Enable intrusion detection (IDPS) by default (#555)

Azure · Dec 3, 2021 · 894aaea · 894aaea
1 parent 52aeca1
commit 894aaea
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 7 deletions.
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
@@ -77,6 +77,7 @@ module hubNetwork './modules/hubNetwork.bicep' = {
  firewallSkuTier: firewallSkuTier
  firewallPolicyName: firewallPolicyName
  firewallThreatIntelMode: firewallThreatIntelMode
+ firewallIntrusionDetectionMode: firewallIntrusionDetectionMode
  firewallDiagnosticsLogs: firewallDiagnosticsLogs
  firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
  firewallClientIpConfigurationName: firewallClientIpConfigurationName
@@ -349,7 +350,21 @@ param firewallName string = 'firewall'
 param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
 param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
 param firewallPolicyName string = 'firewall-policy'
+
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
 param firewallThreatIntelMode string = 'Alert'
+
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
+param firewallIntrusionDetectionMode string = 'Alert'
+
 param firewallDiagnosticsLogs array = [
  {
  category: 'AzureFirewallApplicationRule'

diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1008.15138",
- "templateHash": "15227849893402646033"
+ "templateHash": "10286368957514163169"
  }
  },
  "parameters": {
@@ -132,7 +132,21 @@
  },
  "firewallThreatIntelMode": {
  "type": "string",
- "defaultValue": "Alert"
+ "defaultValue": "Alert",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
+ },
+ "firewallIntrusionDetectionMode": {
+ "type": "string",
+ "defaultValue": "Alert",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
  },
  "firewallDiagnosticsLogs": {
  "type": "array",
@@ -1134,6 +1148,9 @@
  "firewallThreatIntelMode": {
  "value": "[parameters('firewallThreatIntelMode')]"
  },
+ "firewallIntrusionDetectionMode": {
+ "value": "[parameters('firewallIntrusionDetectionMode')]"
+ },
  "firewallDiagnosticsLogs": {
  "value": "[parameters('firewallDiagnosticsLogs')]"
  },
@@ -1202,7 +1219,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1008.15138",
- "templateHash": "13599565970900573060"
+ "templateHash": "5914406162434941149"
  }
  },
  "parameters": {
@@ -1285,7 +1302,20 @@
  "type": "string"
  },
  "firewallThreatIntelMode": {
- "type": "string"
+ "type": "string",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
+ },
+ "firewallIntrusionDetectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
  },
  "firewallDiagnosticsLogs": {
  "type": "array"
@@ -2101,6 +2131,9 @@
  "threatIntelMode": {
  "value": "[parameters('firewallThreatIntelMode')]"
  },
+ "intrusionDetectionMode": {
+ "value": "[parameters('firewallIntrusionDetectionMode')]"
+ },
  "clientIpConfigurationName": {
  "value": "[parameters('firewallClientIpConfigurationName')]"
  },
@@ -2139,7 +2172,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1008.15138",
- "templateHash": "16515753424142002553"
+ "templateHash": "6929052309016745644"
  }
  },
  "parameters": {
@@ -2158,7 +2191,20 @@
  "type": "string"
  },
  "threatIntelMode": {
- "type": "string"
+ "type": "string",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
+ },
+ "intrusionDetectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Alert",
+ "Deny",
+ "Off"
+ ]
  },
  "clientIpConfigurationName": {
  "type": "string"
@@ -2204,6 +2250,9 @@
  "tags": "[parameters('tags')]",
  "properties": {
  "threatIntelMode": "[parameters('threatIntelMode')]",
+ "intrusionDetection": {
+ "mode": "[parameters('intrusionDetectionMode')]"
+ },
  "sku": {
  "tier": "[parameters('skuTier')]"
  }

diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep
@@ -3,8 +3,21 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param skuTier string
+
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
 param threatIntelMode string
 
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
+param intrusionDetectionMode string
+
 param clientIpConfigurationName string
 param clientIpConfigurationSubnetResourceId string
 param clientIpConfigurationPublicIPAddressResourceId string
@@ -27,6 +40,9 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  tags: tags
  properties: {
  threatIntelMode: threatIntelMode
+ intrusionDetection:{
+ mode: intrusionDetectionMode
+ }
  sku: {
  tier: skuTier
  }

diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep
@@ -29,7 +29,20 @@ param routeTableRouteNextHopType string = 'VirtualAppliance'
 param firewallName string
 param firewallSkuTier string
 param firewallPolicyName string
+
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
 param firewallThreatIntelMode string
+
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
+param firewallIntrusionDetectionMode string
 param firewallDiagnosticsLogs array
 param firewallDiagnosticsMetrics array
 param firewallClientIpConfigurationName string
@@ -201,7 +214,7 @@ module firewall './firewall.bicep' = {
 
  firewallPolicyName: firewallPolicyName
  threatIntelMode: firewallThreatIntelMode
-
+ intrusionDetectionMode: firewallIntrusionDetectionMode
  clientIpConfigurationName: firewallClientIpConfigurationName
  clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}'
  clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id