Share via


az network firewall policy rule-collection-group collection rule

Note

This reference is part of the azure-firewall extension for the Azure CLI (version 2.61.0 or higher). The extension will automatically install the first time you run an az network firewall policy rule-collection-group collection rule command. Learn more about extensions.

Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy.

Filter collection supports having a list of network rules or application rules. NatRule collection supports including a list of nat rules.

Commands

Name Description Type Status
az network firewall policy rule-collection-group collection rule add

Add a rule into an Azure firewall policy rule collection.

Extension Preview
az network firewall policy rule-collection-group collection rule remove

Remove a rule from an Azure firewall policy rule collection.

Extension Preview
az network firewall policy rule-collection-group collection rule update

Update a rule of an Azure firewall policy rule collection.

Extension Preview

az network firewall policy rule-collection-group collection rule add

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Add a rule into an Azure firewall policy rule collection.

az network firewall policy rule-collection-group collection rule add --collection-name
                                                                     --name
                                                                     --policy-name
                                                                     --rcg-name
                                                                     --resource-group
                                                                     --rule-type {ApplicationRule, NatRule, NetworkRule}
                                                                     [--add]
                                                                     [--description]
                                                                     [--dest-addr]
                                                                     [--dest-ipg]
                                                                     [--destination-fqdns]
                                                                     [--destination-ports]
                                                                     [--enable-tls-insp {0, 1, f, false, n, no, t, true, y, yes}]
                                                                     [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                     [--fqdn-tags]
                                                                     [--http-headers-to-insert]
                                                                     [--ip-protocols]
                                                                     [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                     [--protocols]
                                                                     [--remove]
                                                                     [--set]
                                                                     [--source-addresses]
                                                                     [--source-ip-groups]
                                                                     [--target-fqdns]
                                                                     [--target-urls]
                                                                     [--translated-address]
                                                                     [--translated-fqdn]
                                                                     [--translated-port]
                                                                     [--web-categories]

Required Parameters

--collection-name

The name of the rule collection in Firewall Policy Rule Collection Group.

--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-type

The type of rule.

Accepted values: ApplicationRule, NatRule, NetworkRule

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

The description of rule.

--dest-addr --destination-addresses

Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--dest-ipg --destination-ip-groups

Space-separated list of name or resource id of destination IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--destination-fqdns

Space-separated list of destination FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--enable-tls-insp --enable-tls-inspection

Enable flag to terminate TLS connection for this rule.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Default value: False
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--fqdn-tags

Space-separated list of FQDN tags for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--http-headers-to-insert

Space-separated list of HTTP headers to insert, in NAME=VALUE format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--protocols

Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--source-addresses

Space-separated list of source IP ddresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--source-ip-groups

Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--target-fqdns

Space-separated list of FQDNs for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--target-urls

Space-separated list of target urls for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--translated-address

Translated address for this NAT rule collection.

--translated-fqdn

Translated FQDN for this NAT rule collection.

--translated-port

Translated port for this NAT rule collection.

--web-categories

Space-separated list of web categories for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy rule-collection-group collection rule remove

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Remove a rule from an Azure firewall policy rule collection.

Filter collection supports having a list of network rules or application rules. NatRule collection supports including a list of nat rules.

az network firewall policy rule-collection-group collection rule remove --collection-name
                                                                        --name
                                                                        --policy-name
                                                                        --rcg-name
                                                                        --resource-group
                                                                        [--add]
                                                                        [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                        [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                        [--remove]
                                                                        [--set]

Required Parameters

--collection-name

The name of the rule collection in Firewall Policy Rule Collection Group.

--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network firewall policy rule-collection-group collection rule update

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Update a rule of an Azure firewall policy rule collection.

Filter collection supports having a list of network rules or application rules. NatRule collection supports including a list of nat rules.

az network firewall policy rule-collection-group collection rule update --collection-name
                                                                        --name
                                                                        --policy-name
                                                                        --rcg-name
                                                                        --resource-group
                                                                        [--add]
                                                                        [--description]
                                                                        [--dest-addr]
                                                                        [--dest-ipg]
                                                                        [--destination-fqdns]
                                                                        [--destination-ports]
                                                                        [--enable-tls-insp {0, 1, f, false, n, no, t, true, y, yes}]
                                                                        [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                                                        [--fqdn-tags]
                                                                        [--http-headers-to-insert]
                                                                        [--ip-protocols]
                                                                        [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                                                        [--protocols]
                                                                        [--remove]
                                                                        [--set]
                                                                        [--source-addresses]
                                                                        [--source-ip-groups]
                                                                        [--target-fqdns]
                                                                        [--target-urls]
                                                                        [--translated-address]
                                                                        [--translated-fqdn]
                                                                        [--translated-port]
                                                                        [--web-categories]

Examples

Update a rule of an Azure firewall policy rule collection.

az network firewall policy rule-collection-group collection rule update -g {rg} --policy-
name {policy} --rule-collection-group-name {rcg} --collection-name {cn} -n {rule_name}
--target-fqdns XXX

Required Parameters

--collection-name

The name of the rule collection in Firewall Policy Rule Collection Group.

--name -n

The name of the Firewall Policy Rule Collection Group.

--policy-name

The name of the Firewall Policy.

--rcg-name --rule-collection-group-name

The name of the Firewall Policy Rule Collection Group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

The description of rule.

--dest-addr --destination-addresses

Space-separated list of destination IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--dest-ipg --destination-ip-groups

Space-separated list of name or resource id of destination IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--destination-fqdns

Space-separated list of destination FQDNs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--destination-ports

Space-separated list of destination ports. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--enable-tls-insp --enable-tls-inspection

Enable flag to terminate TLS connection for this rule.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Default value: False
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--fqdn-tags

Space-separated list of FQDN tags for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--http-headers-to-insert

Space-separated list of HTTP headers to insert, in NAME=VALUE format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--ip-protocols

Space-separated list of IP protocols. This argument is supported for Nat and Network Rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
--protocols

Space-separated list of protocols and port numbers to use, in PROTOCOL=PORT format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--source-addresses

Space-separated list of source IP addresses. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--source-ip-groups

Space-separated list of name or resource id of source IpGroups. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--target-fqdns

Space-separated list of FQDNs for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--target-urls

Space-separated list of target urls for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

--translated-address

Translated address for this NAT rule collection.

--translated-fqdn

Translated FQDN for this NAT rule collection.

--translated-port

Translated port for this NAT rule collection.

--web-categories

Space-separated list of web categories for this rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.