az network firewall
Note
This reference is part of the azure-firewall extension for the Azure CLI (version 2.55.0 or higher). The extension will automatically install the first time you run an az network firewall command. Learn more about extensions.
Manage and configure Azure Firewalls.
Commands
Name | Description | Type | Status |
---|---|---|---|
az network firewall application-rule | Manage and configure Azure Firewall application rules. | Extension | GA |
az network firewall application-rule collection | Manage and configure Azure Firewall application rule collections. | Extension | GA |
az network firewall application-rule collection delete | Delete an Azure Firewall application rule collection. | Extension | GA |
az network firewall application-rule collection list | List Azure Firewall application rule collections. | Extension | GA |
az network firewall application-rule collection show | Get the details of an Azure Firewall application rule collection. | Extension | GA |
az network firewall application-rule create | Create an Azure Firewall application rule. | Extension | GA |
az network firewall application-rule delete | Delete an Azure Firewall application rule. | Extension | GA |
az network firewall application-rule list | List Azure Firewall application rules. | Extension | GA |
az network firewall application-rule show | Get the details of an Azure Firewall application rule. | Extension | GA |
az network firewall create | Create an Azure Firewall. | Extension | GA |
az network firewall delete | Delete an Azure Firewall. | Extension | GA |
az network firewall ip-config | Manage and configure Azure Firewall IP configurations. | Extension | GA |
az network firewall ip-config create | Create an Azure Firewall IP configuration. | Extension | GA |
az network firewall ip-config delete | Delete an Azure Firewall IP configuration. | Extension | GA |
az network firewall ip-config list | List Azure Firewall IP configurations. | Extension | GA |
az network firewall ip-config show | Get the details of an Azure Firewall IP configuration. | Extension | GA |
az network firewall learned-ip-prefix | Retrieves a list of all IP prefixes that azure firewall has learned to not SNAT. | Extension | Preview |
az network firewall list | List Azure Firewalls. | Extension | GA |
az network firewall list-fqdn-tags | Gets all the Azure Firewall FQDN Tags in a subscription. | Extension | GA |
az network firewall management-ip-config | Manage and configure Azure Firewall Management IP configurations. | Extension | Preview |
az network firewall management-ip-config show | Get the details of an Azure Firewall Management IP configuration. | Extension | Preview |
az network firewall management-ip-config update | Update an Azure Firewall Management IP configuration. | Extension | Preview |
az network firewall nat-rule | Manage and configure Azure Firewall NAT rules. | Extension | GA |
az network firewall nat-rule collection | Manage and configure Azure Firewall NAT rules. | Extension | GA |
az network firewall nat-rule collection delete | Delete an Azure Firewall NAT rule collection. | Extension | GA |
az network firewall nat-rule collection list | List Azure Firewall NAT rule collections. | Extension | GA |
az network firewall nat-rule collection show | Get the details of an Azure Firewall NAT rule collection. | Extension | GA |
az network firewall nat-rule create | Create an Azure Firewall NAT rule. | Extension | GA |
az network firewall nat-rule delete | Delete an Azure Firewall NAT rule. | Extension | GA |
az network firewall nat-rule list | List Azure Firewall NAT rules. | Extension | GA |
az network firewall nat-rule show | Get the details of an Azure Firewall NAT rule. | Extension | GA |
az network firewall network-rule | Manage and configure Azure Firewall network rules. | Extension | GA |
az network firewall network-rule collection | Manage and configure Azure Firewall network rule collections. | Extension | GA |
az network firewall network-rule collection delete | Delete an Azure Firewall network rule collection. | Extension | GA |
az network firewall network-rule collection list | List Azure Firewall network rule collections. | Extension | GA |
az network firewall network-rule collection show | Get the details of an Azure Firewall network rule collection. | Extension | GA |
az network firewall network-rule create | Create an Azure Firewall network rule. | Extension | GA |
az network firewall network-rule delete | Delete an Azure Firewall network rule. If you want to delete the last rule in a collection, please delete the collection instead. | Extension | GA |
az network firewall network-rule list | List Azure Firewall network rules. | Extension | GA |
az network firewall network-rule show | Get the details of an Azure Firewall network rule. | Extension | GA |
az network firewall policy | Manage and configure Azure firewall policy. | Extension | GA |
az network firewall policy create | Create an Azure firewall policy. | Extension | GA |
az network firewall policy delete | Delete an Azure firewall policy. | Extension | GA |
az network firewall policy intrusion-detection | Manage intrusion signature rules and bypass rules. | Extension | GA |
az network firewall policy intrusion-detection add | Update an Azure firewall policy. | Extension | GA |
az network firewall policy intrusion-detection list | List all intrusion detection configuration. | Extension | Preview |
az network firewall policy intrusion-detection remove | Update an Azure firewall policy. | Extension | GA |
az network firewall policy list | List all Azure firewall policies. | Extension | GA |
az network firewall policy rule-collection-group | Manage and configure Azure firewall policy rule collection group. | Extension | GA |
az network firewall policy rule-collection-group collection | Manage and configure Azure firewall policy rule collections in the rule collection group. | Extension | GA |
az network firewall policy rule-collection-group collection add-filter-collection | Add a filter collection into an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group collection add-nat-collection | Add a NAT collection into an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group collection list | List all rule collections of an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group collection remove | Remove a rule collection from an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group collection rule | Manage and configure the rule of a filter collection in the rule collection group of Azure firewall policy. | Extension | GA |
az network firewall policy rule-collection-group collection rule add | Add a rule into an Azure firewall policy rule collection. | Extension | Preview |
az network firewall policy rule-collection-group collection rule remove | Remove a rule from an Azure firewall policy rule collection. | Extension | Preview |
az network firewall policy rule-collection-group collection rule update | Update a rule of an Azure firewall policy rule collection. | Extension | Preview |
az network firewall policy rule-collection-group create | Create an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group delete | Delete an Azure Firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group list | List all Azure firewall policy rule collection groups. | Extension | Preview |
az network firewall policy rule-collection-group show | Show an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group update | Update an Azure firewall policy rule collection group. | Extension | Preview |
az network firewall policy rule-collection-group wait | Place the CLI in a waiting state until a condition is met. | Extension | GA |
az network firewall policy show | Show an Azure firewall policy. | Extension | GA |
az network firewall policy update | Update an Azure firewall policy. | Extension | GA |
az network firewall policy wait | Place the CLI in a waiting state until a condition is met. | Extension | GA |
az network firewall show | Get the details of an Azure Firewall. | Extension | GA |
az network firewall threat-intel-allowlist | Manage and configure Azure Firewall Threat Intelligence Allow List. | Extension | GA |
az network firewall threat-intel-allowlist create | Create an Azure Firewall Threat Intelligence Allow List. | Extension | Preview |
az network firewall threat-intel-allowlist delete | Delete an Azure Firewall Threat Intelligence Allow List. | Extension | Preview |
az network firewall threat-intel-allowlist show | Get the details of an Azure Firewall Threat Intelligence Allow List. | Extension | Preview |
az network firewall threat-intel-allowlist update | Update Azure Firewall Threat Intelligence Allow List. | Extension | Preview |
az network firewall update | Update an Azure Firewall. | Extension | GA |
az network firewall wait | Place the CLI in a waiting state until a condition is met. | Extension | GA |
az network firewall create
Create an Azure Firewall.
az network firewall create --name
--resource-group
[--allow-active-ftp {0, 1, f, false, n, no, t, true, y, yes}]
[--conf-name]
[--count]
[--dns-servers]
[--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-explicit-proxy {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-fat-flow-logging {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-pac-file {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-udp-log-optimization {0, 1, f, false, n, no, t, true, y, yes}]
[--firewall-policy]
[--http-port]
[--https-port {0, 1, f, false, n, no, t, true, y, yes}]
[--location]
[--m-conf-name]
[--m-public-ip]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--pac-file]
[--pac-file-port]
[--private-ranges]
[--public-ip]
[--route-server-id]
[--sku {AZFW_Hub, AZFW_VNet}]
[--tags]
[--threat-intel-mode {Alert, Deny, Off}]
[--tier {Basic, Premium, Standard}]
[--vhub]
[--vnet-name]
[--zones]
Examples
Create an Azure Firewall with private ranges
az network firewall create -g MyResourceGroup -n MyFirewall --private-ranges 10.0.0.0 10.0.0.0/16 IANAPrivateRanges
Create a Virtual WAN Secure Hub Firewall
az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_Hub --tier Standard --virtual-hub MyVirtualHub1 --public-ip-count 1
Create a Basic SKU Firewall with Management IP Configuration
az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_VNet --tier Basic --vnet-name MyVNet --conf-name MyIpConfig --m-conf-name MyManagementIpConfig --m-public-ip MyPublicIp
Create a Basic SKU Firewall with Virtual Hub
az network firewall create -g MyResourceGroup -n MyFirewall --sku AZFW_Hub --tier Basic --vhub MyVHub --public-ip-count 2
Required Parameters
--name: Azure Firewall name.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
--allow-active-ftp: Allow Active FTP. By default it is false. It's only allowed for an Azure Firewall on a virtual network.
--conf-name: Name of the IP configuration.
--count: Number of public IP addresses associated with the Azure Firewall. It's used to add public IP addresses to this firewall.
--dns-servers: Space-separated list of DNS server IP addresses. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--enable-dns-proxy: Enable DNS Proxy.
--enable-explicit-proxy: When set to true, explicit proxy mode is enabled.
--enable-fat-flow-logging: Allow fat flow logging. By default it is false.
--enable-pac-file: When set to true, the PAC file port and URL need to be provided.
--enable-udp-log-optimization: Allow UDP log optimization. By default it is false.
--firewall-policy: Name or ID of the firewallPolicy associated with this Azure Firewall.
--http-port: Port number for explicit proxy http protocol, cannot be greater than 64000.
--https-port: Port number for explicit proxy https protocol, cannot be greater than 64000.
--location: Resource location.
--m-conf-name: Name of the management IP configuration.
--m-public-ip: Name or ID of the public IP to use for management IP configuration.
--no-wait: Do not wait for the long-running operation to finish.
--pac-file: SAS URL for PAC file.
--pac-file-port: Port number for firewall to serve PAC file.
--private-ranges: Space-separated list of SNAT private ranges. Valid values are a single IP, IP prefixes or a single special value "IANAPrivateRanges". Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--public-ip: Name or ID of the public IP to use.
--route-server-id: The Route Server Id for the firewall.
--sku: SKU of the Azure Firewall. This field cannot be updated after creation. The default SKU on the server end is AZFW_VNet. If you want to attach the Azure Firewall to a vhub, you should set the SKU to AZFW_Hub.
--tags: Resource tags. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--threat-intel-mode: The operation mode for Threat Intelligence.
--tier: Tier of an Azure Firewall. --tier will take effect only when --sku is set.
--vhub: Name or ID of the virtualHub to which the firewall belongs.
--vnet-name: The virtual network (VNet) name. It should contain one subnet called "AzureFirewallSubnet".
--zones: Space-separated list of availability zones into which to provision the resource. Allowed values: 1, 2, 3. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
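A pre-flight check for the values passed to --private-ranges, given here as an added example that is not part of the Azure CLI or its documentation. It accepts the three kinds of value the help text names; the function names, the IPv4-only parsing, the host-bits rule and the reading of IANAPrivateRanges as RFC 1918 plus RFC 6598 space are assumptions of this example.

```python
import ipaddress

# The one special value named in the --private-ranges help text.
SPECIAL = "IANAPrivateRanges"

# Assumption of this example: the special value stands for RFC 1918 space
# plus the RFC 6598 shared range.
PRIVATE_SPACE = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_token(token):
    """Return an IPv4Network for an IP or prefix, None for the special value.

    Raises ValueError for anything else. IPv4-only parsing is an assumption.
    """
    if token == SPECIAL:
        return None
    iface = ipaddress.IPv4Interface(token)  # bare IPs parse as a /32
    if iface.ip != iface.network.network_address:
        # This lint's own rule: a prefix should be written on its boundary.
        raise ValueError(f"host bits set, did you mean {iface.network}?")
    return iface.network


def in_private_space(net):
    return any(net.subnet_of(p) for p in PRIVATE_SPACE)


def lint_private_ranges(tokens):
    """Check the tokens that would follow --private-ranges.

    Returns (errors, warnings) as two lists of strings.
    """
    errors, warnings, nets = [], [], []
    has_special = False
    for tok in tokens:
        try:
            net = parse_token(tok)
        except ValueError as exc:
            errors.append(f"{tok}: {exc}")
            continue
        if net is None:
            has_special = True
            continue
        if not in_private_space(net):
            # Listing a range here marks it as private, so it is not SNATed.
            warnings.append(f"{tok}: outside private space; "
                            "destinations here will not be SNATed")
        nets.append((tok, net))
    for tok, net in nets:
        if has_special and in_private_space(net):
            warnings.append(f"{tok}: already covered by {SPECIAL}")
        elif any(net != other and net.subnet_of(other) for _, other in nets):
            warnings.append(f"{tok}: already covered by a wider prefix in the list")
    return errors, warnings


if __name__ == "__main__":
    # Constructed inputs; the first is the value list from the page's own example.
    for sample in (["10.0.0.0", "10.0.0.0/16", "IANAPrivateRanges"],
                   ["10.0.0.5/16", "8.8.8.0/24", "corp.example"]):
        errs, warns = lint_private_ranges(sample)
        print(sample, "errors:", errs, "warnings:", warns)
```
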
az network firewall delete
Delete an Azure Firewall.
az network firewall delete [--ids]
[--name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]
[--subscription]
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Azure Firewall name.
--no-wait: Do not wait for the long-running operation to finish.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall learned-ip-prefix
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Retrieves a list of all IP prefixes that azure firewall has learned to not SNAT.
az network firewall learned-ip-prefix [--ids]
[--name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]
[--subscription]
Examples
List Learned IP Prefixes
az network firewall learned-ip-prefix -g MyResourceGroup -n MyFirewall
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Azure Firewall name.
--no-wait: Do not wait for the long-running operation to finish.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall list
List Azure Firewalls.
az network firewall list [--max-items]
[--next-token]
[--resource-group]
Optional Parameters
--max-items: Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
--next-token: Token to specify where to start paginating. This is the token value from a previously truncated response.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall list-fqdn-tags
Gets all the Azure Firewall FQDN Tags in a subscription.
az network firewall list-fqdn-tags [--max-items]
[--next-token]
Optional Parameters
--max-items: Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
--next-token: Token to specify where to start paginating. This is the token value from a previously truncated response.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall show
Get the details of an Azure Firewall.
az network firewall show [--ids]
[--name]
[--resource-group]
[--subscription]
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Azure Firewall name.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall update
Update an Azure Firewall.
az network firewall update [--add]
[--allow-active-ftp {0, 1, f, false, n, no, t, true, y, yes}]
[--count]
[--dns-servers]
[--enable-dns-proxy {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-fat-flow-logging {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-udp-log-optimization {0, 1, f, false, n, no, t, true, y, yes}]
[--firewall-policy]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--ids]
[--name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--private-ranges]
[--public-ips]
[--remove]
[--resource-group]
[--route-server-id]
[--set]
[--subscription]
[--tags]
[--threat-intel-mode {Alert, Deny, Off}]
[--vhub]
[--zones]
Optional Parameters
--add: Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
--allow-active-ftp: Allow Active FTP. By default it is false. It's only allowed for an Azure Firewall on a virtual network.
--count: Number of public IP addresses associated with the Azure Firewall. It's used to add public IP addresses to this firewall.
--dns-servers: Space-separated list of DNS server IP addresses. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--enable-dns-proxy: Enable DNS Proxy.
--enable-fat-flow-logging: Allow fat flow logging. By default it is false.
--enable-udp-log-optimization: Allow UDP log optimization. By default it is false.
--firewall-policy: Name or ID of the firewallPolicy associated with this Azure Firewall.
--force-string: When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Azure Firewall name.
--no-wait: Do not wait for the long-running operation to finish.
--private-ranges: Space-separated list of SNAT private ranges. Valid values are a single IP, IP prefixes or a single special value "IANAPrivateRanges". Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--public-ips: Space-separated list of public IP addresses associated with the Azure Firewall. It's used to delete public IP addresses from this firewall. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--remove: Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--route-server-id: The Route Server Id for the firewall.
--set: Update an object by specifying a property path and value to set. Example: --set property1.property2=.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--tags: Resource tags. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--threat-intel-mode: The operation mode for Threat Intelligence.
--vhub: Name or ID of the virtualHub to which the firewall belongs.
--zones: Space-separated list of availability zones into which to provision the resource. Allowed values: 1, 2, 3. Supports shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network firewall wait
Place the CLI in a waiting state until a condition is met.
az network firewall wait [--created]
[--custom]
[--deleted]
[--exists]
[--ids]
[--interval]
[--name]
[--resource-group]
[--subscription]
[--timeout]
[--updated]
Optional Parameters
--created: Wait until created with 'provisioningState' at 'Succeeded'.
--custom: Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
--deleted: Wait until deleted.
--exists: Wait until the resource exists.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--interval: Polling interval in seconds.
--name: Azure Firewall name.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--timeout: Maximum wait in seconds.
--updated: Wait until updated with provisioningState at 'Succeeded'.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.