Microsoft.Network firewallPolicies

Bicep resource definition

The firewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/firewallPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/firewallPolicies@2024-05-01' = {
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    basePolicy: {
      id: 'string'
    }
    dnsSettings: {
      enableProxy: bool
      requireProxyForNetworkRules: bool
      servers: [
        'string'
      ]
    }
    explicitProxy: {
      enableExplicitProxy: bool
      enablePacFile: bool
      httpPort: int
      httpsPort: int
      pacFile: 'string'
      pacFilePort: int
    }
    insights: {
      isEnabled: bool
      logAnalyticsResources: {
        defaultWorkspaceId: {
          id: 'string'
        }
        workspaces: [
          {
            region: 'string'
            workspaceId: {
              id: 'string'
            }
          }
        ]
      }
      retentionDays: int
    }
    intrusionDetection: {
      configuration: {
        bypassTrafficSettings: [
          {
            description: 'string'
            destinationAddresses: [
              'string'
            ]
            destinationIpGroups: [
              'string'
            ]
            destinationPorts: [
              'string'
            ]
            name: 'string'
            protocol: 'string'
            sourceAddresses: [
              'string'
            ]
            sourceIpGroups: [
              'string'
            ]
          }
        ]
        privateRanges: [
          'string'
        ]
        signatureOverrides: [
          {
            id: 'string'
            mode: 'string'
          }
        ]
      }
      mode: 'string'
      profile: 'string'
    }
    sku: {
      tier: 'string'
    }
    snat: {
      autoLearnPrivateRanges: 'string'
      privateRanges: [
        'string'
      ]
    }
    sql: {
      allowSqlRedirect: bool
    }
    threatIntelMode: 'string'
    threatIntelWhitelist: {
      fqdns: [
        'string'
      ]
      ipAddresses: [
        'string'
      ]
    }
    transportSecurity: {
      certificateAuthority: {
        keyVaultSecretId: 'string'
        name: 'string'
      }
    }
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

DnsSettings

Name Description Value
enableProxy Enable DNS Proxy on Firewalls attached to the Firewall Policy. bool
requireProxyForNetworkRules FQDNs in Network Rules are supported when set to true. bool
servers List of Custom DNS Servers. string[]

ExplicitProxy

Name Description Value
enableExplicitProxy When set to true, explicit proxy mode is enabled. bool
enablePacFile When set to true, pac file port and url needs to be provided. bool
httpPort Port number for explicit proxy http protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
httpsPort Port number for explicit proxy https protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
pacFile SAS URL for PAC file. string
pacFilePort Port number for firewall to serve PAC file. int

Constraints:
Min value = 0
Max value = 64000

FirewallPolicyCertificateAuthority

Name Description Value
keyVaultSecretId Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. string
name Name of the CA certificate. string

FirewallPolicyInsights

Name Description Value
isEnabled A flag to indicate if the insights are enabled on the policy. bool
logAnalyticsResources Workspaces needed to configure the Firewall Policy Insights. FirewallPolicyLogAnalyticsResources
retentionDays Number of days the insights should be enabled on the policy. int

FirewallPolicyIntrusionDetection

Name Description Value
configuration Intrusion detection configuration properties. FirewallPolicyIntrusionDetectionConfiguration
mode Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. 'Alert'
'Deny'
'Off'
profile IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. 'Advanced'
'Basic'
'Extended'
'Standard'

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Name Description Value
description Description of the bypass traffic rule. string
destinationAddresses List of destination IP addresses or ranges for this rule. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports or ranges. string[]
name Name of the bypass traffic rule. string
protocol The rule bypass protocol. 'ANY'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses or ranges for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

FirewallPolicyIntrusionDetectionConfiguration

Name Description Value
bypassTrafficSettings List of rules for traffic to bypass. FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]
privateRanges IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property string[]
signatureOverrides List of specific signatures states. FirewallPolicyIntrusionDetectionSignatureSpecification[]

FirewallPolicyIntrusionDetectionSignatureSpecification

Name Description Value
id Signature id. string
mode The signature state. 'Alert'
'Deny'
'Off'

