Azure Firewall Reviews

I used it for two of my clients. One of the clients used it for Azure Virtual Desktop implementation and for blocking the internet for the other applications in the IaaS. The use case for the other clients was also similar. It was put in there for holding up traffic and filtering traffic.

It provided ease of maintenance. If a new firewall was needed, we only had to run the pipelines for this. So, the maintenance was very easy.

It reduced work by 30%. It saved maintenance and operational costs by 15%.

The HTTPS Inspection feature was useful where HTTPS traffic is scanned before it goes over the line.

Its interface is okay, and it is very adjustable. I like IP groups and other things that you can do with it.

Rules management could be better. You have all kinds of rules, and they can put something better in place there.

There should be better monitoring and logging. Currently, it is put in Sentinel. It should be more seamless and from the interface.

It has been about two years.

Its stability is very good.

It is scalable. It was used across multiple regions. One of them had about 3,000 users, and the other one had about 5,000 users.

Their technical support is good. I would rate them an eight out of ten.

Positive

We used a different solution. We had on-prem Palo Alto. 

I was involved in its setup. I deployed it with Bicep pipelines. The maintenance was also via pipelines. Its setup was straightforward, especially with Terraform and Bicep. It was done in 10 minutes to 15 minutes.

It is a one-man job, but that is not our advice. It is better to have three or four people who have knowledge of the firewall system. If you have only one person and that person is sick, then you have a problem. You block the internet, and sometimes, you have to open it. So, it is better to do it with a small team. If there are a lot of changes, two to three people should be fine.

In terms of maintenance, there is only the maintenance of new ports or IP addresses, but that's operational management. That's not firewall management as such.

Our clients have seen about 25% return on investment.

It is expensive, especially with the premium functions.

For one of the clients, it was very expensive. You have to use it more at an enterprise level, and there, it was not at an enterprise level. So, it was very costly, but security-wise, it was a very wise decision to use it that way. 

The solution of Palo Alto and the other one, whose name I don't remember, were IaaS-based, but we wanted a platform as a service, and Azure Firewall is that.

If you have an ecosystem based on, for instance, Palo Alto, it would be better to use a Palo Alto firewall because they have one way of working and one interface, but if you have a greenfield deployment or your on-prem is old or legacy, then I would advise going for Azure Firewall.

Its basic features were enough for us. The single sign-on experience was also okay. We had no problem with that. If required, we can use Privileged Identity Management or MFA. All these features are there within Azure.

I would rate it an eight out of ten.

I have deployed Azure Firewall for a couple of my clients. They primarily use it for protecting their workloads and limiting incoming connections.

I also have a subscription but I use it primarily for testing.

The most valuable feature is threat intelligence. It is based on filtering and can identify multiple threats. It can easily detect threats and I have customers that have experienced this.

The malware signatures are updated automatically, which is helpful for new customers.

Compared to FortiGate and Palo Alto, Azure Firewall is not very flexible. There are multiple options for VPNs and the other features, and most of my clients are implementing third-party products that they are getting from the marketplace and other vendors.

The reporting, logging, and monitoring features, as well as the flexibility of the policies, need to be improved.

The visibility is much less with Azure Firewall than it is with other products.

I have been working with Azure Firewall for two years.

This is a firewall that I implement for my SMB customers. For example, one of my recent deployments was to a user base of between 300 and 500 people. In fact, it was their DR site, so there was no regular user traffic. The real-time users enter that site typically for maintenance.

 My enterprise clients normally choose to implement SonicWall NSV.

I have not had the opportunity to fully test the scalability but I can't see any limitations to it at this time.

I have opened a couple of cases with Azure and the technical support was fine. There were no issues with it.

I have experience with several other firewalls including FortiGate and Palo Alto.

Another product that I have sold to my enterprise customers is SonicWall NSV.

Compared to other firewall products, the setup is complex. I have faced problems setting up the DNAT, and there are some issues with setting up the certificates. I have also had trouble with service tag issues.

The basic deployment takes one day or two days at the maximum. The fine-tuning, where we have to monitor and identify the proper traffic, takes place over two or three weeks. Fine-tuning is an extensive part of it. It is important that the configuration is set up correctly.

We deploy this solution for our customers but they are responsible for the fine-tuning to their environment. I deploy it for our clients but I have another colleague who does it, as well.

Overall, this is a good product and we will continue working with it.

I would rate this solution a nine out of ten.

We are currently working with Microsoft, trying to develop a new solution which is based on VeloCloud. It's an SD-WAN solution. This product has not been launched in China yet and we still have some work to do. I'm the company owner and five of my team use Azure Firewall. It's a startup team and I work with Microsoft directly.  

The most valuable features of the product are its great security and connectivity. 

The interface could be improved, it's not very user friendly. They are now trying to compete with a new Chinese domestic public cloud provider which has more features. It's difficult to find the ports on the current interface, but it's easier with this new provider. 

We're looking to provide a better routing, or something like an SD-WAN solution that can improve the user experience. I think that's something Azure can do as an additional feature. There are five Azure clouds: Two belong to the US government and one is worldwide. Then there is Germany Azure and China Azure. China Azure is barely able to communicate with the rest of the world, and that connectivity issue needs to be looked at in detail and a solution found.

I've been using this product for three years. It's an online platform so you're always getting the latest version. 

It's a stable product. I've recently spent a lot of time on Palo Alto Firewalls and compared to that I would say that Azure Firewall is still a better firewall. They provide more and more features like SD-WAN or the cloud standard box feature.

I'm satisfied with the technical support overall. I generally chat with the Microsoft team on the phone. 

I'm still using Palo Alto, Cisco ASA, Fortinet, Check Point and Juniper. Basically I use all of them. For small businesses with one standard, though, I would recommend Azure Firewalls. It's quite simple and easy to implement the whole security policy. For medium and large enterprise companies, however, they already have their on-premise firewall devices implemented. Users are trying to centralize their firewall security management and they prefer it to using virtualized firewalls like Checkpoint Virtual Firewall or Fortinet Virtual Firewall. That way, they can leverage their user technology capability, and try using a single interface to manage those devices. 

From the virtual machine perspective, it's quite easy to set up. You can choose the image file from the public market, and then you can setup. However, the account, the Microsoft Azure identity, the whole creation process was very complex and it is not that user friendly. Users usually use their Azure ID, as well as sometimes providing the live ID. That's a second ID, and it confuses people.

The network firewall is a complex project, you have to review all the requirements. It's possible that sometimes the Azure Firewall won't be able to support some things because they customize their applications and they may not meet with the Azure Firewall's features. Each user has unique requirements on shaping or manipulating network traffic. I wouldn't recommend any product without doing the research.

I would rate this product an eight out of 10.

When we started using Azure Firewall, we learned quickly that it couldn't do much. As I remember, it was essentially a layer 3 or layer 4 firewall that couldn't distinguish recognized applications and things like that. But it was inexpensive compared to the Palo Alto stuff we were looking at, so we wound up staying with the firewall. Mainly it was just inspecting ports between virtual machines.

Azure Firewall definitely needs a broader feature base. It should be able to go all the way up to layer 7 when looking at applications and things like that. It needs to be comparable to what you would get from Cisco, Palo Alto, Checkpoint, or any of those guys. If it's going to be a firewall, it needs to be competitive. From a security standpoint, it's not any better than loading an IP table in a Linux box. In fact, Linux may even be better in that sense

I've been using Azure Firewall for probably about a year.

Azure Firewall wasn't scalable at all, but it did what it's supposed to do.

I honestly don't remember interfacing a lot with Azure support. I think that we were dealing with a third party, maybe. But I've been dealing with AWS for the last year, and it's a totally different experience in a good way. Their support is outstanding.

Setting up Azure Firewall was easy because all you were doing was configuring source, destination, port, and action. However, there was something weird. You have to number your rules set, and depending on your numbering system, that's how you would have to apply the filtering of the logic of the policy. And in that sense, it's a little bit quirky. I don't think that most firewalls work that way. It just reads the policy, and the algorithm is based on it filtering down through the policies until it hits a truth or a match. And then it makes a decision based on that.

Azure's cost-effectiveness is its major advantage. 

Each company will prioritize what it wants to work on. Azure may outperform AWS in some areas, but after working with the two platforms for roughly the same amount of time, I've found AWS friendlier and more sophisticated overall. AWS just seems to be a better platform for me, honestly.

I would rate Azure Firewall one out of 10. I give it the worst rating because security is so important. However, it depends on your security goals. But you have to look at what's out there and what you typically get out of a box. Even for a cheap application for your computer, Azure Firewall just isn't delivering. It doesn't have any personality at all or functionality even. I definitely wouldn't recommend it to anyone, but I would have to go back and visit it because it's been a year now. The features are so limited that it's pretty much a protocol-filtering product. 

Honestly, I think any serious security-minded entity will bypass Azure Firewall and look at some of the images from the third parties. I guess it's suitable for small outfits that aren't serious about security but want some basic protection. By the time I walked away, I  had spent a lot of hours on it, and I spent more time in my job trying to find a solution and pick the right one. I did everything to learn the firewall's feature set. I finally talked with someone at Microsoft who said, "We know what you want and what you're trying to do, but we're just not there yet."

