How to get all firewall rules with all the properties via Azure Resource Graph?

Dominika Starostka 20 Reputation points
2023-03-22T12:59:31.23+00:00

Hi, I need help with proper formulation of a query that would give me all firewall rules with all properties so it can be saved as a CSV file. All rules from a particular directory.


Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,956 Reputation points Microsoft Employee
    2023-03-23T07:11:48.2633333+00:00

    @Dominika Starostka

    Thank you for reaching out on the Microsoft Q&A forum.

    If I understand correctly, you are looking for an Azure Resource Graph query to fetch all Azure firewall rules with their properties so that you can save it in a csv format. Please correct me if my understanding is incorrect.

    It is currently not possible to fetch all Azure firewall rules with their properties using Azure Resource Graph Explorer. It will be helpful if you could file a feedback item for this request on our feedback portal.

    The workaround in this case will be to use the PowerShell command Get-AzFirewallPolicyRuleCollectionGroup to fetch the rules under a rule collection group of Azure Firewall Policy and save them to a csv file.

    You can refer to the sample script I created below.

    Please add values to the variables below in the script as per your environment:

    • subscription_id
    • $rg = your resource_group name
    • $policyname = your firewall_policy_name
    • Enter_your_path (any path in your local system to save the csv file)

    This script will create three csv files for NetworkRules, ApplicationRules and DnatRules.

    Connect-AzAccount
    Set-AzContext -Subscription "<subscription_id>"
    $rg = "<resource_group>"
    $policyname = "<firewall_policy_name>"
    $policy = Get-AzFirewallPolicy -Name $policyname -ResourceGroupName $rg
    foreach ($colgroup in $policy.RuleCollectionGroups)
    {
        # RuleCollectionGroups holds sub-resource references; the group name is the last segment of the resource Id
        $colname = ($colgroup.Id -split "/")[-1]
        $rulecolgroup = Get-AzFirewallPolicyRuleCollectionGroup -Name $colname -ResourceGroupName $rg -AzureFirewallPolicyName $policyname

        # A group can hold rule collections of different types, so filter each export by RuleType
        # rather than testing whether the group contains that type at all
        $rules = $rulecolgroup.Properties.RuleCollection.Rules

        $rules | Where-Object { $_.RuleType -eq "NetworkRule" } | Select-Object Name,RuleType,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="protocols";e={$_.protocols -join ","}},@{n="DestinationAddresses";e={$_.DestinationAddresses -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="DestinationIpGroups";e={$_.DestinationIpGroups -join ","}},@{n="DestinationPorts";e={$_.DestinationPorts -join ","}},@{n="DestinationFqdns";e={$_.DestinationFqdns -join ","}} | Export-Csv -Path "C:\Users\<Enter_your_path>\NetworkRules.csv" -Append -NoTypeInformation -Force

        $rules | Where-Object { $_.RuleType -eq "ApplicationRule" } | Select-Object Name,RuleType,TerminateTLS,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="TargetFqdns";e={$_.TargetFqdns -join ","}},@{n="Protocols";e={$_.Protocols -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="WebCategories";e={$_.WebCategories -join ","}},@{n="TargetUrls";e={$_.TargetUrls -join ","}} | Export-Csv -Path "C:\Users\<Enter_your_path>\ApplicationRules.csv" -Append -NoTypeInformation -Force

        $rules | Where-Object { $_.RuleType -eq "NatRule" } | Select-Object Name,RuleType,TranslatedPort,TranslatedAddress,@{n="SourceAddresses";e={$_.SourceAddresses -join ","}},@{n="SourceIpGroups";e={$_.SourceIpGroups -join ","}},@{n="Protocols";e={$_.Protocols -join ","}},@{n="DestinationAddresses";e={$_.DestinationAddresses -join ","}},@{n="DestinationPorts";e={$_.DestinationPorts -join ","}} | Export-Csv -Path "C:\Users\<Enter_your_path>\DnatRules.csv" -Append -NoTypeInformation -Force
    }


    Below is the sample of CSV files created.

    Network Rules: [screenshot]

    Dnat Rules: [screenshot]

    Application Rules: [screenshot]

    If you do not have PowerShell installed on your local machine, you can follow the documentation here. The script above uses the Az.Network module.

    Hope this helps! Please let me know if you face any issues while running the script.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.

4 additional answers

  1. Oscar de Groot 11 Reputation points
    2025-01-07T13:22:00.2166667+00:00

    To get back to the original question, namely querying details of Azure Firewall rules via Azure Resource Graph:

    This is possible via Resource Graph. (Contrary to the previous answer - perhaps support was added since 2023.) The query specifics depend on whether you have your rules in the Firewall itself, or in a linked Firewall Policy.

    For Firewall Policy:

    networkresources
    | where type == 'microsoft.network/firewallpolicies/rulecollectiongroups'
    | extend firewallPolicyName = extract(@"firewallPolicies/([\w-]+)", 1, id)
    | project-rename ruleCollectionGroupName = name
    | order by ruleCollectionGroupName asc
    | mv-expand ruleCollection = properties.ruleCollections
    | mv-expand rule = ruleCollection.rules
    | limit 10
    

    For Firewall:

    resources
    | where type == "microsoft.network/azurefirewalls"
    | mv-expand ruleCollectionGroup = properties.ruleCollectionGroups
    | mv-expand rule = todynamic(ruleCollectionGroup.properties).rules
    

    In both cases, under the rule column, you get rule details like the rule name, destinationAddresses IP-ranges, etc.

    2 people found this answer helpful.

  2. Lab Coat1 6 Reputation points
    2023-08-18T20:25:00.3433333+00:00

    This may be an old thread. But using the PowerShell script, it has some issues.

    Does not associate the rule collection name or priority. (not fun to have to go back and edit the file manually)

    Does not include FQDNs in the source or destination columns. (speaking of the Network rules here. Does show in Application rules).

    Perhaps there is now a better way to get a CSV or similar file?

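As an added example (not code from any answer in this thread), a PowerShell function that flattens a Firewall Policy rule collection group, in the JSON shape the Resource Graph queries above return under properties.ruleCollections, into one row per rule that keeps the rule collection name, priority and action and the FQDN columns the accepted answer's script leaves out. ConvertTo-FirewallRuleRows and Join-Values are names chosen here, and the sample JSON is constructed, so the block runs without an Azure connection or the Az modules.

```powershell
# Flattens an Azure Firewall Policy rule collection group (ARM / Resource Graph JSON
# shape: properties.ruleCollections[].rules[]) into one row per rule, keeping the
# rule collection name, priority and action alongside the rule's own properties.
function Join-Values($v) {
    # Multi-valued properties are joined with ";" so they survive the CSV round trip;
    # application-rule protocols are objects ({protocolType, port}), rendered as "Https:443"
    (@($v) | Where-Object { $null -ne $_ } | ForEach-Object {
        if ($_ -is [string]) { $_ } else { "$($_.protocolType):$($_.port)" } }) -join ';'
}

function ConvertTo-FirewallRuleRows($rcg) {
    foreach ($rc in $rcg.properties.ruleCollections) {
        foreach ($r in $rc.rules) {
            # Network and NAT rules carry ipProtocols, application rules carry protocols
            $protocols  = if ($null -ne $r.ipProtocols) { $r.ipProtocols } else { $r.protocols }
            $translated = if ($r.translatedAddress -or $r.translatedFqdn) { "$($r.translatedAddress)$($r.translatedFqdn):$($r.translatedPort)" } else { '' }
            [pscustomobject]@{
                RuleCollectionGroup = $rcg.name
                RuleCollection      = $rc.name
                CollectionPriority  = $rc.priority
                Action              = $rc.action.type
                RuleType            = $r.ruleType
                Rule                = $r.name
                Protocols           = Join-Values $protocols
                Sources             = Join-Values (@($r.sourceAddresses) + @($r.sourceIpGroups))
                Destinations        = Join-Values (@($r.destinationAddresses) + @($r.destinationIpGroups) + @($r.destinationFqdns) + @($r.targetFqdns) + @($r.fqdnTags) + @($r.webCategories) + @($r.targetUrls))
                DestinationPorts    = Join-Values $r.destinationPorts
                Translated          = $translated
            }
        }
    }
}

# Constructed sample (not real policy data) in the shape returned for a rule collection group
$sampleJson = @'
{ "name": "DefaultRuleCollectionGroup", "properties": { "priority": 200, "ruleCollections": [
  { "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "egress", "priority": 100, "action": { "type": "Allow" }, "rules": [
    { "ruleType": "NetworkRule", "name": "dns-out", "ipProtocols": ["UDP"], "sourceAddresses": ["10.0.0.0/24"], "destinationFqdns": ["dns.example.net"], "destinationPorts": ["53"] },
    { "ruleType": "ApplicationRule", "name": "updates", "protocols": [{"protocolType":"Https","port":443}], "sourceIpGroups": ["/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/ipGroups/workstations"], "targetFqdns": ["*.update.example.com"], "terminateTLS": false } ] },
  { "ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "inbound", "priority": 110, "action": { "type": "Dnat" }, "rules": [
    { "ruleType": "NatRule", "name": "rdp-in", "ipProtocols": ["TCP"], "sourceAddresses": ["203.0.113.0/24"], "destinationAddresses": ["198.51.100.10"], "destinationPorts": ["3389"], "translatedAddress": "10.0.1.4", "translatedPort": "3389" } ] } ] } }
'@
$rows = ConvertTo-FirewallRuleRows (ConvertFrom-Json $sampleJson)
$rows | Export-Csv -Path "$HOME/FirewallRules.csv" -NoTypeInformation
$rows | Format-Table RuleCollection, CollectionPriority, Action, RuleType, Rule, Sources, Destinations, DestinationPorts
```

Against live data, feed it each row of the Resource Graph result (one rule collection group per row) or the output of Get-AzFirewallPolicyRuleCollectionGroup converted to JSON; one CSV with a RuleType column replaces the three per-type files.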

  3. Paul Shay 26 Reputation points
    2024-02-29T16:17:40.5466667+00:00

    The script as it stands doesn't separate Application and Network rules correctly. You can fix it like this:

        # Column lists for the two rule types, taken from the accepted answer's Select-Object expressions;
        # multi-valued properties are joined with "," so each fits in one CSV cell
        function New-JoinedColumn($p) { @{ n = $p; e = [scriptblock]::Create("`$_.$p -join ','") } }
        $networkRuleProperties = @('Name','RuleType') + @('SourceAddresses','Protocols','DestinationAddresses','SourceIpGroups','DestinationIpGroups','DestinationPorts','DestinationFqdns' | ForEach-Object { New-JoinedColumn $_ })
        $applicationRuleProperties = @('Name','RuleType','TerminateTLS') + @('SourceAddresses','TargetFqdns','Protocols','SourceIpGroups','WebCategories','TargetUrls' | ForEach-Object { New-JoinedColumn $_ })

        # Replaces the three "-contains" checks inside the accepted answer's foreach loop:
        # each rule is routed by its own RuleType (NAT rules would need a third branch)
        foreach ($rule in $rulecolgroup.properties.RuleCollection.rules)
        {
            if ($rule.RuleType -eq "NetworkRule")
            {
                # Select the desired properties for Network rules
                $rule | Select-Object $networkRuleProperties | Export-Csv -Path "~/Desktop/NetworkRules.csv" -Append -NoTypeInformation -Force
            }
            elseif ($rule.RuleType -eq "ApplicationRule")
            {
                # Select the desired properties for Application rules
                $rule | Select-Object $applicationRuleProperties | Export-Csv -Path "~/Desktop/ApplicationRules.csv" -Append -NoTypeInformation -Force
            }
        }
    

  4. Sjoerd van den Berg 0 Reputation points
    2024-06-02T10:21:09.4033333+00:00

    For anyone who is interested, I created my own version of this, which also retrieves Azure IP Group names instead of having the raw resource IDs clogging the CSV files.

    The script will also output the configuration in JSON format.

    You can find the script here: https://gist.github.com/bergsj/7b6b9a8ea5fb97674c5ba7e2f2190b57

    Thanks to @ChaitanyaNaykodi-MSFT for the step in the right direction.