FirewallPolicyLogAnalyticsResources

Name Description Value
defaultWorkspaceId The default workspace Id for Firewall Policy Insights. SubResource
workspaces List of workspaces for Firewall Policy Insights. FirewallPolicyLogAnalyticsWorkspace[]

FirewallPolicyLogAnalyticsWorkspace

Name Description Value
region Region to configure the Workspace. string
workspaceId The workspace Id for Firewall Policy Insights. SubResource

FirewallPolicyPropertiesFormat

Name Description Value
basePolicy The parent firewall policy from which rules are inherited. SubResource
dnsSettings DNS Proxy Settings definition. DnsSettings
explicitProxy Explicit Proxy Settings definition. ExplicitProxy
insights Insights on Firewall Policy. FirewallPolicyInsights
intrusionDetection The configuration for Intrusion detection. FirewallPolicyIntrusionDetection
sku The Firewall Policy SKU. FirewallPolicySku
snat The private IP addresses/IP ranges to which traffic will not be SNAT. FirewallPolicySnat
sql SQL Settings definition. FirewallPolicySQL
threatIntelMode The operation mode for Threat Intelligence. 'Alert'
'Deny'
'Off'
threatIntelWhitelist ThreatIntel Whitelist for Firewall Policy. FirewallPolicyThreatIntelWhitelist
transportSecurity TLS Configuration definition. FirewallPolicyTransportSecurity

FirewallPolicySku

Name Description Value
tier Tier of Firewall Policy. 'Basic'
'Premium'
'Standard'

FirewallPolicySnat

Name Description Value
autoLearnPrivateRanges The operation mode for automatically learning private ranges to not be SNAT 'Disabled'
'Enabled'
privateRanges List of private IP addresses/IP address ranges to not be SNAT. string[]

FirewallPolicySQL

Name Description Value
allowSqlRedirect A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. bool

FirewallPolicyThreatIntelWhitelist

Name Description Value
fqdns List of FQDNs for the ThreatIntel Whitelist. string[]
ipAddresses List of IP addresses for the ThreatIntel Whitelist. string[]

FirewallPolicyTransportSecurity

Name Description Value
certificateAuthority The CA used for intermediate CA generation. FirewallPolicyCertificateAuthority

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/firewallPolicies

Name Description Value
identity The identity of the firewall policy. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the firewall policy. FirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create a Firewall and FirewallPolicy with Rules and Ipgroups This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.
Secured virtual hubs This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
SharePoint Subscription / 2019 / 2016 fully configured Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Testing environment for Azure Firewall Premium This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

ARM template resource definition

The firewallPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/firewallPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/firewallPolicies",
  "apiVersion": "2024-05-01",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "basePolicy": {
      "id": "string"
    },
    "dnsSettings": {
      "enableProxy": "bool",
      "requireProxyForNetworkRules": "bool",
      "servers": [ "string" ]
    },
    "explicitProxy": {
      "enableExplicitProxy": "bool",
      "enablePacFile": "bool",
      "httpPort": "int",
      "httpsPort": "int",
      "pacFile": "string",
      "pacFilePort": "int"
    },
    "insights": {
      "isEnabled": "bool",
      "logAnalyticsResources": {
        "defaultWorkspaceId": {
          "id": "string"
        },
        "workspaces": [
          {
            "region": "string",
            "workspaceId": {
              "id": "string"
            }
          }
        ]
      },
      "retentionDays": "int"
    },
    "intrusionDetection": {
      "configuration": {
        "bypassTrafficSettings": [
          {
            "description": "string",
            "destinationAddresses": [ "string" ],
            "destinationIpGroups": [ "string" ],
            "destinationPorts": [ "string" ],
            "name": "string",
            "protocol": "string",
            "sourceAddresses": [ "string" ],
            "sourceIpGroups": [ "string" ]
          }
        ],
        "privateRanges": [ "string" ],
        "signatureOverrides": [
          {
            "id": "string",
            "mode": "string"
          }
        ]
      },
      "mode": "string",
      "profile": "string"
    },
    "sku": {
      "tier": "string"
    },
    "snat": {
      "autoLearnPrivateRanges": "string",
      "privateRanges": [ "string" ]
    },
    "sql": {
      "allowSqlRedirect": "bool"
    },
    "threatIntelMode": "string",
    "threatIntelWhitelist": {
      "fqdns": [ "string" ],
      "ipAddresses": [ "string" ]
    },
    "transportSecurity": {
      "certificateAuthority": {
        "keyVaultSecretId": "string",
        "name": "string"
      }
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