They just told me to stay tuned. I got the impression Azure Firewall is a very immature product that would probably improve over time. But, at that moment, I didn't think it was unready. It's just that products are trying to achieve different things. You can't have all the horses in all places. It's one of those things where I felt like it would have to be some acquisition or complete outsourcing of the security component to somebody specialized in the area who can sell it as a firewall.

Basically, our organization is using the solution to inspect the traffic. I'm using the solution as the main defense system prior to de-traffication on the NGX layer (layer seven). Then, of course, we're forwarding to the Kubernetes cluster.

The solution has many useful features. For example, the solution allows users to create virtual IP addresses. 

The solution doesn't offer the same capabilities of Fortinet. It should offer intrusion prevention and advance filtering. These are two very useful features offered on Fortinet that Azure lacks.

There's already a web application firewall for detection, however, it isn't as useful as it could be. They should work to improve it.

In terms of prevention, I don't think it's any better than just a regular firewall. They need to add more security features to make it more powerful and more secure.

I've been using the solution for six months so far. It hasn't been too long.

The stability of the solution is excellent. It hasn't failed. There are no bugs, glitches, or crashes. It's reliable.

Azure uses an on-premises environment. I wouldn't use it for scalability purposes. In terms of scalability, our organization is much more inclined towards Fortinet's Fortigate virtual appliance rather than the Azure Firewall.

We provide services to our clients and help them maintain the product.

However, we have contacted technical support several times. We've submitted tickets and dealt with technical support directly. Occasionally, it takes a long period of time for them to get back to us. It does depend on the severity of the issues. In terms of feedback and output they've provided us, we have been very satisfied. They can just be a little slow.

We use both Azure Firewall and Fortinet solutions, including Fortigate. I personally find that Azure doesn't offer the same capabilities. Fortinet is better.

I'm not sure of the exact pricing, however, I do believe it is less expensive than Fortigate.

For Fortinet, we pay around $5,000 per year. It offers more, however. It, for example, also improves the intrusion detection system. We bought a Fortinet appliance two years ago and Azure Firewall didn't exist at the time.

We're Azure partners and have an enterprise agreement with the company, however, we may be switching. We also have a dedicated Account Manager with the company.

I'd rate the solution seven out of ten. It's missing a few capabilities our organization would really like to see.

We use Azure Firewall to protect customer workloads. 

Azure Firewall is a cloud-native solution that removes the pain of load balancers. 

The tool needs to improve the onboarding and transition process for on-prem users. 

I have been using the product for three years. 

The tool's stability is great. 

The solution's scalability is great. 

Microsoft's support is quick.

Positive

The tool's deployment is straightforward. 

We did the deployment internally. 

Azure Firewall is expensive. 

Azure Firewall has helped us save 30 percent of the time. We don't require time for designing architecture and support. It frees up time and helps me focus on other tasks. 

The product has helped us save a decent amount of money. I rate it an eight out of ten. 

We use it to protect the Azure space and to be the bridge between on-premise and the cloud.

When I have had a site-to-site VPN set up and configured, and would use it to allow ordinary traffic from the on-premise device to the cloud and from other third-party suppliers to the Azure platform.

We also use it to provide connectivity to various network security groups that have been created within Azure.

I would say that this solution is really good compared to other solutions that we have had before. We would have used the FortiGate firewall in the Azure space. 

We find this process was quicker. It would get a faster turnaround time once we would generate and modify the firewall rules. Because of the visibility, we would have seen it. When compared to FortiGate, it would get a bit more visibility in terms of integration with the security center so that we would be able to review based on overall posture, see what needs to be fixed, or what changes need to be made. 

The turnaround time turns off rules and any gaps that exist would increase the turnaround time for that as well. It would also help us to increase our response time and reduce our attack surface by 20% so far.

With the recent upgrade to the premium version, it facilitates IP Groups, URL filtering, TLS inspection, IDPs, and the Web Categories.

Before using the premium version, a lot of our customers had concerns with the URL filter, where you would not be able to allow or block a specific URL. The feature set without a premium version would only allow you to do it via IP address, which is tedious.

At times, many of these vendors would be using some kind of CDN solution. It would be the case where multiple IPs appear, changing behind the URL when it would be easier if you're using the URL feature. The URL maps onto the IP address and it would be the easiest way to do that.

I think that one of the best features is definitely the premium version, along with the IDPs in terms of the intrusion detection and prevention system.

