New-AzFirewallPolicy
Creates a new Azure Firewall Policy
Note
This is the previous version of our documentation. Please consult the most recent version for up-to-date information.
Syntax
New-AzFirewallPolicy
-Name <String>
-ResourceGroupName <String>
-Location <String>
[-ThreatIntelMode <String>]
[-ThreatIntelWhitelist <PSAzureFirewallPolicyThreatIntelWhitelist>]
[-BasePolicy <String>]
[-PrivateRange <String[]>]
[-DnsSetting <PSAzureFirewallPolicyDnsSettings>]
[-Tag <Hashtable>]
[-Force]
[-AsJob]
[-IntrusionDetection <PSAzureFirewallPolicyIntrusionDetection>]
[-TransportSecurityName <String>]
[-TransportSecurityKeyVaultSecretId <String>]
[-SkuTier <String>]
[-UserAssignedIdentityId <String>]
[-Identity <PSManagedServiceIdentity>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AzFirewallPolicy cmdlet creates an Azure Firewall Policy.
Examples
Example 1: Create an empty policy
PS C:\> New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg
This example creates an empty Azure Firewall Policy named fp1 in the TestRg resource group.
Example 2: Create an empty policy with ThreatIntel Mode
PS C:\> New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -ThreatIntelMode "Deny"
This example creates an Azure Firewall Policy with Threat Intelligence set to Deny mode, so traffic to and from known-malicious addresses and domains is blocked rather than only alerted on.
Example 3: Create an empty policy with ThreatIntel Whitelist
PS C:\> $threatIntelWhitelist = New-AzFirewallPolicyThreatIntelWhitelist -IpAddress 23.46.72.91,192.79.236.79 -FQDN microsoft.com
PS C:\> New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -ThreatIntelWhitelist $threatIntelWhitelist
This example creates an Azure Firewall Policy with a Threat Intelligence whitelist; the listed IP addresses and FQDN are exempted from threat-intelligence filtering.
Example 4: Create a policy with intrusion detection, identity and transport security
PS C:\> $bypass = New-AzFirewallPolicyIntrusionDetectionBypassTraffic -Name "bypass-setting" -Protocol "TCP" -DestinationPort "80" -SourceAddress "10.0.0.0" -DestinationAddress
PS C:\> $signatureOverride = New-AzFirewallPolicyIntrusionDetectionSignatureOverride -Id "123456798" -Mode "Deny"
PS C:\> $intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Alert" -SignatureOverride $signatureOverride -BypassTraffic $bypass
PS C:\> $userAssignedIdentity = '/subscriptions/9e223dbe-3399-4e19-88eb-0975f02ac87f/resourcegroups/TestRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-assign-identity'
PS C:\> New-AzFirewallPolicy -Name fp1 -Location "westus2" -ResourceGroupName TestRg -SkuTier "Premium" -IntrusionDetection $intrusionDetection -TransportSecurityName tsName -TransportSecurityKeyVaultSecretId "https://<keyvaultname>.vault.azure.net/secrets/cacert" -UserAssignedIdentityId $userAssignedIdentity
This example creates a Premium-tier Azure Firewall Policy with intrusion detection in Alert mode, a user-assigned identity, and transport security (TLS inspection) whose CA certificate is read from Key Vault using that identity.
Example 5: Create an empty Firewall Policy with a customized private range setup
PS C:\> New-AzFirewallPolicy -Name fp1 -ResourceGroupName TestRg -PrivateRange @("99.99.99.0/24", "66.66.0.0/16")
This example creates a Firewall Policy that treats "99.99.99.0/24" and "66.66.0.0/16" as private IP ranges, so traffic to those addresses is not SNATed.
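The examples above each exercise one parameter. The following script, added here as an illustration and not taken from the original page or the Az.Network module, combines them into a hardened baseline (Premium tier, Threat Intelligence in Deny mode with a vetted whitelist, IDPS in Deny mode with a narrow bypass, DNS proxy, explicit private ranges), does a -WhatIf dry run before creating the policy, and then reads the policy back to confirm the settings took effect. The resource group, policy name, addresses, signature id and the New-AzFirewallPolicyDnsSetting cmdlet and PSAzureFirewallPolicy property names used in the check are assumptions, labelled in the comments.

```powershell
# Added example (not from the original page): create a Premium Azure Firewall Policy
# with a hardened baseline, then verify the applied settings.
# Placeholders (assumptions): resource group SecOpsRg, policy fp-baseline,
# DNS server 10.0.0.4, IDPS signature id 0000000, addresses from RFC 5737/1918 space.

$rg       = 'SecOpsRg'
$name     = 'fp-baseline'
$location = 'westus2'

# Threat Intelligence in Deny mode blocks traffic matching the known-malicious feed.
# The whitelist holds vetted exceptions so a feed false positive cannot cut off a
# business-critical endpoint (203.0.113.10 is an RFC 5737 documentation address).
$tiAllow = New-AzFirewallPolicyThreatIntelWhitelist `
    -IpAddress '203.0.113.10' `
    -FQDN 'partner.example.com'

# IDPS (Premium only): Deny mode drops traffic that matches a signature. One narrow
# bypass keeps an internal health-check flow out of inspection, and one noisy
# signature is downgraded to Alert so it is still logged without being blocked.
$bypass = New-AzFirewallPolicyIntrusionDetectionBypassTraffic `
    -Name 'healthcheck-bypass' -Protocol 'TCP' -DestinationPort '443' `
    -SourceAddress '10.10.0.0/24' -DestinationAddress '10.20.0.5'
$override = New-AzFirewallPolicyIntrusionDetectionSignatureOverride `
    -Id '0000000' -Mode 'Alert'   # placeholder signature id, not a real one
$idps = New-AzFirewallPolicyIntrusionDetection `
    -Mode 'Deny' -SignatureOverride $override -BypassTraffic $bypass

# DNS proxy so FQDN-based rules resolve through the firewall and DNS queries are
# logged. New-AzFirewallPolicyDnsSetting with -Server/-EnableProxy is assumed to
# exist in the installed Az.Network version.
$dns = New-AzFirewallPolicyDnsSetting -Server '10.0.0.4' -EnableProxy

# Internal CIDRs treated as private: outbound traffic to them is not SNATed
# (same parameter as Example 5 above).
$privateRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

$common = @{
    Name                 = $name
    ResourceGroupName    = $rg
    Location             = $location
    SkuTier              = 'Premium'
    ThreatIntelMode      = 'Deny'
    ThreatIntelWhitelist = $tiAllow
    IntrusionDetection   = $idps
    DnsSetting           = $dns
    PrivateRange         = $privateRanges
    Tag                  = @{ Owner = 'secops'; Baseline = 'v1' }
}

# Dry run: -WhatIf reports what would be created without touching Azure.
New-AzFirewallPolicy @common -WhatIf

# Real run. -Force suppresses the overwrite prompt if fp-baseline already exists.
$policy = New-AzFirewallPolicy @common -Force

# Post-deployment check: read the policy back and compare it with the baseline.
# Property names (Sku.Tier, ThreatIntelMode, IntrusionDetection.Mode,
# DnsSettings.EnableProxy) are assumed from the PSAzureFirewallPolicy object shape.
function Test-FirewallPolicyBaseline {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $p = Get-AzFirewallPolicy -Name $Name -ResourceGroupName $ResourceGroupName
    $findings = @()
    if ($p.Sku.Tier -ne 'Premium') {
        $findings += 'SKU tier is not Premium; IDPS and TLS inspection are unavailable'
    }
    if ($p.ThreatIntelMode -ne 'Deny') {
        $findings += "ThreatIntelMode is '$($p.ThreatIntelMode)', expected Deny"
    }
    if ($p.IntrusionDetection.Mode -ne 'Deny') {
        $findings += 'IDPS is not in Deny mode'
    }
    if (-not $p.DnsSettings.EnableProxy) {
        $findings += 'DNS proxy is disabled; FQDN rules and DNS logging are degraded'
    }
    [pscustomobject]@{
        Policy    = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-FirewallPolicyBaseline -Name $name -ResourceGroupName $rg
```

Running the check as a separate function makes it reusable against policies that were not created by this script, which is where drift (someone flipping ThreatIntelMode back to Alert in the portal) is usually found.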
Parameters
-AsJob
Run the cmdlet in the background.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-BasePolicy
The base policy to inherit from.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DnsSetting
The DNS setting.
| Type: | PSAzureFirewallPolicyDnsSettings |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force
Do not ask for confirmation when overwriting an existing resource.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identity
The managed identity to be assigned to the Firewall Policy.
| Type: | PSManagedServiceIdentity |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IntrusionDetection
The intrusion detection setting.
| Type: | PSAzureFirewallPolicyIntrusionDetection |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Location
The resource location.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Name
The resource name.
| Type: | String |
| Aliases: | ResourceName |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PrivateRange
The private IP ranges to which traffic won't be SNATed.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResourceGroupName
The resource group name.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SkuTier
The Firewall Policy SKU tier.
| Type: | String |
| Accepted values: | Standard, Premium |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Tag
A hashtable which represents resource tags.
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ThreatIntelMode
The operation mode for Threat Intelligence.
| Type: | String |
| Accepted values: | Alert, Deny, Off |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ThreatIntelWhitelist
The whitelist for Threat Intelligence.
| Type: | PSAzureFirewallPolicyThreatIntelWhitelist |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TransportSecurityKeyVaultSecretId
Secret ID of the 'Secret' or 'Certificate' object (a base64-encoded, unencrypted PFX) stored in Key Vault.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TransportSecurityName
Transport security name.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-UserAssignedIdentityId
Resource ID of the user-assigned identity to be assigned to the Firewall Policy.
| Type: | String |
| Aliases: | UserAssignedIdentity |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |