Add a Next Generation Firewall in Azure Security Center
Azure Security Center may recommend that you add a next generation firewall (NGFW) from a Microsoft partner to increase your security protections. This document walks you through an example of adding one.
This document introduces the service by using an example deployment. This is not a step-by-step guide.
Implement the recommendation
- In the Recommendations blade, select Add a Next Generation Firewall.
- In the Add a Next Generation Firewall blade, select an endpoint.
- A second Add a Next Generation Firewall blade opens. You can choose to use an existing solution if available or you can create a new one. In this example, there are no existing solutions available so we create an NGFW.
- To create an NGFW, select a solution from the list of integrated partners. In this example, we select Check Point.
- The Check Point blade opens providing you information about the partner solution. Select Create in the information blade.
- The Create virtual machine blade opens. Here you can enter information required to spin up a virtual machine (VM) that runs the NGFW. Follow the steps and provide the NGFW information required. Select OK to apply.
Route traffic through NGFW only
Return to the Recommendations blade. After you add an NGFW via Security Center, a new entry called Route traffic through NGFW only is generated. This recommendation is created only if you installed your NGFW through Security Center. If you have Internet-facing endpoints, Security Center recommends that you configure Network Security Group rules that force inbound traffic to your VM through your NGFW.
- In the Recommendations blade, select Route traffic through NGFW only.
- This opens the blade Route traffic through NGFW only, which lists VMs that you can route traffic to. Select a VM from the list.
- A blade for the selected VM opens, displaying related inbound rules. A description provides you with more information on possible next steps. Select Edit inbound rules to proceed with editing an inbound rule. For the Internet-facing endpoints linked with the NGFW, Source is expected not to be set to Any. To learn more about the properties of the inbound rule, see security rules.
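The inbound-rule check described above can also be run over an exported Network Security Group. The following Python audit is an added example, not part of the original document or of Security Center; the sample NSG, its rule names, and the NGFW address 10.0.1.4 are constructed assumptions, while the field names follow the NSG security rule schema. It goes one step beyond the Any check by also flagging IP sources that lie outside the NGFW.

```python
import ipaddress
# "*" is what the portal displays as Any; "Internet" is the service tag.
ANY_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

def rule_sources(props):
    """Collect sources from both the singular and plural NSG fields."""
    sources = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        sources.append(props["sourceAddressPrefix"])
    return sources

def audit_inbound_rules(nsg, ngfw_prefixes):
    """Return sorted (priority, rule, source, reason) tuples for inbound
    Allow rules that admit traffic which did not come from the NGFW."""
    ngfw = [ipaddress.ip_network(p) for p in ngfw_prefixes]
    findings = []
    for rule in nsg.get("securityRules", []):
        props = rule.get("properties", rule)  # ARM shape or flattened CLI shape
        if (props.get("direction", "").lower(), props.get("access", "").lower()) != ("inbound", "allow"):
            continue
        for src in rule_sources(props):
            if src.lower() in ANY_SOURCES:
                reason = "source is Any"
            else:
                try:
                    net = ipaddress.ip_network(src, strict=False)
                except ValueError:
                    continue  # other service tags are out of scope here
                if any(net.version == n.version and net.subnet_of(n) for n in ngfw):
                    continue  # traffic arrives from the NGFW: expected
                reason = "source is outside the NGFW"
            findings.append((props["priority"], rule["name"], src, reason))
    return sorted(findings)

def _rule(name, priority, direction, access, **source):
    return {"name": name, "properties": dict(priority=priority,
            direction=direction, access=access, **source)}
# Constructed sample NSG; 10.0.1.4 is an assumed NGFW address.
SAMPLE_NSG = {"securityRules": [
    _rule("allow-https-any", 100, "Inbound", "Allow", sourceAddressPrefix="*"),
    _rule("allow-https-ngfw", 110, "Inbound", "Allow", sourceAddressPrefix="10.0.1.4"),
    _rule("allow-ssh-office", 120, "Inbound", "Allow", sourceAddressPrefixes=["203.0.113.0/24"]),
    _rule("deny-all-inbound", 4096, "Inbound", "Deny", sourceAddressPrefix="*"),
    _rule("allow-outbound", 200, "Outbound", "Allow", sourceAddressPrefix="*"),
]}

if __name__ == "__main__":
    print(*audit_inbound_rules(SAMPLE_NSG, ["10.0.1.4/32"]), sep="\n")
```

Service tags other than Internet (for example VirtualNetwork) are skipped rather than judged, so review those rules by hand.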
This document showed you how to implement the Security Center recommendation "Add a Next Generation Firewall." To learn more about NGFWs and the Check Point partner solution, see the following:
To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies.
- Managing security recommendations in Azure Security Center -- Learn how recommendations help you protect your Azure resources.
- Security health monitoring in Azure Security Center -- Learn how to monitor the health of your Azure resources.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Monitoring partner solutions with Azure Security Center -- Learn how to monitor the health status of your partner solutions.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.
- Azure Security blog -- Find blog posts about Azure security and compliance.