In the Azure portal, open the Cloud NGFW resource you want to configure
and click Rulestacks. The rulestack associated with the Cloud NGFW
resource appears, along with its resource group.
Modify the rulestack to add security rules. These rules determine which
traffic is allowed and which is dropped. By default, Cloud NGFW denies
all traffic, so every flow you expect to pass must be permitted by an
explicit rule. Search for the local rulestack you created previously
using the global search option in the Azure portal.
Select the previously created local rulestack associated with your
Cloud NGFW subscription, then select Rules.
In the Local Rules section, click Add. In the Add Rule window, define
the rule. For example, add a rule that allows the traffic you expect;
complete the mandatory fields and leave the remaining fields at their
default settings.
Enable logging for the rule so that matches are recorded: in the Add
Rule window, select Logging.
Click Validate, then Add to add the rule to the
rulestack.
Add an FQDN list containing the domain names you want to match, then
reference that list from a rule with the action you want to apply. For
example, a rule that matches an FQDN list containing www.facebook.com
with the action Drop traffic blocks attempts to reach that site.
Verify that the FQDN you entered appears in the FQDN list.
Return to the Rules page and add a rule that matches the newly created
FQDN list. Set the action to Drop traffic. Because rules are evaluated
in priority order and the first match decides, place the drop rule
above any broader allow rule; otherwise the allow rule shadows it.
Both rules appear in the Local Rules page.
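The following model shows why the order of the two rules above matters. It is an added example, not Palo Alto Networks' code, and it simplifies the rulestack: a rule is a source, a destination, an optional FQDN list and an action; rules are checked in priority order, the first match decides, and an unmatched flow hits the implicit default deny. The FQDN-list contents, rule names, priorities and sample flows are constructed.

```python
"""Model of how a Cloud NGFW local rulestack evaluates traffic: rules are
checked in priority order, the first match decides, and anything unmatched
hits the implicit default deny. Example code added here, not Palo Alto
Networks' code; rule fields, FQDN-list contents and flows are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed FQDN list; the page's example blocks www.facebook.com.
FQDN_LISTS = {
    "blocked-sites": {"www.facebook.com"},
}


@dataclass
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    action: str                      # "allow" or "drop"
    source: str = "any"              # CIDR or "any"
    destination: str = "any"         # CIDR or "any"
    fqdn_list: Optional[str] = None  # key in FQDN_LISTS, or None for no FQDN match
    log: bool = True


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_fqdn: Optional[str] = None   # name the firewall resolved for dst_ip, if any


def _cidr_matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def _fqdn_matches(rule: Rule, flow: Flow) -> bool:
    if rule.fqdn_list is None:
        return True                  # rule does not constrain on FQDN
    if flow.dst_fqdn is None:
        return False                 # no name to compare against
    return flow.dst_fqdn.lower() in FQDN_LISTS[rule.fqdn_list]


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, Optional[str]]:
    """Return (action, rule_name, log_line). Rules are sorted by priority and
    the first one matching every field decides; no match is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_cidr_matches(rule.source, flow.src_ip)
                and _cidr_matches(rule.destination, flow.dst_ip)
                and _fqdn_matches(rule, flow)):
            log_line = (f"{flow.src_ip} -> {flow.dst_ip} ({flow.dst_fqdn or '-'}): "
                        f"{rule.action} by {rule.name}") if rule.log else None
            return rule.action, rule.name, log_line
    return "deny", "implicit-default-deny", None


# Constructed rulestack mirroring the page's two rules: the FQDN drop rule gets
# the lower priority number so it is evaluated before the broad allow.
def correct_rulestack() -> List[Rule]:
    return [
        Rule("drop-blocked-sites", priority=1, action="drop",
             source="10.0.0.0/8", fqdn_list="blocked-sites"),
        Rule("allow-spokes-outbound", priority=2, action="allow",
             source="10.0.0.0/8"),
    ]


# Same rules with the priorities swapped: the allow now shadows the drop rule,
# so the blocked site stays reachable even though a drop rule exists.
def misordered_rulestack() -> List[Rule]:
    rules = correct_rulestack()
    rules[0].priority, rules[1].priority = rules[1].priority, rules[0].priority
    return rules


if __name__ == "__main__":
    web = Flow("10.1.0.4", "203.0.113.10", dst_fqdn="www.facebook.com")
    for label, stack in (("correct", correct_rulestack()),
                         ("misordered", misordered_rulestack())):
        print(label, evaluate(stack, web))
```

Running the block prints the decision for the same flow under both orderings: the correctly ordered rulestack drops the www.facebook.com flow by the FQDN rule, while the misordered one allows it, and a flow from a source outside 10.0.0.0/8 falls through to the implicit deny with nothing logged.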
As part of the Cloud NGFW service, security profiles are enabled with
best-practice configurations by default, so traffic is inspected with
those profiles as soon as the service is deployed. Select Profiles to
view them.
After modifying rules, deploy them onto the local rulestack associated
with the Cloud NGFW service. Click Deployment. The deployment
status appears as Candidate; this means that the configuration
was built but not yet deployed. Click Deploy Configuration to
deploy the configuration onto the Cloud NGFW service. You must
complete this step to deploy the rulestack.
After you click Deploy Configuration, a message lists the firewalls
associated with the rulestack. Click Deploy to push the rulestack to
all of those firewalls.
After the deployment succeeds, the deployment status changes to
Running, which indicates that the configuration is active on the
Cloud NGFW.
Source/destination NAT rule on the Cloud NGFW
Configure a destination NAT (DNAT) rule with a frontend configuration
on the Cloud NGFW to direct inbound traffic to an application hosted in
a vNET connected to the vWAN hub.
Open the Networking & NAT settings screen for the Cloud NGFW resource.
On this screen, confirm that the network type is Virtual WAN Hub and
note whether Source NAT is enabled; if it is, it appears on this
screen.
Click Edit to add the Destination NAT rule.
Add a Destination NAT rule for the frontend configuration. The
frontend IP address is the public IP address associated with the Cloud
NGFW; select it from the drop-down menu.
Add frontend setting information to the rule, and click
Add.
Once the destination NAT rule is added, click Save to deploy the
configuration to the Cloud NGFW resource.
After the configuration is saved, the Destination Network Address
Translation (DNAT) field shows the update: traffic arriving at the
frontend public IP on port 8080 (http://frontendIP:8080) is translated
to the application's private address and port and forwarded through the
Cloud NGFW, so inbound traffic now flows through the firewall. DNAT does
not bypass the rulestack: because Cloud NGFW denies by default, the
translated application traffic must also be permitted by a security
rule.
Configure Logging
Before configuring logging on the Cloud NGFW, create the Log Analytics
workspace on Azure.
In the Azure portal, search for Log Analytics workspaces and open the
service.
Click Create to establish a new Log Analytics workspace.
On the Create Log Analytics workspace page, provide the Instance
details: select the Subscription and Resource group, enter a Name for
the workspace, and select the Region.
Configure log settings in the Cloud NGFW resource. Select Log
Settings. Click Edit.
In the Log Settings field, select the Log Analytics workspace
previously created, then click Save.
Add application vNETs as Virtual Networks Connections to the Virtual WAN
Add each application vNET as a Virtual Network Connection to the
Virtual WAN hub.
In your vWAN resource, select Virtual Network Connections.
Click Add connection.
Select the vNET you want to configure as the Virtual Network, then
click Create.
Select another vNET for the second Virtual Network, then click
Create.
After successfully connecting the virtual networks to the vHub, verify that
the status is Connected.
Configure vWAN Hub Routing Intent and Routing Policies
Routing policies within the virtual WAN hub are used to route traffic through
the Cloud NGFW service. To route internet bound traffic and private traffic
(spoke to spoke) you need to configure the next hop as the vWAN Cloud
NGFW.
vWAN routing intent, routing policies, and SaaS functionality are
currently being developed by Microsoft for the Azure portal. The target
availability date for every region where Cloud NGFW is available is
Tuesday, May 9, 2023.
In your vWAN resource, select Routing Intent and Routing
Policies.
For both Internet traffic and Private traffic, select the Cloud NGFW as
the Next Hop Resource from the drop-down menus, then click Save.
After configuring routing policies, verify the routing table was
updated to route traffic through Cloud NGFW. Click Route Tables
and select Default in the Route Tables section.
You can click Edit on the Default route table to review the routes it
contains. Traffic going out to the internet or to other vNETs is now
routed through the Cloud NGFW.
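The check that follows is an added example, not Microsoft's or Palo Alto Networks' code. It models the hub's Default route table as a longest-prefix-match lookup and assumes that routing intent installs 0.0.0.0/0 (Internet policy) and the RFC 1918 aggregates (Private policy) with the Cloud NGFW as next hop; the route entries and next-hop labels are constructed. It also shows the failure mode a practitioner should look for when verifying the route table: any more-specific route with a different next hop wins the lookup and steers that traffic around the firewall.

```python
"""Longest-prefix-match model of the vWAN hub Default route table after
routing intent points Internet and Private traffic at the Cloud NGFW.
Added example; not Microsoft's or Palo Alto Networks' code. Assumes routing
intent installs 0.0.0.0/0 and the RFC 1918 aggregates with the firewall as
next hop. Route entries and next-hop labels are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CLOUD_NGFW = "nexthop:cloudngfw"   # hypothetical label for the firewall next hop

# Constructed routes as they would appear in the hub's Default table
# once routing intent is configured for Internet and Private traffic.
INTENT_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", CLOUD_NGFW),
    ("10.0.0.0/8", CLOUD_NGFW),
    ("172.16.0.0/12", CLOUD_NGFW),
    ("192.168.0.0/16", CLOUD_NGFW),
]


def lookup(routes: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Return the next hop for dst_ip by longest-prefix match, or None."""
    addr = ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def bypass_routes(routes: List[Tuple[str, str]],
                  firewall: str = CLOUD_NGFW) -> List[Tuple[str, str]]:
    """Return routes that steer traffic around the firewall: any route whose
    next hop is not the firewall and whose prefix lies inside a prefix the
    firewall route covers. Such a route is more specific, so it wins the
    longest-prefix match for every destination it contains."""
    fw_nets = [ip_network(p) for p, nh in routes if nh == firewall]
    leaks = []
    for prefix, next_hop in routes:
        if next_hop == firewall:
            continue
        net = ip_network(prefix)
        if any(net.subnet_of(fw) for fw in fw_nets):
            leaks.append((prefix, next_hop))
    return leaks


if __name__ == "__main__":
    # Internet-bound and spoke-to-spoke destinations both resolve to the firewall.
    for dst in ("8.8.8.8", "10.2.0.4"):
        print(dst, "->", lookup(INTENT_ROUTES, dst))
    # A constructed static route pointing a spoke prefix straight at its
    # connection wins the lookup for that spoke and is reported as a bypass.
    leaky = INTENT_ROUTES + [("10.2.0.0/16", "nexthop:spoke-b-connection")]
    print("10.2.0.4 ->", lookup(leaky, "10.2.0.4"))
    print("bypasses:", bypass_routes(leaky))
```

With the intent routes alone, both an internet destination and another spoke's address resolve to the Cloud NGFW. Adding the constructed /16 route for spoke B changes the result for 10.2.0.4 and `bypass_routes` flags it; when you edit the Default route table in the portal, any route like that is the one to remove or re-point at the firewall.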