Sample Configuration for Post vWAN Deployment
Sample configuration for post vWAN deployments in CNGFW for Azure.
Post deployment
After verifying the deployment, perform the following post-deployment tasks:
Create or update a rulestack
To update an existing rulestack:
- In the Azure Resource Manager (ARM) console, click Rulestacks for the Cloud NGFW resource you want to configure. The rulestack associated with the Cloud NGFW service appears, along with its resource group.
- Modify the rulestack to add firewall rules. These rules allow some traffic while blocking specific traffic. By default, Cloud NGFW blocks all traffic. Search for the local rulestack you created previously using the global search option provided by the Azure portal.
- Select the previously created local rulestack associated with your Cloud NGFW subscription, then select Rules.
- In the Local Rules section, click Add. In the Add Rule window, modify the rules. For example, add a rule that allows traffic; complete the mandatory fields and use the default settings for the remaining fields.
- Enable logging for the rule. In the Add Rule window, select Logging.
- Click Validate, then Add to add the rule to the rulestack.
- Add an FQDN list that specifies a URL, then specify an action to take. For example, you can apply an action to the FQDN rule to drop traffic attempting to access the URL www.facebook.com. Verify that the URL you entered appears in the FQDN list.
- Return to the Rules settings page and add a rule that matches the newly created FQDN list. Set the action to Drop traffic. Both rules appear in the Local Rules page.
- As part of the Cloud NGFW service, security profiles are enabled with best-practice configurations by default. Traffic is secured with the best security profiles when you start and deploy the service. Select Profiles to view these security profiles.
- After modifying rules, deploy them onto the local rulestack associated with the Cloud NGFW service. Click Deployment. The deployment status appears as Candidate; this means that the configuration was built but not yet deployed. Click Deploy Configuration to deploy the configuration onto the Cloud NGFW service. You must complete this step to deploy the rulestack.
- After clicking Deploy Configuration, a message displays the firewalls associated with the rulestack. Click Deploy to configure this rulestack on all the associated firewalls using the rulestack. After successfully deploying the configuration, the screen displays the deployment status as Running (the Cloud NGFW and local rulestack are successfully deployed).
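The steps above put a broad allow rule and an FQDN-list drop rule in the same local rulestack. The Python below is an added example, not Palo Alto Networks' code or the Cloud NGFW API: it models first-match evaluation in priority order, which is how PAN-OS firewalls evaluate security policy and is assumed here to hold for Cloud NGFW local rules, with the rule and FQDN-list structures simplified for illustration. It shows why the drop rule must sit ahead of the allow rule (a more specific drop placed after a catch-all allow never fires) and that, with no matching rule, the result is Drop, as the text states for the default behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    """Simplified local rule (assumed shape, not the Cloud NGFW schema)."""
    name: str
    action: str                           # "Allow" or "Drop"
    fqdn_list: Optional[Set[str]] = None  # None = match any destination
    logging: bool = False


def fqdn_matches(fqdn: str, entries: Set[str]) -> bool:
    """True if fqdn equals a list entry or is a subdomain of one."""
    host = fqdn.lower().rstrip(".")
    for entry in entries:
        e = entry.lower().rstrip(".")
        if host == e or host.endswith("." + e):
            return True
    return False


def evaluate(rules: List[Rule], dest_fqdn: str) -> Tuple[str, List[str]]:
    """First-match evaluation in priority order.

    Returns (action, log_lines). With no matching rule the action is Drop,
    mirroring the page's statement that Cloud NGFW blocks all traffic by default.
    """
    log: List[str] = []
    for rule in rules:
        if rule.fqdn_list is None or fqdn_matches(dest_fqdn, rule.fqdn_list):
            if rule.logging:
                log.append(f"rule={rule.name} action={rule.action} dst={dest_fqdn}")
            return rule.action, log
    log.append(f"rule=default-deny action=Drop dst={dest_fqdn}")
    return "Drop", log


# Constructed FQDN list, mirroring the walkthrough's example entry.
BLOCKED_FQDNS = {"www.facebook.com"}

# If the broad allow is given the earlier priority, the FQDN drop is never reached.
ALLOW_BEFORE_DROP = [
    Rule("allow-outbound", "Allow", logging=True),
    Rule("drop-blocked-fqdn", "Drop", fqdn_list=BLOCKED_FQDNS, logging=True),
]

# Corrected order: the specific drop rule is evaluated before the catch-all allow.
DROP_BEFORE_ALLOW = list(reversed(ALLOW_BEFORE_DROP))


if __name__ == "__main__":
    for label, ruleset in (("allow-first", ALLOW_BEFORE_DROP), ("drop-first", DROP_BEFORE_ALLOW)):
        for dst in ("www.facebook.com", "api.contoso.com"):
            action, log = evaluate(ruleset, dst)
            print(f"{label:11} {dst:18} -> {action:5} {log[0]}")
```

Running the block prints both orderings side by side; only the drop-first ordering blocks www.facebook.com while still allowing other destinations, so when you set the Priority field in the Add Rule window, give the FQDN drop rule the earlier position.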
Source/destination NAT rule on the Cloud NGFW
Configure a destination NAT rule with frontend configuration on the Cloud NGFW to direct inbound traffic towards an application on the vWAN.
- Access the Networking & NAT settings screen for the Cloud NGFW resource. In this screen, determine if the network type is Virtual WAN Hub and the status of the Source NAT field (enabled or disabled); if Source NAT was enabled, it appears in this screen.
- Click Edit to add the Destination NAT rule.
- Add a Destination NAT rule for the frontend configuration. The frontend IP address represents the public IP address associated with the Cloud NGFW. Use the drop-down menu to select the address.
- Add frontend setting information to the rule, and click Add. Once the destination NAT rule is added, click Save to deploy the configuration to the Cloud NGFW resource. After successfully saving the configuration, the Destination Network Address Translation (DNAT) field displays the updates; the address http://frontendIP:8080 is redirected to the noted application on the specified port through the Cloud NGFW; inbound traffic is now flowing through the Cloud NGFW.
Configure Logging
Before configuring logging on the Cloud NGFW, create the Log Analytics workspace on Azure.
- In the Azure portal, search for the Azure Log Analytics workspace. Click Log Analytics Workspaces to add it as a service.
- Click Create to establish a new Log Analytics workspace.
- In the Create Log Analytics workspace, provide Instance details. Select the Name of the workspace from the drop-down menu, and specify the Region.
- Configure log settings in the Cloud NGFW resource. Select Log Settings. Click Edit.
- In the Log Settings field, select the Log Analytics workspace previously created, then click Save.
Add application vNETs as Virtual Networks Connections to the Virtual WAN
Add an application vNET as Virtual Network Connections to the Virtual WAN hub.
- In your vWAN resource, select Virtual Network Connections.
- Click Add connection.
- Select the vNET you want to configure as the Virtual Network, then click Create.
- Select another vNET for the second Virtual Network, then click Create.
- After successfully connecting the virtual networks to the vHub, verify that the status is Connected.
Configure vWAN Hub Routing Intent and Routing Policies
Routing policies within the virtual WAN hub are used to route traffic through the Cloud NGFW service. To route internet-bound traffic and private traffic (spoke to spoke), you need to configure the next hop as the vWAN Cloud NGFW.
vWAN routing intent, routing policies and SaaS functionality are currently being developed by Microsoft for the Azure Portal. The target availability date for every region where Cloud NGFW is available is Tuesday, May 9, 2023.
- In your vWAN resource, select Routing Intent and Routing Policies.
- Select the Internet traffic and the Next Hop Resource from the drop-down menus, then click Save.
- After configuring routing policies, verify the routing table was updated to route traffic through Cloud NGFW. Click Route Tables and select Default in the Route Tables section. You can Edit the route table to provide details related to the routes associated with the Default routing table. Traffic going out to the internet or to other vNETs is routed through the Cloud NGFW.
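The last step above asks you to verify that the Default route table really sends internet-bound and spoke-to-spoke traffic through the Cloud NGFW. The Python below is an added example, not Microsoft's or Palo Alto Networks' tooling: it runs that check over a constructed list of route records whose shape (prefix, next hop) is an assumption rather than the Azure portal or CLI output format, and it assumes the routing intent policies cover the default route (Internet) and the RFC 1918 ranges (Private Traffic). It also applies longest-prefix matching, which is why a leftover, more specific route pointing at a vNET connection lets traffic bypass the firewall even when 0.0.0.0/0 and 10.0.0.0/8 point at it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Destinations that routing intent should steer to the firewall (assumed):
# the default route for the Internet policy and RFC 1918 for Private Traffic.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Route = Dict[str, str]  # {"prefix": "...", "nextHop": "..."}; assumed shape

# Constructed sample of a hub route table after routing intent was applied,
# plus one stale, more specific route still pointing at a vNET connection.
SAMPLE_ROUTES: List[Route] = [
    {"prefix": "0.0.0.0/0", "nextHop": "cloudngfw-hub"},
    {"prefix": "10.0.0.0/8", "nextHop": "cloudngfw-hub"},
    {"prefix": "172.16.0.0/12", "nextHop": "cloudngfw-hub"},
    {"prefix": "192.168.0.0/16", "nextHop": "cloudngfw-hub"},
    {"prefix": "10.20.0.0/16", "nextHop": "vnet-connection-app2"},
]


def next_hop_for(routes: List[Route], dest_ip: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest_ip)
    best_len, best_hop = -1, None
    for r in routes:
        net = ipaddress.ip_network(r["prefix"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, r["nextHop"]
    return best_hop


def find_bypasses(routes: List[Route], firewall_hop: str) -> List[Tuple[str, str]]:
    """Routes into Internet or private space whose next hop is not the firewall."""
    found: List[Tuple[str, str]] = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"], strict=False)
        steered = net == INTERNET or any(net.overlaps(p) for p in PRIVATE)
        if steered and r["nextHop"] != firewall_hop:
            found.append((r["prefix"], r["nextHop"]))
    return found


def inspected(routes: List[Route], dest_ip: str, firewall_hop: str) -> bool:
    """True if traffic to dest_ip is forwarded to the firewall next hop."""
    return next_hop_for(routes, dest_ip) == firewall_hop


if __name__ == "__main__":
    fw = "cloudngfw-hub"
    for ip in ("8.8.8.8", "10.30.1.5", "10.20.1.5"):
        verdict = "inspected" if inspected(SAMPLE_ROUTES, ip, fw) else "BYPASS"
        print(f"{ip:10} -> {next_hop_for(SAMPLE_ROUTES, ip):22} {verdict}")
    print("bypass routes:", find_bypasses(SAMPLE_ROUTES, fw))
```

To use this against a real hub, export the Default route table entries into the same prefix/next-hop form and pass the Cloud NGFW resource as the firewall hop; any tuple returned by find_bypasses is a route to fix before treating the hub as protected.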