On This Page
Microsoft Azure
Azure Resource Manager
- Dashboard Widgets
-
General (General overview of the system)
-
Audit (The number of rules with expired access or will have access expire within the next month)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
Changes (see Change Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
- Topology
-
Azure Virtual WAN
-
Dynamic Topology
-
Calculate impact of NSGs
-
Connectivity between VNets
-
ExpressRoute
-
VNet peering
-
Connectivity via VPN
-
Internal load balancer
Supported Devices
The following devices are supported on Microsoft Azure:
- Fortinet
- FortiManager
- FortiGate
- Check Point
- Management Devices (MDS) CloudGuard Network Security - Firewall & Threat Prevention
- Checkpoint Gateway with dynamic routes
- Palo Alto
- Panorama
Notes for Azure Resource Manager
-
Azure Resource Manager is the supported device type.
-
PCI DSS compliance is not currently supported.
-
Azure Classic (Azure Service Management API): Support for this device has reached its "end of life" (EOL).
-
Regarding Application Security Groups (ASGs), to see the members of an ASG in the Rule Viewer, the Virtual Machines (VMs) that are associated with the ASGs must be connected to the same Virtual Network (VNET) as the Network Security Group (NSG) that contains the ASG.
-
The Rule and Objects Usage report does not include data for Azure Firewalls or Azure NSGs. However, after configuring Azure to allow TOS Aurora to pull traffic information, you can use TQL queries in the Rule Viewer (
timeLastHit
) to see the Last Hit date. -
You can schedule and run reports to identify Azure Firewalls and NSGs unused rules using the Rule Analytics report / Security Best Practices reports in SecureTrack Reporting Essentials.
-
Importing Virtual Networks requires that the vnet has at least one VNIC.
Azure Firewall and Firewall Policy
- Dashboard Widgets
-
General (General overview of the system)
-
USP Compliance (The number of rules with violations, according to their severity level)
- Change Management
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
- Topology
-
Path Analysis
-
Calculate impact of Azure Firewall policies
- Browsers
-
Rule Viewer (see Rule Viewer)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
Notes for Azure
- In some cases, this device creates new rules for requested changes rather than updating the existing rules. In these cases, rule history might not be available.
- Classic rules - rules that have been configured on the firewall directly and not included in Azure firewall policies - are not supported.
-
When a new Azure Firewall is added to TOS, zones are mapped after the policy is received for the first time and therefore violations can be calculated only after receiving a subsequent revision. See Monitoring Microsoft Azure Cloud Platform.