Intrusion Detection and Prevention System

What is IDPS?

A feature of Azure Firewall Premium
IDPS stands for “Intrusion Detection and Prevention System”
IDPS monitors network for malicious activities, logs activity related data, reports it, and attempts to block it
IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic

IDPS allows to detect attacks in all ports and protocols for non-encrypted traffic only
Traffic must be unencrypted or decrypt at Firewall, otherwise Firewall would not be able to inspect traffic and therefore IDPS would be in effect
For outbound traffic, use TLS Inspection feature of Azure Firewall Premium, so that IDPS can work
For inbound traffic, terminate TLS at application gateway and then send it to Firewall for futher inspection (not applicable when end-to-end TLS is required)

Azure Firewall Premium provides signature-based IDPS
Signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware
Firewall applies IDPS signatures to both application and network level traffic (layer 4~7)
IDPS signatures/rulesets continuously updated and managed by Azure
If any signature is matched, action will be taken based on IDPS mode and signature itself i.e. IDPS ise set “Alert and Deny” but signature only support alert

Azure Portal

Azure Firewall Premium - enable IDPS in Azure Portal

Signatures are also known as rulesets
There are (as of February, 2022) over 58,000 rules in over 50 categories
20 to 40+ new rules are released each day
Low false positive rating by using state-of-the-art malware sandbox and global sensor network feedback loop

Azure Firewall Premium - IDPS signature rules

The IDPS Bypass List allows us to not filter traffic for apecified IP addresses, ranges, and subnets.

Azure Firewall Premium - IDPS Bypass List