DnsSettings

Name Description Value
enableProxy Enable DNS Proxy on Firewalls attached to the Firewall Policy. bool
requireProxyForNetworkRules FQDNs in Network Rules are supported when set to true. bool
servers List of Custom DNS Servers. string[]

ExplicitProxy

Name Description Value
enableExplicitProxy When set to true, explicit proxy mode is enabled. bool
enablePacFile When set to true, pac file port and url needs to be provided. bool
httpPort Port number for explicit proxy http protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
httpsPort Port number for explicit proxy https protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
pacFile SAS URL for PAC file. string
pacFilePort Port number for firewall to serve PAC file. int

Constraints:
Min value = 0
Max value = 64000

FirewallPolicyCertificateAuthority

Name Description Value
keyVaultSecretId Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. string
name Name of the CA certificate. string

FirewallPolicyInsights

Name Description Value
isEnabled A flag to indicate if the insights are enabled on the policy. bool
logAnalyticsResources Workspaces needed to configure the Firewall Policy Insights. FirewallPolicyLogAnalyticsResources
retentionDays Number of days the insights should be enabled on the policy. int

FirewallPolicyIntrusionDetection

Name Description Value
configuration Intrusion detection configuration properties. FirewallPolicyIntrusionDetectionConfiguration
mode Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. 'Alert'
'Deny'
'Off'
profile IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. 'Advanced'
'Basic'
'Extended'
'Standard'

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Name Description Value
description Description of the bypass traffic rule. string
destinationAddresses List of destination IP addresses or ranges for this rule. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports or ranges. string[]
name Name of the bypass traffic rule. string
protocol The rule bypass protocol. 'ANY'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses or ranges for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

FirewallPolicyIntrusionDetectionConfiguration

Name Description Value
bypassTrafficSettings List of rules for traffic to bypass. FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]
privateRanges IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property string[]
signatureOverrides List of specific signatures states. FirewallPolicyIntrusionDetectionSignatureSpecification[]

FirewallPolicyIntrusionDetectionSignatureSpecification

Name Description Value
id Signature id. string
mode The signature state. 'Alert'
'Deny'
'Off'

FirewallPolicyLogAnalyticsResources

Name Description Value
defaultWorkspaceId The default workspace Id for Firewall Policy Insights. SubResource
workspaces List of workspaces for Firewall Policy Insights. FirewallPolicyLogAnalyticsWorkspace[]

FirewallPolicyLogAnalyticsWorkspace

Name Description Value
region Region to configure the Workspace. string
workspaceId The workspace Id for Firewall Policy Insights. SubResource

FirewallPolicyPropertiesFormat

Name Description Value
basePolicy The parent firewall policy from which rules are inherited. SubResource
dnsSettings DNS Proxy Settings definition. DnsSettings
explicitProxy Explicit Proxy Settings definition. ExplicitProxy
insights Insights on Firewall Policy. FirewallPolicyInsights
intrusionDetection The configuration for Intrusion detection. FirewallPolicyIntrusionDetection
sku The Firewall Policy SKU. FirewallPolicySku
snat The private IP addresses/IP ranges to which traffic will not be SNAT. FirewallPolicySnat
sql SQL Settings definition. FirewallPolicySQL
threatIntelMode The operation mode for Threat Intelligence. 'Alert'
'Deny'
'Off'
threatIntelWhitelist ThreatIntel Whitelist for Firewall Policy. FirewallPolicyThreatIntelWhitelist
transportSecurity TLS Configuration definition. FirewallPolicyTransportSecurity

FirewallPolicySku

Name Description Value
tier Tier of Firewall Policy. 'Basic'
'Premium'
'Standard'

FirewallPolicySnat

Name Description Value
autoLearnPrivateRanges The operation mode for automatically learning private ranges to not be SNAT 'Disabled'
'Enabled'
privateRanges List of private IP addresses/IP address ranges to not be SNAT. string[]

FirewallPolicySQL

Name Description Value
allowSqlRedirect A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. bool

