Logo of Trend Micro

Enable Next Generation Firewall (NGFW) Monitoring

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-009

Ensure that Next Generation Firewall (NGFW) monitoring is enabled within your Microsoft Azure cloud account so that Azure Security Center can assess if the necessary network endpoints have a next generation firewall solution currently deployed. A Next Generation Firewall (NGFW) represents the third generation of firewall technology that combines a traditional firewall with other network device filtering functionalities such as application firewalls using in-line Deep Packet Inspection (DPI), Intrusion Prevention Systems (IPSs), TLS/SSL encrypted traffic inspectors, website filtering, QoS/bandwidth management, antivirus and 3rd-party identity management integration (i.e. LDAP, Active Directory, RADIUS). The goal of NGFWs is to include more layers of the OSI model, improving filtering of network traffic that is dependent on the packet contents.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

A Next Generation Firewall (NGFW) extends Azure cloud network protection beyond network security groups. Once "Next Generation Firewall Monitoring" feature is enabled, the Azure Security Center will search for deployments where a NGFW is recommended.

Audit

To determine if Next Generation Firewall (NGFW) monitoring is enabled in the Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the Azure subscription that you want to examine, to access the selected subscription settings.

05 On the Security Policy page, in the Network category, check Monitor unprotected network endpoints in Azure Security Center configuration setting status. If the setting status is Disabled, the Next Generation Firewall (NGFW) monitoring is not enabled for the Microsoft Azure virtual machines (VMs) launched within the selected subscription.

06 Repeat step no. 4 and 5 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the "Next Generation Firewall monitoring" feature status for the current Azure account subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.nextGenerationFirewallMonitoringEffect.value'

02 The command output should return the requested feature configuration status: 

"Disabled"

If the command output returns "Disabled", as shown in the example above, the Next Generation Firewall (NGFW) monitoring feature is not enabled for the Microsoft Azure virtual machines available in the current Azure subscription.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available within your account.

Remediation / Resolution

To enable Next Generation Firewall (NGFW) monitoring for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the name of the Azure subscription that you want to access.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the policy assignment.

06 On the selected policy assignment page, in the PARAMETERS section, select AuditIfNotExists from Access through internet facing endpoint should be restricted dropdown list to enable Next Generation Firewall (NGFW) monitoring for all the Microsoft Azure virtual machines (VMs) available in the current Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the "Next Generation Firewall monitoring" feature becomes active for the selected Azure subscription.

08 If required, repeat steps no. 4 – 7 for other Microsoft Azure cloud subscription available.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where the nextGenerationFirewallMonitoringEffect configuration parameter is enabled. Save the following content to a JSON file named "enable-next-generation-firewall.json" and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details: 

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "nextGenerationFirewallMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration parameters defined within the "enable-next-generation-firewall.json" file, to enable the Next Generation Firewall (NGFW) monitoring for the current Microsoft Azure cloud subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-next-generation-firewall.json"'

03 If successful, the command output should return the updated Azure Security Center policy: 

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",

      ...

      "description":"This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of on-boarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other subscriptions available in your Microsoft Azure cloud account.

References

Publication date Sep 24, 2019

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Next Generation Firewall (NGFW) Monitoring

Risk level: Medium