Microsoft Azure

Azure Resource Manager

Dashboard Widgets

General (General overview of the system)

Audit (The number of rules whose access has expired or will expire within the next month)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

Changes (see Change Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Topology

Azure Virtual WAN

Dynamic Topology

Calculate impact of NSGs

Connectivity between VNets

ExpressRoute

VNet peering

Connectivity via VPN

Internal load balancer

Supported Devices

The following devices are supported on Microsoft Azure:

Fortinet

  • FortiManager

  • FortiGate

Check Point

  • Management Devices (MDS)

  • CloudGuard Network Security - Firewall & Threat Prevention

  • Check Point Gateway with dynamic routes

Palo Alto

  • Panorama

Notes for Azure Resource Manager

  • Azure Resource Manager is the supported device type.

  • PCI DSS compliance is not currently supported.

  • Azure Classic (Azure Service Management API): Support for this device has reached its "end of life" (EOL).

  • Application Security Groups (ASGs): to see the members of an ASG in the Rule Viewer, the Virtual Machines (VMs) associated with the ASG must be connected to the same Virtual Network (VNet) as the Network Security Group (NSG) whose rules reference the ASG.

  • The Rule and Objects Usage report does not include data for Azure Firewalls or Azure NSGs. However, after configuring Azure to allow TOS Aurora to pull traffic information, you can use TQL queries in the Rule Viewer (timeLastHit) to see the Last Hit date.

  • You can schedule and run reports to identify unused rules in Azure Firewalls and NSGs using the Rule Analytics report and the Security Best Practices reports in SecureTrack Reporting Essentials.

  • Importing a Virtual Network requires that the VNet has at least one VNIC; a VNet with no network interfaces attached is not imported.
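The two conditions above (ASG members visible only when their VMs share the VNet of the referencing NSG, and VNets importable only when at least one VNIC is attached) can be checked ahead of time against an inventory export. The script below is an added example, not Tufin or Microsoft code; the inventory it runs on is constructed in the script, and the record layout (NIC name, VNet, ASG membership; NSG name, VNet, ASGs referenced in rules) is an assumption standing in for whatever export a practitioner actually has.

```python
"""Pre-import checks for an Azure inventory (added example, constructed data).

1. find_cross_vnet_asg_refs: for every ASG referenced in an NSG's rules, list
   the member NICs that sit in a different VNet than the NSG. Those members
   will not be resolved in the Rule Viewer.
2. vnets_without_nics: VNets with no attached VNIC, which will not be imported.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nic:
    name: str
    vnet: str            # VNet of the subnet the NIC is attached to
    asgs: tuple          # ASGs this NIC is a member of


@dataclass(frozen=True)
class Nsg:
    name: str
    vnet: str            # VNet the NSG is associated with (subnet or NIC level)
    referenced_asgs: tuple  # ASGs used as source/destination in its rules


# Constructed inventory (hypothetical names); a real run would load an export.
NICS = (
    Nic("web-01", "vnet-prod", ("asg-web",)),
    Nic("web-02", "vnet-prod", ("asg-web",)),
    Nic("app-01", "vnet-prod", ("asg-app",)),
    Nic("db-01", "vnet-data", ("asg-db",)),
)
NSGS = (
    Nsg("nsg-prod", "vnet-prod", ("asg-web", "asg-db")),  # asg-db lives elsewhere
    Nsg("nsg-data", "vnet-data", ("asg-db",)),
)
VNETS = ("vnet-prod", "vnet-data", "vnet-empty")


def asg_members(nics, asg):
    """All NICs that belong to the given ASG."""
    return [n for n in nics if asg in n.asgs]


def find_cross_vnet_asg_refs(nsgs, nics):
    """Return (nsg_name, asg, [member NICs outside the NSG's VNet]) for each
    ASG whose members are not all in the VNet of the NSG referencing it."""
    findings = []
    for nsg in nsgs:
        for asg in nsg.referenced_asgs:
            outside = [n.name for n in asg_members(nics, asg) if n.vnet != nsg.vnet]
            if outside:
                findings.append((nsg.name, asg, outside))
    return findings


def vnets_without_nics(vnets, nics):
    """VNets that have no VNIC attached and therefore cannot be imported."""
    used = {n.vnet for n in nics}
    return [v for v in vnets if v not in used]


if __name__ == "__main__":
    for nsg_name, asg, nics_outside in find_cross_vnet_asg_refs(NSGS, NICS):
        print(f"{nsg_name}: members of {asg} outside its VNet: {nics_outside}")
    for vnet in vnets_without_nics(VNETS, NICS):
        print(f"{vnet}: no VNIC attached, will not be imported")
```

With the constructed data the first check reports only nsg-prod referencing asg-db, whose single member db-01 is in vnet-data; asg-web and asg-app are fine, and the second check reports vnet-empty.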

Azure Firewall and Firewall Policy

Dashboard Widgets

General (General overview of the system)

USP Compliance (The number of rules with violations, according to their severity level)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Topology

Path Analysis

Calculate impact of Azure Firewall policies

Browsers

Rule Viewer (see Rule Viewer)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Notes for Azure

  • In some cases, this device creates new rules for requested changes rather than updating the existing rules. In these cases, rule history might not be available.

  • Classic rules (rules configured on the firewall directly and not included in Azure Firewall policies) are not supported.

  • When a new Azure Firewall is added to TOS, zones are mapped after the policy is received for the first time; therefore violations can be calculated only after a subsequent revision is received. See Monitoring Microsoft Azure Cloud Platform.