FirewallPolicyThreatIntelWhitelist

Name Description Value
fqdns List of FQDNs for the ThreatIntel Whitelist. string[]
ipAddresses List of IP addresses for the ThreatIntel Whitelist. string[]

FirewallPolicyTransportSecurity

Name Description Value
certificateAuthority The CA used for intermediate CA generation. FirewallPolicyCertificateAuthority

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/firewallPolicies

Name Description Value
apiVersion The api version '2024-05-01'
identity The identity of the firewall policy. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the firewall policy. FirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/firewallPolicies'

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create a Firewall and FirewallPolicy with Rules and Ipgroups

Deploy to Azure
This template deploys an Azure Firewall with Firewall Policy (including multiple application and network rules) referencing IP Groups in application and network rules.
Create a Firewall with FirewallPolicy and IpGroups

Deploy to Azure
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a Firewall, FirewallPolicy with Explicit Proxy

Deploy to Azure
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a sandbox setup with Firewall Policy

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
SharePoint Subscription / 2019 / 2016 fully configured

Deploy to Azure
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

Terraform (AzAPI provider) resource definition

The firewallPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/firewallPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/firewallPolicies@2024-05-01"
  name = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      basePolicy = {
        id = "string"
      }
      dnsSettings = {
        enableProxy = bool
        requireProxyForNetworkRules = bool
        servers = [
          "string"
        ]
      }
      explicitProxy = {
        enableExplicitProxy = bool
        enablePacFile = bool
        httpPort = int
        httpsPort = int
        pacFile = "string"
        pacFilePort = int
      }
      insights = {
        isEnabled = bool
        logAnalyticsResources = {
          defaultWorkspaceId = {
            id = "string"
          }
          workspaces = [
            {
              region = "string"
              workspaceId = {
                id = "string"
              }
            }
          ]
        }
        retentionDays = int
      }
      intrusionDetection = {
        configuration = {
          bypassTrafficSettings = [
            {
              description = "string"
              destinationAddresses = [
                "string"
              ]
              destinationIpGroups = [
                "string"
              ]
              destinationPorts = [
                "string"
              ]
              name = "string"
              protocol = "string"
              sourceAddresses = [
                "string"
              ]
              sourceIpGroups = [
                "string"
              ]
            }
          ]
          privateRanges = [
            "string"
          ]
          signatureOverrides = [
            {
              id = "string"
              mode = "string"
            }
          ]
        }
        mode = "string"
        profile = "string"
      }
      sku = {
        tier = "string"
      }
      snat = {
        autoLearnPrivateRanges = "string"
        privateRanges = [
          "string"
        ]
      }
      sql = {
        allowSqlRedirect = bool
      }
      threatIntelMode = "string"
      threatIntelWhitelist = {
        fqdns = [
          "string"
        ]
        ipAddresses = [
          "string"
        ]
      }
      transportSecurity = {
        certificateAuthority = {
          keyVaultSecretId = "string"
          name = "string"
        }
      }
    }
  })
}

Property values

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

DnsSettings

Name Description Value
enableProxy Enable DNS Proxy on Firewalls attached to the Firewall Policy. bool
requireProxyForNetworkRules FQDNs in Network Rules are supported when set to true. bool
servers List of Custom DNS Servers. string[]

ExplicitProxy

Name Description Value
enableExplicitProxy When set to true, explicit proxy mode is enabled. bool
enablePacFile When set to true, pac file port and url needs to be provided. bool
httpPort Port number for explicit proxy http protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
httpsPort Port number for explicit proxy https protocol, cannot be greater than 64000. int

Constraints:
Min value = 0
Max value = 64000
pacFile SAS URL for PAC file. string
pacFilePort Port number for firewall to serve PAC file. int

Constraints:
Min value = 0
Max value = 64000

FirewallPolicyCertificateAuthority

Name Description Value
keyVaultSecretId Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault. string
name Name of the CA certificate. string

FirewallPolicyInsights

Name Description Value
isEnabled A flag to indicate if the insights are enabled on the policy. bool
logAnalyticsResources Workspaces needed to configure the Firewall Policy Insights. FirewallPolicyLogAnalyticsResources
retentionDays Number of days the insights should be enabled on the policy. int

