Enable intrusion detection (IDPS) by default #555

Merged
merged 4 commits into from
Dec 3, 2021
15 changes: 15 additions & 0 deletions src/bicep/mlz.bicep
Expand Up @@ -77,6 +77,7 @@ module hubNetwork './modules/hubNetwork.bicep' = {
firewallSkuTier: firewallSkuTier
firewallPolicyName: firewallPolicyName
firewallThreatIntelMode: firewallThreatIntelMode
firewallIntrusionDetectionMode: firewallIntrusionDetectionMode
firewallDiagnosticsLogs: firewallDiagnosticsLogs
firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
firewallClientIpConfigurationName: firewallClientIpConfigurationName
Expand Down Expand Up @@ -349,7 +350,21 @@ param firewallName string = 'firewall'
param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
param firewallPolicyName string = 'firewall-policy'

@allowed([
'Alert'
'Deny'
'Off'
])
param firewallThreatIntelMode string = 'Alert'

@allowed([
'Alert'
'Deny'
'Off'
])
param firewallIntrusionDetectionMode string = 'Alert'

param firewallDiagnosticsLogs array = [
{
category: 'AzureFirewallApplicationRule'
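Review bot: The new `firewallIntrusionDetectionMode` parameter has no `@description`, so nothing tells an operator that the default `'Alert'` only logs signature matches and that blocking needs `'Deny'`. I would add, above its `@allowed` list, `@description('IDPS mode for the firewall policy: Alert logs matches without blocking, Deny blocks them, Off disables inspection.')`. The same allowed list is repeated in `modules/hubNetwork.bicep` and `modules/firewall.bicep`, so the three copies have to be kept in step by hand; a short comment here naming the other two would help. The `firewallDiagnosticsLogs` array continues past the end of this hunk, so it is not visible from here whether the log categories that carry IDPS alerts are enabled.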
61 changes: 55 additions & 6 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1008.15138",
"templateHash": "15227849893402646033"
"templateHash": "10286368957514163169"
}
},
"parameters": {
Expand Down Expand Up @@ -132,7 +132,21 @@
},
"firewallThreatIntelMode": {
"type": "string",
"defaultValue": "Alert"
"defaultValue": "Alert",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"firewallIntrusionDetectionMode": {
"type": "string",
"defaultValue": "Alert",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"firewallDiagnosticsLogs": {
"type": "array",
Expand Down Expand Up @@ -1134,6 +1148,9 @@
"firewallThreatIntelMode": {
"value": "[parameters('firewallThreatIntelMode')]"
},
"firewallIntrusionDetectionMode": {
"value": "[parameters('firewallIntrusionDetectionMode')]"
},
"firewallDiagnosticsLogs": {
"value": "[parameters('firewallDiagnosticsLogs')]"
},
Expand Down Expand Up @@ -1202,7 +1219,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1008.15138",
"templateHash": "13599565970900573060"
"templateHash": "5914406162434941149"
}
},
"parameters": {
Expand Down Expand Up @@ -1285,7 +1302,20 @@
"type": "string"
},
"firewallThreatIntelMode": {
"type": "string"
"type": "string",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"firewallIntrusionDetectionMode": {
"type": "string",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"firewallDiagnosticsLogs": {
"type": "array"
Expand Down Expand Up @@ -2101,6 +2131,9 @@
"threatIntelMode": {
"value": "[parameters('firewallThreatIntelMode')]"
},
"intrusionDetectionMode": {
"value": "[parameters('firewallIntrusionDetectionMode')]"
},
"clientIpConfigurationName": {
"value": "[parameters('firewallClientIpConfigurationName')]"
},
Expand Down Expand Up @@ -2139,7 +2172,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1008.15138",
"templateHash": "16515753424142002553"
"templateHash": "6929052309016745644"
}
},
"parameters": {
Expand All @@ -2158,7 +2191,20 @@
"type": "string"
},
"threatIntelMode": {
"type": "string"
"type": "string",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"intrusionDetectionMode": {
"type": "string",
"allowedValues": [
"Alert",
"Deny",
"Off"
]
},
"clientIpConfigurationName": {
"type": "string"
Expand Down Expand Up @@ -2204,6 +2250,9 @@
"tags": "[parameters('tags')]",
"properties": {
"threatIntelMode": "[parameters('threatIntelMode')]",
"intrusionDetection": {
"mode": "[parameters('intrusionDetectionMode')]"
},
"sku": {
"tier": "[parameters('skuTier')]"
}
16 changes: 16 additions & 0 deletions src/bicep/modules/firewall.bicep
Expand Up @@ -3,8 +3,21 @@ param location string = resourceGroup().location
param tags object = {}

param skuTier string

@allowed([
'Alert'
'Deny'
'Off'
])
param threatIntelMode string

@allowed([
'Alert'
'Deny'
'Off'
])
param intrusionDetectionMode string

param clientIpConfigurationName string
param clientIpConfigurationSubnetResourceId string
param clientIpConfigurationPublicIPAddressResourceId string
Expand All @@ -27,6 +40,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
tags: tags
properties: {
threatIntelMode: threatIntelMode
intrusionDetection:{
mode: intrusionDetectionMode
}
sku: {
tier: skuTier
}
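Review bot: `intrusionDetection` is set on the policy unconditionally, while `sku.tier` right below it comes from the free-form `skuTier` parameter. IDPS is, as far as I know, a Premium-tier firewall policy feature, so a deployment with a non-Premium `skuTier` and the new default mode may be rejected or end up without inspection; that should be confirmed against a Standard deployment. I would gate the property, e.g. `intrusionDetection: skuTier == 'Premium' ? intrusionDetectionObject : null` with `intrusionDetectionObject` a `var` holding the `mode` object, and add an `@allowed` list to `skuTier` in the first hunk. The `firewallPolicy` resource body starts and ends outside this hunk.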
15 changes: 14 additions & 1 deletion src/bicep/modules/hubNetwork.bicep
Expand Up @@ -29,7 +29,20 @@ param routeTableRouteNextHopType string = 'VirtualAppliance'
param firewallName string
param firewallSkuTier string
param firewallPolicyName string

@allowed([
'Alert'
'Deny'
'Off'
])
param firewallThreatIntelMode string

@allowed([
'Alert'
'Deny'
'Off'
])
param firewallIntrusionDetectionMode string
param firewallDiagnosticsLogs array
param firewallDiagnosticsMetrics array
param firewallClientIpConfigurationName string
Expand Down Expand Up @@ -201,7 +214,7 @@ module firewall './firewall.bicep' = {

firewallPolicyName: firewallPolicyName
threatIntelMode: firewallThreatIntelMode

intrusionDetectionMode: firewallIntrusionDetectionMode
clientIpConfigurationName: firewallClientIpConfigurationName
clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}'
clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id