Dtzemahweyl/Add new parameter -PrivateRange to New-AzFirewallPolicyIn…
…trusionDetection (#17771)

* add privateRanges

* Add tests and help file

* change help file

* change parameter of cmd

* keep the skip

* add markdown

* add recorded test

* update ChangeLog.md

Co-authored-by: Dikla Tzemah Weyl <[email protected]>
diklatze and Dikla Tzemah Weyl authored May 12, 2022
1 parent 2c6bbff commit 5a42518
Showing 7 changed files with 464 additions and 323 deletions.
Expand Up @@ -1436,7 +1436,7 @@ function Test-AzureFirewallPolicyPremiumFeatures {
# Intrusion Detection Settings
$bypass = New-AzFirewallPolicyIntrusionDetectionBypassTraffic -Name $bypassTestName -Protocol "TCP" -DestinationPort "80" -SourceAddress "10.0.0.0" -DestinationAddress "10.0.0.0"
$sigOverride = New-AzFirewallPolicyIntrusionDetectionSignatureOverride -Id "123456798" -Mode "Deny"
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Alert" -SignatureOverride $sigOverride -BypassTraffic $bypass
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Alert" -SignatureOverride $sigOverride -BypassTraffic $bypass -PrivateRange @("10.0.0.0/8", "172.16.0.0/12")

# Create AzureFirewallPolicy (with Intrusion Detection, TransportSecurity and Identity parameters)
$azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $location -SkuTier $tier -IntrusionDetection $intrusionDetection -UserAssignedIdentityId $identity.Id
Expand All @@ -1455,8 +1455,11 @@ function Test-AzureFirewallPolicyPremiumFeatures {
Assert-AreEqual "Alert" $getAzureFirewallPolicy.IntrusionDetection.Mode
Assert-NotNull $getAzureFirewallPolicy.IntrusionDetection.Configuration.SignatureOverrides
Assert-NotNull $getAzureFirewallPolicy.IntrusionDetection.Configuration.BypassTrafficSettings
Write-Host $getAzureFirewallPolicy.IntrusionDetection.Configuration
Assert-NotNull $getAzureFirewallPolicy.IntrusionDetection.Configuration.PrivateRanges
Assert-AreEqual "123456798" $getAzureFirewallPolicy.IntrusionDetection.Configuration.SignatureOverrides[0].Id
Assert-AreEqual "Deny" $getAzureFirewallPolicy.IntrusionDetection.Configuration.SignatureOverrides[0].Mode
Assert-AreEqual "10.0.0.0/8" $getAzureFirewallPolicy.IntrusionDetection.Configuration.PrivateRanges[0]
Assert-AreEqual $bypassTestName $getAzureFirewallPolicy.IntrusionDetection.Configuration.BypassTrafficSettings[0].Name
Assert-AreEqual "TCP" $getAzureFirewallPolicy.IntrusionDetection.Configuration.BypassTrafficSettings[0].Protocol
Assert-AreEqual "80" $getAzureFirewallPolicy.IntrusionDetection.Configuration.BypassTrafficSettings[0].DestinationPorts[0]
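Review bot: `Write-Host $getAzureFirewallPolicy.IntrusionDetection.Configuration` among the assertions in the second hunk reads like leftover debugging output and should be removed before merge; it asserts nothing and only adds noise to the test log. The test also passes two ranges to `-PrivateRange` but checks only `PrivateRanges[0]`, so a dropped or truncated list would still pass. Add `Assert-AreEqual 2 $getAzureFirewallPolicy.IntrusionDetection.Configuration.PrivateRanges.Count` and `Assert-AreEqual "172.16.0.0/12" $getAzureFirewallPolicy.IntrusionDetection.Configuration.PrivateRanges[1]`. Test-AzureFirewallPolicyPremiumFeatures starts and ends outside both hunks.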

Large diffs are not rendered by default.

Expand Up @@ -55,6 +55,12 @@ public class NewAzureFirewallPolicyIntrusionDetectionCommand : NetworkBaseCmdlet
)]
public PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting[] BypassTraffic { get; set; }

[Parameter(
Mandatory = false,
HelpMessage = "List of IDPS Private IP ranges."
)]
public string[] PrivateRange { get; set; }

public override void Execute()
{
base.Execute();
Expand All @@ -64,12 +70,13 @@ public override void Execute()
Mode = this.Mode
};

if (this.SignatureOverride?.Count() > 0 || this.BypassTraffic?.Count() > 0)
if (this.SignatureOverride?.Count() > 0 || this.BypassTraffic?.Count() > 0 || this.PrivateRange?.Count() > 0)
{
intrusionDetection.Configuration = new PSAzureFirewallPolicyIntrusionDetectionConfiguration
{
SignatureOverrides = this.SignatureOverride?.ToList(),
BypassTrafficSettings = this.BypassTraffic?.ToList()
BypassTrafficSettings = this.BypassTraffic?.ToList(),
PrivateRanges = this.PrivateRange?.ToList()
};
}
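Review bot: `PrivateRange` is copied into `Configuration.PrivateRanges` in `Execute()` without any check on its entries, so an empty string or a mistyped prefix still produces a valid-looking object and is caught, if at all, only when the policy is sent to the service. Going by the help text these ranges tell IDPS which addresses count as private, so a silent typo presumably changes which traffic intrusion detection treats as internal. I would add `[ValidateNotNullOrEmpty]` above `public string[] PrivateRange { get; set; }` and name the expected format in the help text, in the CIDR form the test and help example use: `HelpMessage = "List of IDPS private IP ranges in CIDR notation, for example 10.0.0.0/8."`. Whether the service rejects malformed entries is not visible here, and `Execute()` continues past the end of the hunk.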

2 changes: 2 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -44,6 +44,8 @@

## Version 4.16.1
* Fixed `ArgumentNullException` in `Add-AzureRmRouteConfig` when `RouteTable.Routes` is null.
* Updated `New-AzFirewallPolicyIntrusionDetection` cmdlet:
- Added parameter -PrivateRange

## Version 4.16.0
* Added support for retrieving the state of packet capture even when the provisioning state of the packet capture was failure
Expand Up @@ -13,6 +13,7 @@
// limitations under the License.
//

using System;
using System.Collections.Generic;

namespace Microsoft.Azure.Commands.Network.Models
Expand All @@ -22,5 +23,8 @@ public class PSAzureFirewallPolicyIntrusionDetectionConfiguration
public List<PSAzureFirewallPolicyIntrusionDetectionSignatureOverride> SignatureOverrides { get; set; }

public List<PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting> BypassTrafficSettings { get; set; }

public List<string> PrivateRanges { get; set; }

}
}
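Review bot: The added `using System;` is not needed by anything visible in this file: the new `List<string> PrivateRanges` property only requires `System.Collections.Generic`, which was already imported. Drop the directive unless code outside the shown hunks uses it, and remove the blank line left between the new property and the closing brace of the class.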
2 changes: 1 addition & 1 deletion src/Network/Network/Network.csproj
@@ -1,4 +1,4 @@
<Project Sdk="Microsoft.NET.Sdk">
<Project Sdk="Microsoft.NET.Sdk" ToolsVersion="Current">

<PropertyGroup>
<PsModuleName>Network</PsModuleName>
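Review bot: The `ToolsVersion="Current"` attribute on the `<Project>` element has nothing to do with the -PrivateRange parameter and looks like an edit an IDE wrote on save (assuming the line carrying it is the new side; the rendered page lost the +/- markers). SDK-style projects do not need the attribute, so I would keep `<Project Sdk="Microsoft.NET.Sdk">` as it was and leave this file out of the commit.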
37 changes: 30 additions & 7 deletions src/Network/Network/help/New-AzFirewallPolicyIntrusionDetection.md
Expand Up @@ -15,7 +15,7 @@ Creates a new Azure Firewall Policy Intrusion Detection to associate with Firewa
```
New-AzFirewallPolicyIntrusionDetection -Mode <String>
[-SignatureOverride <PSAzureFirewallPolicyIntrusionDetectionSignatureOverride[]>]
[-BypassTraffic <PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting[]>]
[-BypassTraffic <PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting[]>] [-PrivateRange <String[]>]
[-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
```

Expand Down Expand Up @@ -48,13 +48,21 @@ New-AzFirewallPolicy -Name fp1 -Location "westus2" -ResourceGroupName TestRg -Sk

This example creates intrusion detection with bypass traffic setting

### Example 4: Create firewall policy with intrusion detection configured with private ranges setting
```powershell
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Deny" -PrivateRange @("167.220.204.0/24", "167.221.205.101/32")
New-AzFirewallPolicy -Name fp1 -Location "westus2" -ResourceGroup TestRg -SkuTier "Premium" -IntrusionDetection $intrusionDetection
```

This example creates intrusion detection with bypass traffic setting

## PARAMETERS

### -BypassTraffic
List of rules for traffic to bypass.

```yaml
Type: PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting[]
Type: Microsoft.Azure.Commands.Network.Models.PSAzureFirewallPolicyIntrusionDetectionBypassTrafficSetting[]
Parameter Sets: (All)
Aliases:

Expand All @@ -69,7 +77,7 @@ Accept wildcard characters: False
The credentials, account, tenant, and subscription used for communication with Azure.
```yaml
Type: IAzureContextContainer
Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Parameter Sets: (All)
Aliases: AzContext, AzureRmContext, AzureCredential

Expand All @@ -84,7 +92,7 @@ Accept wildcard characters: False
Intrusion Detection general state.
```yaml
Type: String
Type: System.String
Parameter Sets: (All)
Aliases:
Accepted values: Off, Alert, Deny
Expand All @@ -96,11 +104,26 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -PrivateRange
List of IDPS Private IP ranges.
```yaml
Type: System.String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SignatureOverride
List of specific signatures states.
```yaml
Type: PSAzureFirewallPolicyIntrusionDetectionSignatureOverride[]
Type: Microsoft.Azure.Commands.Network.Models.PSAzureFirewallPolicyIntrusionDetectionSignatureOverride[]
Parameter Sets: (All)
Aliases:

Expand All @@ -115,7 +138,7 @@ Accept wildcard characters: False
Prompts you for confirmation before running the cmdlet.
```yaml
Type: SwitchParameter
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: cf

Expand All @@ -131,7 +154,7 @@ Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
Type: SwitchParameter
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: wi