Many other vendors, when you do not have the license for the IP at some point, then you would be left not being able to do any prevention. The fact that the premium version includes this is good.

The TLS inspection allows you to decrypt the outbound traffic and encrypt data. Otherwise, we would have been using our third-party vendors, and whatever solution is within Azure.

With the various business units, we will be reaching out to other solutions there are in the web category to reduce the attack surface to see if this is a category that is alone or not.

The fact that Azure also ties into a security center is another good feature. You can also get rid of that visibility because of the tight integration with these Azure products.

We had an instance where it wasn't processing the rules and we had to engage Microsoft to resolve that issue. Microsoft Support needs to improve its response time.

For larger enterprises, they need to adjust the scalability. This is the only issue that I'm have found that it attributed to the two weeks of downtime we had experienced.

They need to offer either a scaled-up or scaled-out version or versions for larger enterprise companies.

This would greatly improve the solution.

I have been using Azure Firewall for approximately two and a half years.

I have recently upgraded to the premium version.

Azure Firewall is pretty stable. 

I believe that they listen to various sponsors, which is why they were able to release the premium version. It is a more established firewall that vendors now have. 

I'm seeing where they have met up with the dynamics of the market, and I am expecting that they will be a leader sometime in the near future.

They need to find a way to scale it out or scale it up a bit more. The scalability, it's okay, but it needs a lot more improvement. For a regular customer that's utilizing it, that's good, but for large enterprise companies, it is not as good.

The industry is telecoms. We have millions of customers. For that type of environment, they need better and more scalability.

We haven't totally assessed the premium version to see if the new features offer greater scalability. 

We utilize it across the cloud estate. We plan to expand our subscriptions. Most definitely, we will increase our usage.

Recently, we transitioned to the premium version, which will be extended to the other subscription once it has been rolled out across 32 countries, and with more instances, it will be rolled out across various continents.

The turnaround time in resolving the issue where it wasn't processing the rules is an area that needs improvement. It wasn't resolved in a timely manner.

Microsoft support took a bit of time to assist us in resolving that issue. It created a bit of downtime for us and it was longer than we expected. 

I would say those would be the cons so far when utilizing it.

I would rate the Microsoft support a five out of ten because they did not respond in a timely manner and the impact it caused in terms of the downtime it created for us. We were down for a week or two during a high-impact period.

They were assisting us but it took a good amount of time to get it resolved when we needed to be putting out things daily. Two weeks is a long time for a fast-paced environment. 

Previously, we were using FortiGate Firewall. We switched because of the migrating of the Security Center and the ease of use. The cost was also considered.

The initial setup was straightforward.

We had another tool which was FortiGate. We migrated from FortiGate to the Azure Firewall.

It was a straightforward migration.

The deployment took approximately three to four weeks.

The implementation strategy would include copying over rules, ensuring that all the services are able to run, and also ensuring that both firewalls were running in parallel. Until we are sure that the Azure Firewall can handle the workload, both firewall products will continue to operate.

After that, we were able to power down the virtual appliance that was on the FortiGate Firewall.

We had it running for quite some time, approximately a month and a half. Because there were no issues, we stopped using the FortiGate Firewall altogether, once that process was complete.

We have a server team, a cloud team, and a network team to administer and maintain this solution. It's approximately eight to ten people, some are network security engineers, a network security manager, and network engineers.

There have been some cost benefits as well. When using another vendor in comparison where you bring your own license, the cost would have gone down. It's more cost-effective to use the Azure Firewall along with the premium version than using a third-party as an option from the marketplace. I would say that as well, where it gives you better spend in terms of OPEX. It's better value for your money.

The licensing module is good. Pricing is one of the reasons we switched to this solution.

For smaller businesses, they could probably put one or two features from premium into the regular standard versions. For example, that URL filtering is a pain point for many customers. 

If they could find a way to scale down that URL and the IPs feature to include it in the standard version, then that would allow them to get more traction and more customers from the small to medium-sized business perspective.

We were using Check Point mostly. We had decided to move to FortiGate, and then we moved to Azure Firewall. 

We did not go with Check Point because of the premium features such as the URL filtering, and the TLS inspection included with Check Point cost a lot more. This was the reason we chose the Azure Firewall.

It's a solid solution. I would tell anybody to definitely give it a try, and consider it as one of the options when looking for a firewall to use in Azure space.

I would say if they can go for the premium version upfront, rather than starting with the standard version, then trying to transition to a premium version. It addresses a lot of the issues and concerns in this space today. They should start with the premium rather than upgrade. Once they can afford it, go straight to premium.

I would rate Azure Firewall an eight out of ten.