Azure Firewall threat intelligence-based filtering

Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from or to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Azure Threat Intelligence feed. Intelligent Security Graph powers Azure threat intelligence and is used by multiple services, including Azure Security Center.

Figure: Firewall threat intelligence

If you've enabled threat intelligence-based filtering, the associated rules are processed before any of the NAT rules, network rules, or application rules.

You can choose to only log an alert when a rule is triggered, or you can choose alert and deny mode.

By default, threat intelligence-based filtering is enabled in alert mode. You can't turn off this feature or change the mode until the portal interface becomes available in your region.

Figure: Threat intelligence-based filtering portal interface

Logs

The following log excerpt shows a triggered rule:

{
    "category": "AzureFirewallNetworkRule",
    "time": "2018-04-16T23:45:04.8295030Z",
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
    "operationName": "AzureFirewallThreatIntelLog",
    "properties": {
        "msg": "HTTP request from 10.0.0.5:54074 to somemaliciousdomain.com:80. Action: Alert. ThreatIntel: Bot Networks"
    }
}

Testing

  • Outbound testing - Outbound traffic alerts should be a rare occurrence, because an outbound hit means that a host in your environment is already reaching out to a known malicious destination, that is, your environment has been compromised. To help you test that outbound alerts are working, a test FQDN has been created that triggers an alert. Use testmaliciousdomain.chinaeast.cloudapp.chinacloudapi.cn for your outbound tests.

  • Inbound testing - You can expect to see alerts on incoming traffic if DNAT rules are configured on the firewall. This is true even if only specific sources are allowed on the DNAT rule and traffic is otherwise denied. Azure Firewall doesn't alert on all known port scanners; it alerts only on scanners that are known to also engage in malicious activity.

Next steps