Field reference per rule type

This topic lists fields supported for each type of rule.

These details differ per vendor and security control type, and the CloudFlow rule fields change accordingly.

Common fields

Common fields must be defined for all rules, regardless of vendor or control type.

Define common fields as follows:

Rule name

Enter a unique and meaningful name for this rule.

Install on...

From the dropdown, select the security controls you want to install this rule on.

To automatically select all security controls, select the Install on all security controls in this policy checkbox.

Action

Select the action you want this rule to control.

Default: Allow

For more details, see:

Azure Firewall (classic) controls

Azure Firewall (classic) controls support Network rules and Application rules.

Azure Firewall (classic) controls are made up of rule collections. Each rule collection is associated with only one rule type.

Network rule fields

Define Network rules with values for Common fields, as well as the following:

Collection

A set of rules with the same action and priority. Select an existing collection from the dropdown list.

If you don't see the collection that you need, click Cancel, and create a new collection.

For details, see Add a new collection (for Azure Firewall (classic) only).

Source Addresses

Enter one or more IP addresses, or a range of IP addresses, to use as the source.

Separate multiple values by commas.

Destination Type

Select one of the following:

  • IP Addresses. Determines that the destination is either one or more IP addresses, or an IP address range.
  • Service Tag. Determines that the destination is a service tag.

Service Tags

Displayed only if you selected Service Tag as the Destination Type.

Select one or more tags to apply to this rule.

  • To select multiple tags, select them one at a time.
  • Click a menu item again to clear the selection.

Destination Addresses

Displayed only if you selected IP Addresses as the Destination Type.

Enter one or more IP addresses, or a range of IP addresses, to use as the destination.

Separate multiple values by commas.

Protocols

Select the protocols you want to control using the new rule.

Destination Ports

Enter one or more ports, or a range of ports, to use as the destination.

Separate multiple values by commas.

Application rule fields

Define Application rules with values for Common fields, as well as the following:

Collection

A set of rules with the same action and priority. Select an existing collection from the dropdown list.

Note: If you don't see the collection that you need, click Cancel, and create a new collection.

For details, see Add a new collection (for Azure Firewall (classic) only).

Source Addresses

Enter one or more IP addresses, or a range of IP addresses, to use as the source.

Separate multiple values by commas.

Application Rule Type

Select one of the following:

  • FQDN Tags. Determines that the destination is an FQDN tag.
  • Target FQDNs. Determines that the destination is a specific FQDN.

FQDN Tags

Displayed only if you selected FQDN Tags as the Application Rule Type.

Select one or more tags to apply to this rule.

  • To select multiple tags, select them one at a time.
  • Click a menu item again to clear the selection.

Target FQDNs

Displayed only if you selected Target FQDNs as the Application Rule Type.

  • Enter one or more destination FQDNs.
  • Separate multiple values by commas.

Protocol:Port

Displayed only if you selected Target FQDNs as the Application Rule Type.

  • Enter the protocol, and optionally a port, that you want to control using the new rule.
  • Specify a protocol without a port to use the default port.
  • Supported protocols include:
    • HTTP
    • HTTPS

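The Target FQDNs and Protocol:Port fields above are free text with rules attached (comma-separated values, HTTP or HTTPS only, a missing port means the default port). The following parser, added here as an illustration and not code from CloudFlow or AlgoSec, applies those rules before a rule is submitted. It assumes default ports of 80 for HTTP and 443 for HTTPS and that a target FQDN is a bare host name rather than a URL; neither assumption is stated on the page.

```python
"""Parse the Target FQDNs and Protocol:Port fields of an Azure Firewall (classic)
Application rule.

Added example, not CloudFlow code. Assumed (not stated on the page): default
ports of 80 for HTTP and 443 for HTTPS, and that a target FQDN is a host name,
not a URL.
"""
import re

SUPPORTED_PROTOCOLS = ("HTTP", "HTTPS")       # the protocols the page lists
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}    # assumption: IANA well-known ports
# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_csv(value):
    """Split a comma-separated field into non-empty, whitespace-trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_target_fqdns(value):
    """Return the list of FQDNs, or raise ValueError naming the first bad entry."""
    fqdns = split_csv(value)
    if not fqdns:
        raise ValueError("Target FQDNs: enter at least one destination")
    for fqdn in fqdns:
        if "://" in fqdn or "/" in fqdn:
            raise ValueError(f"Target FQDNs: {fqdn!r} looks like a URL; enter a host name")
        if not all(_LABEL.match(label) for label in fqdn.split(".")):
            raise ValueError(f"Target FQDNs: {fqdn!r} is not a valid host name")
    return fqdns


def parse_protocol_ports(value):
    """Return a list of (protocol, port) tuples.

    'HTTPS:8443' pins the port; 'HTTP' on its own takes the default port.
    """
    pairs = []
    for entry in split_csv(value):
        proto, sep, port = entry.partition(":")
        proto = proto.strip().upper()
        if proto not in SUPPORTED_PROTOCOLS:
            raise ValueError(f"Protocol:Port: {proto!r} is not supported (HTTP or HTTPS)")
        if sep == "":
            port_num = DEFAULT_PORTS[proto]
        else:
            port = port.strip()
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"Protocol:Port: {port!r} is not a port in 1-65535")
            port_num = int(port)
        pairs.append((proto, port_num))
    if not pairs:
        raise ValueError("Protocol:Port: enter at least one protocol")
    return pairs


def validate_application_rule(rule):
    """Check a dict of field values; return a list of problems (empty when valid)."""
    problems = []
    for field, parser in (("Target FQDNs", parse_target_fqdns),
                          ("Protocol:Port", parse_protocol_ports)):
        try:
            parser(rule.get(field, ""))
        except ValueError as err:
            problems.append(str(err))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(parse_protocol_ports("http, HTTPS:8443"))
    print(validate_application_rule({"Target FQDNs": "https://www.example.com/x",
                                     "Protocol:Port": "FTP:21"}))
```

validate_application_rule returns every problem it finds rather than stopping at the first, which is the behaviour you want when checking a batch of rules exported from a form.
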
Azure NSGs (Network Security Groups) controls

Azure Network Security Group controls support both Inbound and Outbound rules.

Define NSG Inbound and Outbound rules with values for Common fields, as well as the following:

Inbound rule fields

Priority

Enter a unique integer between 100 and 4096.

Source

Select one of the following to use as your source:

  • Any
  • IP Addresses
  • Service Tag
  • Application security group

Source IP Addresses

Displayed only if you selected IP Addresses in the Source dropdown.

Enter one or more IP addresses to use as the source. Separate multiple values with commas.

Source Service Tag

Displayed only if you selected Service Tag in the Source dropdown.

Select a related service tag from the dropdown list.

Source Application Security Group

Displayed only if you selected Application security group in the Source dropdown.

Select a related security group from the dropdown list.

Source Port Ranges

Enter one or more source port ranges you want to control using the new rule.

Separate multiple values with commas.

Destination

Select one of the following to use as your destination:

  • Any
  • IP Addresses
  • VirtualNetwork
  • Application security group

Destination IP Addresses

Displayed only if you selected IP Addresses in the Destination dropdown.

Enter one or more IP addresses to use as the destination. Separate multiple values with commas.

Destination Application Security Group

Displayed only if you selected Application security group in the Destination dropdown.

Select a related security group from the dropdown list.

Destination Port Ranges

Enter one or more destination port ranges you want to control using the new rule.

Separate multiple values with commas.

Protocol

Select one of the following:

  • TCP
  • UDP
  • Any (includes ICMP)

CloudFlow comment

Free text that describes the rule.

Note: This text is a CloudFlow-based comment. Your Azure description remains read-only.

Outbound rule fields

Priority

Enter a unique integer between 100 and 4096.

Source

Select one of the following to use as your source:

  • Any
  • IP Addresses
  • VirtualNetwork
  • Application security group

Source IP Addresses

Displayed only if you selected IP Addresses in the Source dropdown.

Enter one or more IP addresses to use as the source. Separate multiple values with commas.

Source Application Security Group

Displayed only if you selected Application security group in the Source dropdown.

Select a related security group from the dropdown list.

Source Port Ranges

Enter one or more source port ranges you want to control using the new rule.

Separate multiple values with commas.

Destination

Select one of the following to use as your destination:

  • Any
  • IP Addresses
  • Service Tag
  • Application security group

Destination IP Addresses

Displayed only if you selected IP Addresses in the Destination dropdown.

Enter one or more IP addresses to use as the destination. Separate multiple values with commas.

Destination Service Tag

Displayed only if you selected Service Tag in the Destination dropdown.

Select a related service tag from the dropdown list.

Destination Application Security Group

Displayed only if you selected Application security group in the Destination dropdown.

Select a related security group from the dropdown list.

Destination Port Ranges

Enter one or more destination port ranges you want to control using the new rule.

Separate multiple values with commas.

Protocol

Select one of the following:

  • TCP
  • UDP
  • Any (includes ICMP)

CloudFlow comment

Free text that describes the rule.

Note: This text is a CloudFlow-based comment. Your Azure description remains read-only.

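The Inbound and Outbound field lists above carry several constraints a form does not enforce on its own: the priority range, the fields that become mandatory once a Source or Destination option is chosen, the options that differ between directions, and the requirement that priorities be unique. The validator below, added here as an illustration and not CloudFlow code, checks a set of rules against those constraints. The sample rules are constructed; accepting '*' as "all ports" is an assumption the page does not state.

```python
"""Validate Azure NSG Inbound/Outbound rule fields and find priority clashes.

Added example, not CloudFlow code. Field names follow the page; sample rules are
constructed. Assumption: a port range is 'N' or 'N-M' in 1-65535, and '*' means
all ports (the page does not mention '*').
"""
import ipaddress

PRIORITY_MIN, PRIORITY_MAX = 100, 4096
PROTOCOLS = {"TCP", "UDP", "Any"}
# The extra field each Source/Destination choice requires, per the page.
DEPENDENT_FIELD = {
    "IP Addresses": "IP Addresses",
    "Service Tag": "Service Tag",
    "Application security group": "Application Security Group",
}
# Options offered per direction and endpoint, per the page.
ALLOWED = {
    ("Inbound", "Source"): {"Any", "IP Addresses", "Service Tag", "Application security group"},
    ("Inbound", "Destination"): {"Any", "IP Addresses", "VirtualNetwork", "Application security group"},
    ("Outbound", "Source"): {"Any", "IP Addresses", "VirtualNetwork", "Application security group"},
    ("Outbound", "Destination"): {"Any", "IP Addresses", "Service Tag", "Application security group"},
}


def split_csv(value):
    return [item.strip() for item in str(value).split(",") if item.strip()]


def check_addresses(field, value, problems):
    """Each comma-separated item must parse as an IPv4/IPv6 address or CIDR range."""
    items = split_csv(value)
    if not items:
        problems.append(f"{field}: enter at least one IP address")
    for item in items:
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"{field}: {item!r} is not an IP address or range")


def check_port_ranges(field, value, problems):
    items = split_csv(value)
    if not items:
        problems.append(f"{field}: enter at least one port range")
    for item in items:
        if item == "*":                      # assumption: '*' means all ports
            continue
        lo, _, hi = item.partition("-")
        hi = hi or lo
        if not (lo.isdigit() and hi.isdigit()) or not 1 <= int(lo) <= int(hi) <= 65535:
            problems.append(f"{field}: {item!r} is not a port or port range")


def validate_nsg_rule(rule):
    """Return a list of problems for one rule dict (empty when the rule is valid)."""
    problems = []
    direction = rule.get("Direction")
    if direction not in ("Inbound", "Outbound"):
        return ["Direction must be Inbound or Outbound"]
    prio = rule.get("Priority")
    if not isinstance(prio, int) or not PRIORITY_MIN <= prio <= PRIORITY_MAX:
        problems.append(f"Priority: must be an integer between {PRIORITY_MIN} and {PRIORITY_MAX}")
    for end in ("Source", "Destination"):
        choice = rule.get(end)
        if choice not in ALLOWED[(direction, end)]:
            problems.append(f"{end}: {choice!r} is not an option for {direction} rules")
            continue
        dep = DEPENDENT_FIELD.get(choice)
        if dep:
            field = f"{end} {dep}"           # e.g. "Source Service Tag"
            if not rule.get(field):
                problems.append(f"{field}: required when {end} is {choice}")
            elif dep == "IP Addresses":
                check_addresses(field, rule[field], problems)
        check_port_ranges(f"{end} Port Ranges", rule.get(f"{end} Port Ranges", ""), problems)
    if rule.get("Protocol") not in PROTOCOLS:
        problems.append("Protocol: select TCP, UDP, or Any")
    return problems


def find_priority_clashes(rules):
    """Priorities must be unique per direction; return the clashing (direction, priority) keys."""
    seen = {}
    for rule in rules:
        seen.setdefault((rule.get("Direction"), rule.get("Priority")), []).append(rule.get("Rule name"))
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample rules (not from the page); the third one is deliberately invalid.
SAMPLE_RULES = [
    {"Rule name": "allow-web-in", "Direction": "Inbound", "Priority": 100,
     "Source": "Service Tag", "Source Service Tag": "Internet", "Source Port Ranges": "*",
     "Destination": "IP Addresses", "Destination IP Addresses": "10.0.1.0/24",
     "Destination Port Ranges": "443", "Protocol": "TCP", "Action": "Allow"},
    {"Rule name": "allow-db-in", "Direction": "Inbound", "Priority": 100,
     "Source": "Application security group", "Source Application Security Group": "asg-web",
     "Source Port Ranges": "1024-65535", "Destination": "IP Addresses",
     "Destination IP Addresses": "10.0.2.10, 10.0.2.11", "Destination Port Ranges": "1433",
     "Protocol": "TCP", "Action": "Allow"},
    {"Rule name": "bad-out", "Direction": "Outbound", "Priority": 50,
     "Source": "Service Tag", "Source Port Ranges": "*", "Destination": "IP Addresses",
     "Destination IP Addresses": "10.0.0.300", "Destination Port Ranges": "80-8", "Protocol": "Any"},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["Rule name"], validate_nsg_rule(rule))
    print(find_priority_clashes(SAMPLE_RULES))
```

The first two sample rules pass field validation individually but share priority 100 in the same direction, which only find_priority_clashes catches; the third rule is rejected for its priority, its Outbound source option, its malformed address and its inverted port range.
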
Azure Firewall controls

Azure Firewall Policies controls support Network rules, Application rules, and NAT rules.

Azure Firewall Policies controls are made up of groups of rule collections. Each group, with its collections of rules, is associated with only one rule type.

Network rule fields

Installed on

The Azure Firewall the policy set is installed on.

Rule Collection Group

A group of rule collections. Click the group to see its rules. The rule collection group's name is preceded by the group's priority.

For example: 100 Rule Collection Group: RuleCollectionGrpDemo001

Priority

Rule collection priority.

Rule Collection Name

The name of the rule collection.

Rule Name

The name of the rule.

Source Addresses

One or more IP addresses, or a range of IP addresses, used as the source.

Destination Addresses

One or more IP addresses, or a range of IP addresses, used as the destination.

Protocols

Communication protocols to use to transfer data.

Destination Ports

One or more ports, or a range of ports, used as the destination.

Action

The action the rule controls.

For example: Allow

Application rule fields

Installed on

The Azure Firewall the policy set is installed on.

Rule Collection Group

A group of rule collections. Click the group to see its rules. The rule collection group's name is preceded by the group's priority.

For example: 100 Rule Collection Group: RuleCollectionGrpDemo001

Priority

Rule collection priority.

Rule Collection Name

The name of the rule collection.

Rule Name

The name of the rule.

Source Addresses

One or more IP addresses, or a range of IP addresses, used as the source.

Destination Addresses

One or more IP addresses, or a range of IP addresses, used as the destination.

Protocols

Communication protocols to use to transfer data.

Destination Ports

One or more ports, or a range of ports, used as the destination.

Action

The action the rule controls.

For example: Allow

NAT rule fields

Installed on

The Azure Firewall the policy set is installed on.

Rule Collection Group

A group of rule collections. Click the group to see its rules. The rule collection group's name is preceded by the group's priority.

For example: 100 Rule Collection Group: RuleCollectionGrpDemo001

Priority

Rule collection priority.

Rule Collection Name

The name of the rule collection.

Rule Name

The name of the rule.

Source Addresses

One or more IP addresses, or a range of IP addresses, used as the source.

Destination Addresses

One or more IP addresses, or a range of IP addresses, used as the destination.

Protocols

Communication protocols to use to transfer data.

Destination Ports

One or more ports, or a range of ports, used as the destination.

Translated Addresses

The IP address to which the destination is translated.

Translated Ports

The port to which the destination port is translated.

Action

The action the rule controls.

For example: Allow

AWS SGs (Security Groups) controls

Define AWS SG Inbound and Outbound rules with values for the following:

Source / Destination Type

Select one of the following:

  • Any
  • IP Address
  • Security Group

Separate multiple values with commas.

IP Addresses

Displayed only if you selected IP Address as the Source or Destination Type.

Enter a CIDR IP address, such as 192.168.99.0/24.

If connecting from behind a firewall, enter the IP address range used by the client computers.

Multiple values are not supported.

VPC

Displayed only if you selected Security Group as the Source or Destination Type.

Select a VPC from the dropdown list.

Protocol

Select one of the following:

  • TCP
  • UDP
  • ICMP
  • Any (includes ICMP)

Port range

Displayed only if you selected Any, TCP, or UDP in the Protocol field.

Enter the port range you want to control using the new rule.

ICMP Type

Displayed only if you selected ICMP in the Protocol field.

Select the type of ICMP you want to define for the rule.

ICMP Sub-Type

Displayed only if you selected a relevant option in the ICMP Type field.

Select the ICMP sub-type you want to define for the rule.

Security Group

Displayed only if you selected Security Group as the Source or Destination Type and a VPC is selected. Lists the security groups relevant to the selected VPC.

Select a security group from the dropdown list.

Install on...

From the dropdown, select the security controls you want to install this rule on.

To automatically select all security controls, select the Install on all security controls in this policy checkbox.

CloudFlow comment

Free text that describes the rule.

Note: This text is a CloudFlow-based comment. Your vendor-side description remains read-only.

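It helps to know what the AWS SG fields above turn into once the rule reaches AWS, because that is what actually gets authorized. The function below, added here as an illustration and not CloudFlow code, builds the IpPermissions entry that the EC2 API takes for a security group ingress or egress authorization from a rule expressed in the page's fields. The mapping to the EC2 structure is the editor's reading of that API, not something the page states: 'Any' becomes IpProtocol '-1', and for ICMP the FromPort/ToPort pair carries the numeric type and code with -1 meaning all. Sample rule values are constructed.

```python
"""Map a CloudFlow-style AWS Security Group rule (the fields above) to the
IpPermissions element the EC2 API expects.

Added example, not CloudFlow code. The EC2 field mapping is an assumption
drawn from the EC2 API, not from the page. Assumed too: ICMP Type and ICMP
Sub-Type are given as numeric type/code, with -1 meaning all. Sample values
are constructed.
"""
import ipaddress

PROTOCOL_MAP = {"TCP": "tcp", "UDP": "udp", "ICMP": "icmp", "Any": "-1"}


def parse_port_range(value):
    """'22' -> (22, 22); '1024-65535' -> (1024, 65535). Raises ValueError otherwise."""
    lo, _, hi = str(value).strip().partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()) or not 0 <= int(lo) <= int(hi) <= 65535:
        raise ValueError(f"Port range: {value!r} is not a port or port range")
    return int(lo), int(hi)


def to_ip_permission(rule):
    """Build one IpPermissions element from the rule fields; raise ValueError on bad input."""
    proto = rule.get("Protocol")
    if proto not in PROTOCOL_MAP:
        raise ValueError("Protocol: select TCP, UDP, ICMP, or Any")
    perm = {"IpProtocol": PROTOCOL_MAP[proto]}

    if proto == "ICMP":
        # ICMP Type is shown only for ICMP; the sub-type (code) defaults to all (-1).
        perm["FromPort"] = int(rule.get("ICMP Type", -1))
        perm["ToPort"] = int(rule.get("ICMP Sub-Type", -1))
    elif proto == "Any":
        pass                                  # all traffic: no port fields at all
    else:
        if "Port range" not in rule:
            raise ValueError("Port range: required for TCP and UDP")
        perm["FromPort"], perm["ToPort"] = parse_port_range(rule["Port range"])

    kind = rule.get("Source / Destination Type")
    desc = rule.get("CloudFlow comment", "")
    if kind == "Any":
        perm["IpRanges"] = [{"CidrIp": "0.0.0.0/0", "Description": desc}]
        perm["Ipv6Ranges"] = [{"CidrIpv6": "::/0", "Description": desc}]
    elif kind == "IP Address":
        raw = rule.get("IP Addresses", "")
        if "," in raw:
            raise ValueError("IP Addresses: multiple values are not supported")
        # strict=True rejects a CIDR with host bits set (e.g. 192.168.99.5/24).
        cidr = str(ipaddress.ip_network(raw.strip(), strict=True))
        perm["IpRanges"] = [{"CidrIp": cidr, "Description": desc}]
    elif kind == "Security Group":
        if not rule.get("VPC") or not rule.get("Security Group"):
            raise ValueError("Security Group: select a VPC and then a security group")
        perm["UserIdGroupPairs"] = [{"GroupId": rule["Security Group"], "Description": desc}]
    else:
        raise ValueError("Source / Destination Type: select Any, IP Address, or Security Group")
    return perm


def check_rule(rule):
    """Return None when the rule converts cleanly, else the error message."""
    try:
        to_ip_permission(rule)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed sample rule, using the page's example CIDR.
    print(to_ip_permission({"Source / Destination Type": "IP Address",
                            "IP Addresses": "192.168.99.0/24", "Protocol": "TCP",
                            "Port range": "22", "CloudFlow comment": "admin ssh"}))
```

Seeing the converted structure makes two page rules concrete: a single CIDR is all the IP Address option carries, so a comma-separated list is rejected here rather than silently truncated, and 'Any' with protocol 'Any' produces an entry with no port restriction at all.
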
Google Cloud Firewall controls

Google Cloud Firewall rules are received from Google Cloud and can only be viewed.