Microsoft Azure

Azure Resource Manager

Dashboard Widgets

General (General overview of the system)

Audit (The number of rules with expired access or will have access expire within the next month)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

Changes (see Change Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Topology

Azure Virtual WAN

Dynamic Topology

Calculate impact of NSGs

Connectivity between VNets

ExpressRoute

VNet peering

Connectivity via VPN

Internal load balancer

Supported Devices

The following devices are supported on Microsoft Azure:

Fortinet
FortiManager
FortiGate
Check Point
Management Devices (MDS) CloudGuard Network Security - Firewall & Threat Prevention
Checkpoint Gateway with dynamic routes
Palo Alto
Panorama

Notes for Azure Resource Manager

  • Azure Resource Manager is the supported device type.

  • PCI DSS compliance is not currently supported.

  • Azure Classic (Azure Service Management API): Support for this device has reached its "end of life" (EOL).

  • Regarding Application Security Groups (ASGs), to see the members of an ASG in the Rule Viewer, the Virtual Machines (VMs) that are associated with the ASGs must be connected to the same Virtual Network (VNET) as the Network Security Group (NSG) that contains the ASG.

  • VirtualWan: You can import secured virtual hubs to Tufin when the Routing Intent and Routing Policies setting points to the Azure firewall in the configuration.

  • Importing Virtual Networks requires that the vnet has at least one VNIC.

  • Rule and object usage collection and analysis: First, configure Azure to allow TOS Aurora to pull traffic information. After configuration, the Last Hit field is populated in the Rule Viewer. From Rule Viewer, search timeLastHit to identify unused rules, For NSGs, you can also search object.timeLastHitand object.notHit to identify unused objects within rules. For details, see TQL queries in the Rule Viewer.

    Schedule and run reports on unused rules (and objects, for NSGs) using the Rule Analytics report in SecureTrack Reporting Essentials. The data is not supported in the Rule and Objects Usage report.

Azure Firewall and Firewall Policy

Dashboard Widgets

General (General overview of the system)

USP Compliance (The number of rules with violations, according to their severity level)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Topology

Path Analysis

Calculate impact of Azure Firewall policies

Browsers

Rule Viewer (see Rule Viewer)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Notes for Azure Firewall and Firewall Policy

  • In some cases, this device creates new rules for requested changes rather than updating the existing rules. In these cases, rule history might not be available.
  • Classic rules - rules that have been configured on the firewall directly and not included in Azure firewall policies - are not supported.
  • When a new Azure Firewall is added to TOS, zones are mapped after the policy is received for the first time and therefore violations can be calculated only after receiving a subsequent revision. See Monitoring Microsoft Azure Cloud Platform.

  • Azure Firewalls: Azure firewall in a secured virtual hub is supported when Routing Intent and Routing Policies is set on the hub.

  • Rule usage collection and analysis: First, configure Azure to allow TOS Aurora to pull traffic information. After configuration, the Last Hit field is populated in the Rule Viewer. From Rule Viewer, search timeLastHit to identify unused rules. For details, see TQL queries in the Rule Viewer.

    Schedule and run reports on unused rules using the Rule Analytics report in SecureTrack Reporting Essentials. The data is not supported in the Rule and Objects Usage report.