Add the new switch parameter AllowActiveFTP to Firewall Command (#12430)

Author: tejasshah7

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -104,5 +104,13 @@ public void TestAzureFirewallVirtualHubMultiPublicIPCRUD()
         {
             TestRunner.RunTestScript("Test-AzureFirewallVirtualHubMultiPublicIPCRUD");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDWithAllowActiveFTP()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDAllowActiveFTP");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -1515,4 +1515,49 @@ function Test-AzureFirewallVirtualHubMultiPublicIPCRUD {
         # Cleanup
         Clean-ResourceGroup $rgname
     }
+}
+
+<#
+.SYNOPSIS
+Tests AzureFirewall AllowActiveFTP
+#>
+function Test-AzureFirewallCRUDAllowActiveFTP {
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+
+        # Create public ip
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -AllowActiveFTP
+
+        # Verify
+        $azFirewall = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqual true $azFirewall.AllowActiveFTP
+
+        # Reset the AllowActiveFTP flag
+        $azFirewall.AllowActiveFTP = $false
+        Set-AzFirewall -AzureFirewall $azFirewall
+        $azfw = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        
+        Assert-AreEqual false $azfw.AllowActiveFTP
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
 }

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallCRUDWithAllowActiveFTP.json

@@ -220,6 +220,12 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
                 HelpMessage = "The firewall policy attached to the firewall")]
         public string FirewallPolicyId { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Allow Active FTP. By default it is false."
+        )]
+        public SwitchParameter AllowActiveFTP { get; set; }
+
         public override void Execute()
         {
             // Old params provided - Get the virtual network, get the public IP address
@@ -310,6 +316,7 @@ private PSAzureFirewall CreateAzureFirewall()
                     DNSEnableProxy = (this.EnableDnsProxy.IsPresent? "true" : null),
                     DNSRequireProxyForNetworkRules = (this.DnsProxyNotRequiredForNetworkRule.IsPresent ? "false" : null),
                     DNSServer = this.DnsServer,
+                    AllowActiveFTP = (this.AllowActiveFTP.IsPresent ? "true" : null),
                     Sku = sku
                 };
 

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -36,6 +36,7 @@
     - `New-AzVirtualApplianceSkuProperty`
 * Onboard Application Gateway to Private Link Common Cmdlets
 * Onboard StorageSync to Private Link Common Cmdlets
+* Add `AllowActiveFTP` parameter to `AzureFirewall`
 
 ## Version 3.1.0
 * Added support for AddressPrefixType parameter to `Remove-AzExpressRouteCircuitConnectionConfig`

src/Network/Network/ChangeLog.md

@@ -1232,6 +1232,7 @@ private static void Initialize()
                         { "ThreatIntel.Whitelist.FQDNs", src.ThreatIntelWhitelist?.FQDNs?.Aggregate((result, item) => result + "," + item) },
                         { "ThreatIntel.Whitelist.IpAddresses", src.ThreatIntelWhitelist?.IpAddresses?.Aggregate((result, item) => result + "," + item) },
                         { "Network.SNAT.PrivateRanges", src.PrivateRange?.Aggregate((result, item) => result + "," + item) },
+                        { "Network.FTP.AllowActiveFTP", src.AllowActiveFTP },
                         { "Network.DNS.EnableProxy", src.DNSEnableProxy },
                         { "Network.DNS.RequireProxyForNetworkRules", src.DNSRequireProxyForNetworkRules },
                         { "Network.DNS.Servers", src.DNSServer?.Aggregate((result, item) => result + "," + item) }
@@ -1279,6 +1280,7 @@ private static void Initialize()
                     {
                         dest.PrivateRange = null;
                     }
+                    dest.AllowActiveFTP = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.FTP.AllowActiveFTP", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.DNSEnableProxy = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.DNS.EnableProxy", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.DNSRequireProxyForNetworkRules = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.DNS.RequireProxyForNetworkRules", StringComparison.OrdinalIgnoreCase)).Value;
                     try

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -78,6 +78,8 @@ public string[] PrivateRange {
 
         public List<string> Zones { get; set; }
 
+        public string AllowActiveFTP { get; set; }
+
         [JsonIgnore]
         public string IpConfigurationsText
         {

src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs

@@ -20,7 +20,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String>
  [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
  [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>] [-ThreatIntelMode <String>]
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
- [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob]
+ [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-AllowActiveFTP] [-Tag <Hashtable>] [-Force] [-AsJob]
  [-Zone <String[]>] [-Sku <String>] [-VirtualHubId <String>] [-HubIPAddresses <PSAzureFirewallHubIpAddresses>]
  [-FirewallPolicyId <String>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -33,7 +33,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
  [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>] [-ThreatIntelMode <String>]
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
- [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob]
+ [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-AllowActiveFTP] [-Tag <Hashtable>] [-Force] [-AsJob]
  [-Zone <String[]>] [-Sku <String>] [-VirtualHubId <String>] [-HubIPAddresses <PSAzureFirewallHubIpAddresses>]
  [-FirewallPolicyId <String>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -47,7 +47,7 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-NatRuleCollection <PSAzureFirewallNatRuleCollection[]>]
  [-NetworkRuleCollection <PSAzureFirewallNetworkRuleCollection[]>] [-ThreatIntelMode <String>]
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
- [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob]
+ [-DnsProxyNotRequiredForNetworkRule] [-DnsServer <String[]>] [-AllowActiveFTP] [-Tag <Hashtable>] [-Force] [-AsJob]
  [-Zone <String[]>] [-Sku <String>] [-VirtualHubId <String>] [-HubIPAddresses <PSAzureFirewallHubIpAddresses>]
  [-FirewallPolicyId <String>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -229,7 +229,7 @@ This example creates a Firewall attached to virtual network "vnet" in the same r
 DNS Proxy is enabled for this firewall and 2 DNS Servers are provided. Also Require DNS Proxy for Network rules is set
 so if there are any Network rules with FQDNs then DNS proxy will be used for them too.
 
-### 14:  Create a Firewall with multiple IPs. The Firewall can be associated with the Virtual Hub
+### 15:  Create a Firewall with multiple IPs. The Firewall can be associated with the Virtual Hub
 ```
 $rgName = "resourceGroupName"
 $vHub = Get-AzVirtualHub -Name "hub"
@@ -242,6 +242,16 @@ $fw=New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location westus -Sku
 This example creates a Firewall attached to virtual hub "hub" in the same resource group as the firewall.
 The Firewall will be assigned 2 public IPs that are created implicitly.
 
+### 16:  Create a Firewall with Allow Active FTP.
+```
+$rgName = "resourceGroupName"
+$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "vnet"
+$pip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name "publicIpName"
+New-AzFirewall -Name "azFw" -ResourceGroupName $rgName -Location centralus -VirtualNetwork $vnet -PublicIpAddress $pip -AllowActiveFTP
+```
+
+This example creates a Firewall with allow active FTP flag.
+
 ## PARAMETERS
 
 ### -ApplicationRuleCollection
@@ -323,6 +333,22 @@ Accept wildcard characters: False
 Enable DNS Proxy. By default it is disabled.
 
 
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllowActiveFTP
+Allows Active FTP on the Firewall. By default it is disabled.
+
+
 ```yaml
 Type: SwitchParameter
 Parameter Sets: (All)

src/Network/Network/help/New-AzFirewall.md

@@ -145,6 +145,16 @@ Set-AzFirewall -AzureFirewall $azFw
 
 This example updates the destination of an existing rule within a rule collection of an Azure Firewall. This allows you to automatically update your rules when IP addresses change dynamically.
 
+### 11:	Allow Active FTP on Azure Firewall
+```
+$azFw = Get-AzFirewall -Name "AzureFirewall" -ResourceGroupName "rg"
+$azFw.AllowActiveFTP = $true
+
+$azFw | Set-AzFirewall
+```
+
+In this example, Active FTP is allowed on the Firewall.
+
 ## PARAMETERS
 
 ### -AsJob