
Add Web Categories as a new target in Firewall Policy Application Rule #13695


Merged
merged 2 commits into from
Dec 9, 2020
@@ -73,5 +73,13 @@ public void TestAzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
public void TestAzureFirewallPolicyWithWebCategories()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyWithWebCategories");
}
}
}
115 changes: 115 additions & 0 deletions src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1
@@ -859,6 +859,121 @@ function Test-AzureFirewallPolicyCRUDWithNatRuleTranslatedFQDN {
Assert-AreEqual $natRule1TranslatedFqdn $natRule.TranslatedFqdn
Assert-AreEqual $natRule1TranslatedPort $natRule.TranslatedPort

$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
$testPipelineRg|Set-AzFirewallPolicyRuleCollectionGroup -Priority $pipelineRcPriority
$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
Assert-AreEqual $pipelineRcPriority $testPipelineRg.properties.Priority

$azureFirewallPolicyAsJob = New-AzFirewallPolicy -Name $azureFirewallPolicyAsJobName -ResourceGroupName $rgname -Location $location -AsJob
$result = $azureFirewallPolicyAsJob | Wait-Job
Assert-AreEqual "Completed" $result.State
}
finally {
# Cleanup
Clean-ResourceGroup $rgname
}
}

<#
.SYNOPSIS
Tests AzureFirewallPolicyWithWebCategories.
#>
function Test-AzureFirewallPolicyWithWebCategories {
# Setup
$rgname = Get-ResourceGroupName
$azureFirewallPolicyName = Get-ResourceName
$azureFirewallPolicyAsJobName = Get-ResourceName
$resourceTypeParent = "Microsoft.Network/FirewallPolicies"
$location = "westus2"

$ruleGroupName = Get-ResourceName

# AzureFirewallPolicyApplicationRuleCollection
$appRcName = "appRc"
$appRcPriority = 400
$appRcActionType = "Allow"

$pipelineRcPriority = 154

# AzureFirewallPolicyApplicationRule 1
$appRule1Name = "appRule"
$appRule1Desc = "desc1"
$appRule1WC1 = "DatingAndPersonals"
$appRule1WC2 = "Tasteless"
$appRule1Protocol1 = "http:80"
$appRule1Port1 = 80
$appRule1ProtocolType1 = "http"
$appRule1Protocol2 = "https:443"
$appRule1Port2 = 443
$appRule1ProtocolType2 = "https"
$appRule1SourceAddress1 = "192.168.0.0/16"

try {
# Create the resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }

# Create AzureFirewallPolicy (with no rules, ThreatIntel is in Alert mode by default)
$azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $location

# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname

#verification
Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
Assert-NotNull $getAzureFirewallPolicy.Location
Assert-AreEqual (Normalize-Location $location) $getAzureFirewallPolicy.Location


#Create Application Rules
$appRule = New-AzFirewallPolicyApplicationRule -Name $appRule1Name -Description $appRule1Desc -Protocol $appRule1Protocol1, $appRule1Protocol2 -WebCategory $appRule1WC1, $appRule1WC2 -SourceAddress $appRule1SourceAddress1

# Create Filter Rule with 2 application rules
$appRc = New-AzFirewallPolicyFilterRuleCollection -Name $appRcName -Priority $appRcPriority -Rule $appRule -ActionType $appRcActionType

New-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -Priority 100 -RuleCollection $appRc -FirewallPolicyObject $azureFirewallPolicy

# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgName

# verification
Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
Assert-NotNull $getAzureFirewallPolicy.Location
Assert-AreEqual $location $getAzureFirewallPolicy.Location

# Check rule groups count
Assert-AreEqual 1 @($getAzureFirewallPolicy.RuleCollectionGroups).Count

$getRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicy $getAzureFirewallPolicy

Assert-AreEqual 1 @($getRg.properties.ruleCollection).Count

$filterRuleCollection1 = $getRg.Properties.GetRuleCollectionByName($appRcName)

# Verify Filter Rule Collection1
Assert-AreEqual $appRcName $filterRuleCollection1.Name
Assert-AreEqual $appRcPriority $filterRuleCollection1.Priority
Assert-AreEqual $appRcActionType $filterRuleCollection1.Action.Type
Assert-AreEqual 1 $filterRuleCollection1.Rules.Count

$appRule = $filterRuleCollection1.GetRuleByName($appRule1Name)
# Verify application rule 1
Assert-AreEqual $appRule1Name $appRule.Name

Assert-AreEqual 1 $appRule.SourceAddresses.Count
Assert-AreEqual $appRule1SourceAddress1 $appRule.SourceAddresses[0]

Assert-AreEqual 2 $appRule.Protocols.Count
Assert-AreEqual $appRule1ProtocolType1 $appRule.Protocols[0].ProtocolType
Assert-AreEqual $appRule1ProtocolType2 $appRule.Protocols[1].ProtocolType
Assert-AreEqual $appRule1Port1 $appRule.Protocols[0].Port
Assert-AreEqual $appRule1Port2 $appRule.Protocols[1].Port

Assert-AreEqual 2 $appRule.WebCategories.Count
Assert-AreEqual $appRule1WC1 $appRule.WebCategories[0]
Assert-AreEqual $appRule1WC2 $appRule.WebCategories[1]


$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
$testPipelineRg|Set-AzFirewallPolicyRuleCollectionGroup -Priority $pipelineRcPriority
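Review bot: Test-AzureFirewallPolicyWithWebCategories only round-trips two valid category names under an `Allow` collection, so nothing in the added lines checks what happens to a category name the service does not know. Web-category rules are commonly used to block traffic, and a misspelled category that is accepted but never matches would fail open; if the cmdlet or service is expected to reject unknown names (not visible in this hunk), a negative case such as `Assert-Throws { New-AzFirewallPolicyApplicationRule -Name $appRule1Name -Protocol $appRule1Protocol2 -WebCategory "NotARealCategory" -SourceAddress $appRule1SourceAddress1 }` would pin that, the category value there being a constructed sample. The comment `# Create Filter Rule with 2 application rules` is stale, since a single rule is passed and `Assert-AreEqual 1 $filterRuleCollection1.Rules.Count` follows; `# Create Filter Rule collection with 1 application rule` matches the code. The indexed checks on `$appRule.WebCategories[0]` and `[1]` also assume the service returns categories in input order. The function body continues past the end of the hunk.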