Correct Answer: AB
A: TLS inspection

Azure Firewall Premium provides TLS inspection capability by decrypting the outbound traffic, inspecting it, processing it, and then re-encrypting the data and sending it to the destination. Azure Firewall Premium intercepts outbound HTTPS traffic and auto-generates a server certificate for the URL that you are trying to access. End-user browsers and client applications must trust your organization's Root CA certificate or intermediate CA certificate for this procedure to work.
Why TLS inspection is important
Encrypted traffic has a security risk, as it can hide illegal user activity and malicious traffic. Azure Firewall without TLS inspection has no visibility into the data that flows in the encrypted TLS tunnel, and so it cannot provide full protection coverage for the outbound traffic.
How TLS inspection works in Azure Firewall Premium
TLS inspection is achieved by using an intermediate CA certificate. An intermediate certificate acts as a stand-in for the root certificate, forming a "chain of trust" between an end-entity certificate and the root.
B: How to enable TLS inspection in Azure Firewall Premium with the auto-generate new certificate feature in a POC environment:

1. Navigate to the Azure Firewall Premium Policy on which you want to enable TLS inspection.
2. From the left menu pane, select TLS Inspection and click the Enabled option.
3. In the Key Vault section, under Managed identity, select (New) Managed Identity Name. The following new resources will be created with random names: a Managed Identity, a Key Vault, and a self-signed Root CA certificate.
4. Click the Save button at the bottom of the page to commit the changes.
5. Once saved, a new Managed Identity and a new Azure Key Vault will be created along with a new root certificate (you can view the certificate under the Certificates section).
6. Once you click the certificate, you get an option to download it in PFX/PEM or CER format. Download the certificate in .CER format and copy it to the end user's machine from which you would like to access a secure public website.
7. Configure an Application Rule in the Azure Firewall policy to allow the outbound web traffic from the end user's machine. Since TLS inspection is enabled in this outbound rule, all outbound traffic matching it will be inspected by the Azure Firewall.
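The declarative equivalent of steps 3 and 7, as an added example that is not part of the referenced blog post: a Premium firewall policy whose transport security points at a CA certificate already stored in Key Vault (the auto-generate option in the portal creates that vault and certificate for you), plus one application rule that terminates TLS so the matching traffic is inspected. The identity resource ID, Key Vault secret ID, certificate name, source subnet and target FQDN are placeholders.

```bicep
// Added example: Azure Firewall Premium policy with TLS inspection and one inspected application rule.
// All names and IDs below are placeholders; the CA certificate is assumed to already exist in Key Vault.
param location string = resourceGroup().location
param identityId string           // resource ID of the user-assigned managed identity (placeholder)
param certKeyVaultSecretId string // https://<vault>.vault.azure.net/secrets/<cert-name> (placeholder)

resource policy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'fw-policy-premium'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}   // the identity the firewall uses to read the certificate from Key Vault
    }
  }
  properties: {
    sku: { tier: 'Premium' }          // TLS inspection requires the Premium SKU
    threatIntelMode: 'Alert'
    transportSecurity: {
      certificateAuthority: {
        name: 'fw-tls-ca'             // certificate name as stored in Key Vault (placeholder)
        keyVaultSecretId: certKeyVaultSecretId
      }
    }
  }
}

resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web-inspected'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'client-subnet-https'
            sourceAddresses: [ '10.0.1.0/24' ]              // end-user subnet (placeholder)
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*.microsoft.com' ]              // allowed destination (placeholder)
            terminateTLS: true   // enables TLS inspection for traffic matching this rule
          }
        ]
      }
    ]
  }
}
```

Clients behind the firewall must still trust the CA named in `transportSecurity`, otherwise the re-signed server certificate fails validation in the browser.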
Incorrect:

* Threat intelligence: Azure Firewall threat intelligence-based filtering. You can enable threat intelligence-based filtering for your firewall to alert on and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team.
References:
https://techcommunity.microsoft.com/t5/azure-network-security-blog/building-a-poc-for-tls-inspection-in-azure-firewall/ba-p/3676723
https://learn.microsoft.com/en-us/azure/firewall/threat-intel