps774"
ResourceGuid : null
Sku : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallSku}
Tag : null
TagsTable : null
ThreatIntelMode : "Alert"
ThreatIntelWhitelist : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallThreatIntelWhitelist}
ThreatIntelWhitelistText : "{\r
\"FQDNs\": null,\r
\"IpAddresses\": null\r\n}"
Type : "Microsoft.Network/azureFirewalls"
VirtualHub : null
Zones : Count = 0
privateRange : null
In this example, Enable Fat Flow Logging is enabled on the Firewall.
Example 14: Upgrade Azure Firewall Standard to Premium
$azfw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
$azfw.Sku.Tier="Premium"
Set-AzFirewall -AzureFirewall $azfw
This example upgrades your existing Azure Firewall Standard to Premium Firewall. Upgrade process may take several minutes and does not require service down time. After upgrade is completed successfully you may replace your exiting standard policy with premium.
Example 15: Deallocate and allocate the Firewall with Availability Zones
$firewall=Get-AzFirewall -ResourceGroupName rgName -Name azFw
$firewall.Deallocate()
$firewall | Set-AzFirewall
$vnet = Get-AzVirtualNetwork -ResourceGroupName rgName -Name anotherVNetName
$pip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name publicIpName
$firewall.Zones = "1","2","3"
$firewall.Allocate($vnet, $pip)
$firewall | Set-AzFirewall
This example retrieves a Firewall, deallocates the firewall, and saves it. The Deallocate command removes the running service but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called. If user wants to start the service again but with Availability Zones, the Zones method needs to be called defining the desired Availability Zones in quotes and separated by comma. In case Availability Zones needs to be removed, the $null parameter needs to be introduced instead. Finally, the Allocate method should be called on the firewall. The new VNet and Public IP must be in the same resource group as the Firewall. Again, for changes to be reflected in cloud, Set-AzFirewall must be called.
Parameters
-AsJob
Run cmdlet in the background
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AzureFirewall
The AzureFirewall
Type: | PSAzureFirewall |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |