
Next Generation Firewall (NGFW) Monitoring

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-009

Ensure that Next Generation Firewall (NGFW) monitoring is enabled within your Microsoft Azure cloud account so that Microsoft Defender for Cloud can assess whether the necessary network endpoints have an NGFW solution deployed. A Next Generation Firewall (NGFW) represents the third generation of firewall technology: it combines a traditional firewall with other network filtering functions such as application firewalls using in-line Deep Packet Inspection (DPI), Intrusion Prevention Systems (IPSs), TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus and third-party identity management integration (e.g. LDAP, Active Directory, RADIUS). The goal of NGFWs is to cover more layers of the OSI model, improving the filtering of network traffic based on packet contents.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A Next Generation Firewall (NGFW) extends Azure cloud network protection beyond Network Security Groups (NSGs). Once the monitoring feature is enabled, Microsoft Defender for Cloud will search for deployments where an NGFW is recommended and raise a recommendation for each of them.


Audit

To determine if the Next Generation Firewall (NGFW) monitoring is enabled within the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: All network ports should be restricted on network security groups associated to your virtual machine. If the specified parameter is set to Disabled, the Next Generation Firewall (NGFW) monitoring is not enabled in the selected Azure subscription.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) using custom query filters to determine if the Next Generation Firewall (NGFW) monitoring is enabled within the current Azure subscription by checking the nextGenerationFirewallMonitoringEffect configuration parameter value:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")' | jq '.properties.parameters.nextGenerationFirewallMonitoringEffect.value'

02 The command output should return the requested parameter value:

"Disabled"

If the account get-access-token command output returns "Disabled", as shown in the output example above, the Next Generation Firewall (NGFW) monitoring is not enabled within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To turn on the Next Generation Firewall (NGFW) monitoring in order to detect overly permissive inbound Network Security Group (NSG) rules, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.

08 Select AuditIfNotExists from the All network ports should be restricted on network security groups associated to your virtual machine parameter dropdown list to enable the Next Generation Firewall (NGFW) monitoring feature for the selected Azure subscription.

09 Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

10 Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

01 Define the policy assignment configuration used by the account get-access-token command, with the nextGenerationFirewallMonitoringEffect parameter set to AuditIfNotExists to turn on the monitoring feature. Save the configuration document to a JSON file named enable-next-generation-firewall-monitoring.json and replace the placeholder details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details:

{
  "properties":{
     "displayName":"ASC Default (subscription: <azure-subscription-id>)",
     "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
     "scope":"/subscriptions/<azure-subscription-id>",
     "parameters":{
        "nextGenerationFirewallMonitoringEffect":{
           "value":"AuditIfNotExists"
        }
     }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. the enable-next-generation-firewall-monitoring.json file) to enable the Next Generation Firewall (NGFW) monitoring feature for the current Microsoft Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d @"enable-next-generation-firewall-monitoring.json"'

03 The command output should return information about the modified configuration parameter:

{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "nextGenerationFirewallMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
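The audit and remediation steps above both work on the SecurityCenterBuiltIn policy assignment document that the GET call returns. The following Python script is an added example (not Conformity's or Microsoft's code) that evaluates such a document and builds the PUT body for remediation from it. The sample assignment is constructed inline from the response shape shown above, with the effect set to Disabled; the parameter name otherMonitoringEffectPlaceholder is a hypothetical stand-in for any other parameter the assignment already sets. The design point it adds to the procedure: the ARM PUT replaces the whole assignment, so deriving the body from the current document keeps other customized parameters instead of resetting them, and an assignment that does not mention the parameter at all is reported as "not-set" (the initiative's default then applies and has to be checked separately) rather than silently treated as enabled.

```python
"""Added example: evaluate and remediate nextGenerationFirewallMonitoringEffect
on a SecurityCenterBuiltIn policy assignment document (offline, no Azure calls)."""
import json

PARAM = "nextGenerationFirewallMonitoringEffect"
# Effects that count as "monitoring enabled" for this rule (from the page).
ENABLED_EFFECTS = {"AuditIfNotExists"}

# Constructed sample: the GET response shape from the page, effect Disabled,
# plus a hypothetical second parameter to show that it is preserved on PUT.
SAMPLE_ASSIGNMENT = json.loads("""
{
  "sku": {"name": "A0", "tier": "Free"},
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "nextGenerationFirewallMonitoringEffect": {"value": "Disabled"},
      "otherMonitoringEffectPlaceholder": {"value": "AuditIfNotExists"}
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}
""")


def ngfw_monitoring_status(assignment: dict) -> str:
    """Return 'enabled', 'disabled' or 'not-set' for one assignment document.

    'not-set' means the assignment does not override the parameter, so the
    initiative's default value applies and must be checked separately.
    """
    params = assignment.get("properties", {}).get("parameters") or {}
    entry = params.get(PARAM)
    if not entry or "value" not in entry:
        return "not-set"
    return "enabled" if entry["value"] in ENABLED_EFFECTS else "disabled"


def build_enable_body(assignment: dict, effect: str = "AuditIfNotExists") -> dict:
    """Build the PUT body that turns monitoring on.

    All parameters already present on the assignment are kept (a PUT replaces
    the assignment, so a body with only the one parameter would drop the rest).
    Server-managed fields such as sku and metadata are deliberately not copied.
    """
    props = assignment["properties"]
    parameters = dict(props.get("parameters") or {})
    parameters[PARAM] = {"value": effect}
    body = {
        "properties": {
            "displayName": props["displayName"],
            "policyDefinitionId": props["policyDefinitionId"],
            "scope": props["scope"],
            "parameters": parameters,
        },
        "type": "Microsoft.Authorization/policyAssignments",
        "name": assignment.get("name", "SecurityCenterBuiltIn"),
    }
    if "location" in assignment:
        body["location"] = assignment["location"]
    return body


def audit_subscriptions(assignments: dict) -> dict:
    """Map subscription id -> status, for the 'repeat per subscription' step."""
    return {sub: ngfw_monitoring_status(doc) for sub, doc in assignments.items()}


if __name__ == "__main__":
    # Audit the constructed sample, then print the remediation body for it.
    print(ngfw_monitoring_status(SAMPLE_ASSIGNMENT))
    print(json.dumps(build_enable_body(SAMPLE_ASSIGNMENT), indent=2))
```

In practice the input for ngfw_monitoring_status is the curl GET output from the audit step, and the dictionary returned by build_enable_body is what you would write to enable-next-generation-firewall-monitoring.json before the PUT.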

Publication date Sep 24, 2019