FirewallPolicyIntrusionDetection

Name Description Value
configuration Intrusion detection configuration properties. FirewallPolicyIntrusionDetectionConfiguration
mode Intrusion detection general state. When attached to a parent policy, the firewall's effective IDPS mode is the stricter mode of the two. 'Alert'
'Deny'
'Off'
profile IDPS profile name. When attached to a parent policy, the firewall's effective profile is the profile name of the parent policy. 'Advanced'
'Basic'
'Extended'
'Standard'

FirewallPolicyIntrusionDetectionBypassTrafficSpecifications

Name Description Value
description Description of the bypass traffic rule. string
destinationAddresses List of destination IP addresses or ranges for this rule. string[]
destinationIpGroups List of destination IpGroups for this rule. string[]
destinationPorts List of destination ports or ranges. string[]
name Name of the bypass traffic rule. string
protocol The rule bypass protocol. 'ANY'
'ICMP'
'TCP'
'UDP'
sourceAddresses List of source IP addresses or ranges for this rule. string[]
sourceIpGroups List of source IpGroups for this rule. string[]

FirewallPolicyIntrusionDetectionConfiguration

Name Description Value
bypassTrafficSettings List of rules for traffic to bypass. FirewallPolicyIntrusionDetectionBypassTrafficSpecifications[]
privateRanges IDPS Private IP address ranges are used to identify traffic direction (i.e. inbound, outbound, etc.). By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. To modify default ranges, specify your Private IP address ranges with this property string[]
signatureOverrides List of specific signatures states. FirewallPolicyIntrusionDetectionSignatureSpecification[]

FirewallPolicyIntrusionDetectionSignatureSpecification

Name Description Value
id Signature id. string
mode The signature state. 'Alert'
'Deny'
'Off'

FirewallPolicyLogAnalyticsResources

Name Description Value
defaultWorkspaceId The default workspace Id for Firewall Policy Insights. SubResource
workspaces List of workspaces for Firewall Policy Insights. FirewallPolicyLogAnalyticsWorkspace[]

FirewallPolicyLogAnalyticsWorkspace

Name Description Value
region Region to configure the Workspace. string
workspaceId The workspace Id for Firewall Policy Insights. SubResource

FirewallPolicyPropertiesFormat

Name Description Value
basePolicy The parent firewall policy from which rules are inherited. SubResource
dnsSettings DNS Proxy Settings definition. DnsSettings
explicitProxy Explicit Proxy Settings definition. ExplicitProxy
insights Insights on Firewall Policy. FirewallPolicyInsights
intrusionDetection The configuration for Intrusion detection. FirewallPolicyIntrusionDetection
sku The Firewall Policy SKU. FirewallPolicySku
snat The private IP addresses/IP ranges to which traffic will not be SNAT. FirewallPolicySnat
sql SQL Settings definition. FirewallPolicySQL
threatIntelMode The operation mode for Threat Intelligence. 'Alert'
'Deny'
'Off'
threatIntelWhitelist ThreatIntel Whitelist for Firewall Policy. FirewallPolicyThreatIntelWhitelist
transportSecurity TLS Configuration definition. FirewallPolicyTransportSecurity

FirewallPolicySku

Name Description Value
tier Tier of Firewall Policy. 'Basic'
'Premium'
'Standard'

FirewallPolicySnat

Name Description Value
autoLearnPrivateRanges The operation mode for automatically learning private ranges to not be SNAT 'Disabled'
'Enabled'
privateRanges List of private IP addresses/IP address ranges to not be SNAT. string[]

FirewallPolicySQL

Name Description Value
allowSqlRedirect A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. bool

FirewallPolicyThreatIntelWhitelist

Name Description Value
fqdns List of FQDNs for the ThreatIntel Whitelist. string[]
ipAddresses List of IP addresses for the ThreatIntel Whitelist. string[]

FirewallPolicyTransportSecurity

Name Description Value
certificateAuthority The CA used for intermediate CA generation. FirewallPolicyCertificateAuthority

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/firewallPolicies

Name Description Value
identity The identity of the firewall policy. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the firewall policy. FirewallPolicyPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/firewallPolicies@2024-05-01"

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string