Table: azure_firewall_policy - Query Azure Firewall Policies using SQL
Azure Firewall Policy is a resource in Microsoft Azure that allows you to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It provides centralized network and application rule collections that can be referenced by multiple Azure Firewalls. Azure Firewall Policy simplifies management and reduces errors with its ability to manage all Azure Firewalls through Azure Policy and Azure Management Groups.
Table Usage Guide
The azure_firewall_policy table provides insights into Firewall Policies within Microsoft Azure. As a Network Administrator, explore policy-specific details through this table, including rules, settings, and associated metadata. Utilize it to uncover information about policies, such as those governing network traffic flow at the application and network level, providing a centralized way to manage and enforce network connectivity policies.
Examples
Basic info
Explore the characteristics of your Azure firewall policies such as their provisioning state, tier, base and child policies, and the region they're set up in. This helps in understanding the configuration and status of your firewall policies, assisting in security management and planning.
select name, id, type, provisioning_state, sku_tier, base_policy, child_policies, regionfrom azure_firewall_policy;select name, id, type, provisioning_state, sku_tier, base_policy, child_policies, regionfrom azure_firewall_policy;List policies that are in failed state
Identify instances where certain policies have not been provisioned successfully. This is useful for troubleshooting and rectifying issues to ensure all policies are active and functional.
select name, id, dns_settings, firewallsfrom azure_firewall_policywhere provisioning_state = 'Failed';select name, id, dns_settings, firewallsfrom azure_firewall_policywhere provisioning_state = 'Failed';Get firewall details of each policy
This query is used to explore the firewall details associated with each policy in Azure. It provides valuable insights into the private and public IP addresses associated with each firewall, aiding in network security management and policy review.
select p.name as firewall_policy_name, p.id as firewall_policy_id, f.id as firewall_id, f.hub_private_ip_address, f.hub_public_ip_address_countfrom azure_firewall_policy as p, jsonb_array_elements(p.firewalls) as firewall, azure_firewall as fwhere f.id = firewall ->> 'ID';select p.name as firewall_policy_name, p.id as firewall_policy_id, f.id as firewall_id, f.hub_private_ip_address, f.hub_public_ip_address_countfrom azure_firewall_policy as p, json_each(p.firewalls) as firewall, azure_firewall as fwhere f.id = json_extract(firewall.value, '$.ID');Get DNS setting details of each policy
This query helps to analyze the DNS settings for each policy in your Azure firewall. It's useful in understanding the server configurations, whether a proxy is enabled, and if a proxy is required for network rules, thus aiding in security and network management.
select name, id, dns_settings ->> 'Servers' as servers, dns_settings ->> 'EnableProxy' as enable_proxy, dns_settings ->> 'RequireProxyForNetworkRules' as require_proxy_for_network_rulesfrom azure_firewall_policy;select name, id, json_extract(dns_settings, '$.Servers') as servers, json_extract(dns_settings, '$.EnableProxy') as enable_proxy, json_extract(dns_settings, '$.RequireProxyForNetworkRules') as require_proxy_for_network_rulesfrom azure_firewall_policy;List threat intel whitelist IP addresses of firewall policies
Determine the areas in which firewall policies have whitelisted IP addresses, which is beneficial for understanding potential security vulnerabilities and ensuring your network is protected from known threats.
select name, id, i as whitelist_ip_addressfrom azure_firewall_policy, jsonb_array_elements_text(threat_intel_whitelist_ip_addresses) as i;select name, p.id, i.value as whitelist_ip_addressfrom azure_firewall_policy as p, json_each(threat_intel_whitelist_ip_addresses) as i;List threat intel whitelist FQDNs of firewall policies
Explore which firewall policies have specific domains whitelisted, providing a way to identify potential security vulnerabilities or unnecessary exceptions in your Azure firewall configuration.
select name, id, f as whitelist_fqdnfrom azure_firewall_policy, jsonb_array_elements_text(threat_intel_whitelist_fqdns) as f;select name, p.id, f.value as whitelist_fqdnfrom azure_firewall_policy as p, json_each(threat_intel_whitelist_fqdns) as f;Schema for azure_firewall_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| base_policy | jsonb | The parent firewall policy from which rules are inherited. | |
| child_policies | jsonb | List of references to Child Firewall Policies. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| dns_settings | jsonb | DNS Proxy Settings definition. | |
| etag | text | A unique read-only string that changes whenever the resource is updated. | |
| firewalls | jsonb | List of references to Azure Firewalls that this Firewall Policy is associated with. | |
| id | text | Contains ID to identify a firewall policy uniquely. | |
| identity | jsonb | The identity of the firewall policy. | |
| intrusion_detection_configuration | jsonb | Intrusion detection configuration properties. | |
| intrusion_detection_mode | text | Intrusion detection general state. Possible values include: 'FirewallPolicyIntrusionDetectionStateTypeOff', 'FirewallPolicyIntrusionDetectionStateTypeAlert', 'FirewallPolicyIntrusionDetectionStateTypeDeny'. | |
| name | text | = | The friendly name that identifies the firewall policy. |
| provisioning_state | text | The provisioning state of the firewall policy resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'. | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| rule_collection_groups | jsonb | List of references to FirewallPolicyRuleCollectionGroups. | |
| sku_tier | text | Tier of Firewall Policy. Possible values include: 'FirewallPolicySkuTierStandard', 'FirewallPolicySkuTierPremium'. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| tags | jsonb | A map of tags for the resource. | |
| threat_intel_mode | text | The operation mode for Threat Intelligence. Possible values include: 'AzureFirewallThreatIntelModeAlert', 'AzureFirewallThreatIntelModeDeny', 'AzureFirewallThreatIntelModeOff'. | |
| threat_intel_whitelist_fqdns | jsonb | List of FQDNs for the ThreatIntel Whitelist. | |
| threat_intel_whitelist_ip_addresses | jsonb | List of IP addresses for the ThreatIntel Whitelist. | |
| title | text | Title of the resource. | |
| transport_security_certificate_authority | jsonb | The CA used for intermediate CA generation. | |
| type | text | The resource type of the firewall policy. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_firewall_policy