
Commit 48dad61

committed Feb 2, 2021
Updated article with more detailed info
1 parent ccc27e0 commit 48dad61

File tree

2 files changed

+17
-5
lines changed


articles/firewall-manager/threat-intelligence-settings.md

Lines changed: 17 additions & 5 deletions
@@ -18,22 +18,34 @@ If you've configured threat intelligence-based filtering, the associated rules a
1818
:::image type="content" source="media/threat-intelligence-settings/threat-intelligence-policy.png" alt-text="Threat intelligence policy":::
1919

2020
## Threat intelligence Mode
21+
Threat intelligence can be configured in the following modes. By default, threat intelligence-based filtering is enabled in alert mode.
2122

22-
You can choose to log only an alert when a rule is triggered, or you can choose alert and deny mode.
23+
Mode |Description |
24+
|---------|---------|
25+
|`Off` | The Threat Intelligence feature will not be enabled for your firewall |
26+
|`Alert only` | You will receive high confidence alerts for traffic going through your firewall to or from known malicious IP addresses and domains |
27+
|`Alert and deny` | Traffic will be blocked and you will receive high confidence alerts when traffic attempting to go through your firewall to or from known malicious IP addresses and domains is detected. |
28+
29+
> [!NOTE]
30+
> Threat intelligence mode is inherited from parent policies to child policies. A child policy must be configured with the same or stricter mode than the parent policy.
2331
24-
By default, threat intelligence-based filtering is enabled in alert mode.
2532

2633
## Allowed list addresses
2734

28-
You can configure a list of allowed IP addresses so that threat intelligence won't filter any of the addresses, ranges, or subnets that you specify.
35+
Threat intelligence may trigger false positives and block traffic that actually is valid. You can configure a list of allowed IP addresses so that threat intelligence won't filter any of the addresses, ranges, or subnets that you specify.
36+
37+
![Allow list addresses](media/threat-intelligence-settings/allow-list.png)
2938

39+
The allow list can be updated with multiple entries at the same time by uploading a CSV file. The CSV can only contain IP Addresses and ranges, no headings are allowed.
3040

41+
> [!NOTE]
42+
> Threat intelligence allow list addresses are inherited from parent policies to child policies. Any IP address or range added to a parent policy will apply for all child policies as well.
3143
3244
## Logs
3345

34-
The following log excerpt shows a triggered rule:
46+
The following log excerpt shows a triggered rule for outbound traffic to a malicious site:
3547

36-
```
48+
```json
3749
{
3850
"category": "AzureFirewallNetworkRule",
3951
"time": "2018-04-16T23:45:04.8295030Z",
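Review bot: the new mode table's header row is missing its leading pipe (`Mode |Description |` on line 23 versus `|---------|---------|` on the separator row below it); write it as `|Mode |Description |` so every Markdown renderer parses it as a table rather than as a paragraph followed by a broken table. The heading `## Threat intelligence Mode` also capitalises "Mode" where the rest of the article uses sentence case (`## Allowed list addresses`, `## Logs`). In the allowed-list section, "The CSV can only contain IP Addresses and ranges, no headings are allowed." is a comma splice and reads better as two sentences, and since the note added right after it states that any address or range in a parent policy applies to all child policies, it is worth saying explicitly that an entry allowed at the parent bypasses threat-intelligence filtering for every child, so parent-level allow-list entries should be limited to addresses known to be legitimate for all of them.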
