JosephSundarRajPaulraj-7178 asked JadAzure-8127 answered

List all Azure policy rule collections with Rules in PowerShell

Could someone help me get the equivalent PowerShell command for the Az command below?

az network firewall policy rule-collection-group list --policy-name <policyname> --resource-group <RG_Name>

My requirement is to configure an Automation account PowerShell runbook which will extract all the firewall rules and store them as a file in blob. The script should run daily and retain the last 7 days' files in blob.

I am not able to find the PowerShell command to fetch all the available Rule Collections. I can fetch ONLY if I pass the collection name as a parameter in cmdlet. Ex: (Get-AzFirewallPolicyRuleCollectionGroup -Name <Col_Name> -ResourceGroupName <RG_Name> -AzureFirewallPolicyName <Pol_Name>).Properties.RuleCollection

I should not pass the collection name, as collections may be added or removed between daily runs. I also tried the PowerShell command below, but it returns nothing.

$colids=(Get-AzFirewallPolicy -Name <Pol_Name> -ResourceGroupName <RG_Name>).rulecollectiongroups
foreach($colid in $colids)
{
    Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $colid.id
}

Passing the resource ID of rule collection group directly for -ResourceId also returns nothing.











JosephSundarRajPaulraj-7178 answered

I used the command below as an alternative and got the required output.

Export-AzResourceGroup -ResourceGroupName <RG_Name> -Resource <RID_AzPolicy>

Thank you everyone for trying to help. But still Get-AzFirewallPolicyRuleCollectionGroup -ResourceId <RID> should work.


suvasara-MSFT answered

@JosephSundarRajPaulraj-7178 , Apologies for the delay in response. Looks like the Az Firewall network rule collection group commands were still under preview and under development.

This looks similar to this GitHub issue where on giving resourceID we see null.

Please do reach us at azcommunity@microsoft.com for further help on this PS module. Meanwhile, we will work with the respective PG team and will get back to you.


LimitlessTechnology-2700 answered JosephSundarRajPaulraj-7178 commented

Hi there,

Use the Get-NetFirewallRule cmdlet to get the entire list, and then filter on the Enabled and Direction properties:

Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

The Get-NetFirewallRule cmdlet returns the instances of firewall rules that match the search parameters from the user.

This cmdlet returns one or more firewall rules by specifying the Name parameter (default), the DisplayName parameter, rule properties, or by associated filters or objects. The queried rules can be placed into variables and piped to other cmdlets for further modifications or monitoring.

Here are some articles as well to help you out https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2019-ps

https://devblogs.microsoft.com/scripting/powertip-use-powershell-to-list-firewall-rules/





Thanks for the reply. I believe these cmdlets are for Windows Firewall, but I am having issues with Azure Firewall.

JadAzure-8127 answered

Hey,

The following code should work:

     # Get the config of the current Azure Firewall Policy
     # ($fwPol = policy name, $resourceGroupName = its resource group)
     $azFwPol = Get-AzFirewallPolicy -Name $fwPol -ResourceGroupName $resourceGroupName

     # Get RCG IDs (did not find a command that retrieves the RCG names directly)
     $rcgsIds = $azFwPol.RuleCollectionGroups

     # Get RCG names from RCG IDs (the name is the last segment of the resource ID)
     $rcgsNames = foreach ($rcgId in $rcgsIds) {
         $rcgId.Id.Substring($rcgId.Id.LastIndexOf("/") + 1)
     }

     # For each RCG
     foreach ($rcgName in $rcgsNames) {
         # Get Azure RCG object
         $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicyName $fwPol -ResourceGroupName $resourceGroupName

         # The post is cut off after this point; emitting the rule collections
         # via the property used in the question is an assumption
         $rcg.Properties.RuleCollection
     }
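An added example (not code from any poster in this thread) of the runbook the question describes: it enumerates rule collection groups by name as in the last answer, writes them to a dated JSON blob, and prunes exports older than 7 days. The storage account, container and blob naming are placeholders, and it assumes the Automation account has a managed identity with read access to the policy and Storage Blob Data Contributor on the container.

```powershell
# Added example. Names below are placeholders (assumptions), not values from the thread.
$ErrorActionPreference = 'Stop'            # abort before upload/prune if any fetch fails
$resourceGroupName = '<RG_Name>'
$fwPol             = '<Pol_Name>'
$storageAccount    = '<StorageAccountName>'
$container         = 'fw-policy-exports'   # hypothetical container name
$retentionDays     = 7

# Authenticate as the Automation account's managed identity (no stored keys or secrets).
Connect-AzAccount -Identity | Out-Null

# Enumerate rule collection groups by name, since -ResourceId returned nothing in the thread.
$policy = Get-AzFirewallPolicy -Name $fwPol -ResourceGroupName $resourceGroupName
$export = foreach ($ref in $policy.RuleCollectionGroups) {
    $rcgName = $ref.Id.Substring($ref.Id.LastIndexOf('/') + 1)
    $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName `
        -AzureFirewallPolicyName $fwPol -ResourceGroupName $resourceGroupName
    [pscustomobject]@{
        RuleCollectionGroup = $rcgName
        RuleCollections     = $rcg.Properties.RuleCollection
    }
}

# Serialize deep enough to reach individual rule fields (ConvertTo-Json defaults to depth 2).
$blobName = '{0}-{1:yyyyMMdd}.json' -f $fwPol, (Get-Date).ToUniversalTime()
$tmpFile  = Join-Path $env:TEMP $blobName
$export | ConvertTo-Json -Depth 20 | Set-Content -Path $tmpFile -Encoding utf8

# Upload using Azure AD auth of the connected identity rather than an account key.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
Set-AzStorageBlobContent -File $tmpFile -Container $container -Blob $blobName `
    -Context $ctx -Force | Out-Null
Remove-Item $tmpFile

# Retention: delete this policy's exports that are older than the cutoff.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$retentionDays)
Get-AzStorageBlob -Container $container -Context $ctx -Prefix "$fwPol-" |
    Where-Object { $_.LastModified.UtcDateTime -lt $cutoff } |
    Remove-AzStorageBlob -Force
```

Keeping the daily exports as dated files also lets two consecutive days be diffed to spot unexpected rule changes.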