Azure Firewall Reviews

We're SaaS providers. We use these firewalls to route our traffic from our partner to us.

Among the most valuable features are the

• DDoS protection which protects your virtual machines
• threat intelligence 
• traffic filtering.

If I had to pick one area that needs improvement it would be the antivirus functionality, because it doesn't scan traffic for malware. It needs TLS inspection.

The cloud team in our company has been using Azure Firewall for about two years, but I'm in the security team and I've been using it for a year. We're using the regular version, not the Premium version.

The stability of Azure Firewall is fine. I've never seen it go down.

There may be issues with the scalability, but I haven't tested it yet. When you test it in preview mode it's only around 3 to 3.5 Gbps.

The support from Microsoft is good.

Positive

We started using it because we were new to the cloud and, at that time, we didn't have options. We started using whatever came with Azure. Now that we have started to grow, we have started exploring other options.

We have different business units and each one has one person for deployment and maintenance of the solution.

We have looked at Azure Firewall Premium and at Palo Alto's firewalls.

When we did the comparison we found the regular version of Azure Firewall has limited visibility for IDPS, no TLS inspection, no app ID, no user ID, no content ID, no device ID. There is no antivirus or anti-spyware. Azure Firewall doesn't scan traffic for malware unless it triggers an IDPS signature. There is no sandbox or machine learning functionality, meaning we are not protected from Zero-day threats. There is no DNS security and limited web categories.

We're looking at switching to Palo Alto virtual firewalls, but we want to make sure that what we switch to is compatible with our environment.

Azure Firewall is fine, but it's not suitable for our organization and that's why we have decided to move away from it.

We use it to protect the Azure space and to be the bridge between on-premise and the cloud.

When I have had a site-to-site VPN set up and configured, and would use it to allow ordinary traffic from the on-premise device to the cloud and from other third-party suppliers to the Azure platform.

We also use it to provide connectivity to various network security groups that have been created within Azure.

I would say that this solution is really good compared to other solutions that we have had before. We would have used the FortiGate firewall in the Azure space. 

We find this process was quicker. It would get a faster turnaround time once we would generate and modify the firewall rules. Because of the visibility, we would have seen it. When compared to FortiGate, it would get a bit more visibility in terms of integration with the security center so that we would be able to review based on overall posture, see what needs to be fixed, or what changes need to be made. 

The turnaround time turns off rules and any gaps that exist would increase the turnaround time for that as well. It would also help us to increase our response time and reduce our attack surface by 20% so far.

With the recent upgrade to the premium version, it facilitates IP Groups, URL filtering, TLS inspection, IDPs, and the Web Categories.

Before using the premium version, a lot of our customers had concerns with the URL filter, where you would not be able to allow or block a specific URL. The feature set without a premium version would only allow you to do it via IP address, which is tedious.

At times, many of these vendors would be using some kind of CDN solution. It would be the case where multiple IPs appear, changing behind the URL when it would be easier if you're using the URL feature. The URL maps onto the IP address and it would be the easiest way to do that.

I think that one of the best features is definitely the premium version, along with the IDPs in terms of the intrusion detection and prevention system.

Many other vendors, when you do not have the license for the IP at some point, then you would be left not being able to do any prevention. The fact that the premium version includes this is good.

The TLS inspection allows you to decrypt the outbound traffic and encrypt data. Otherwise, we would have been using our third-party vendors, and whatever solution is within Azure.

With the various business units, we will be reaching out to other solutions there are in the web category to reduce the attack surface to see if this is a category that is alone or not.

The fact that Azure also ties into a security center is another good feature. You can also get rid of that visibility because of the tight integration with these Azure products.

We had an instance where it wasn't processing the rules and we had to engage Microsoft to resolve that issue. Microsoft Support needs to improve its response time.

For larger enterprises, they need to adjust the scalability. This is the only issue that I'm have found that it attributed to the two weeks of downtime we had experienced.

They need to offer either a scaled-up or scaled-out version or versions for larger enterprise companies.

This would greatly improve the solution.

I have been using Azure Firewall for approximately two and a half years.

I have recently upgraded to the premium version.

Azure Firewall is pretty stable. 

I believe that they listen to various sponsors, which is why they were able to release the premium version. It is a more established firewall that vendors now have. 

I'm seeing where they have met up with the dynamics of the market, and I am expecting that they will be a leader sometime in the near future.

They need to find a way to scale it out or scale it up a bit more. The scalability, it's okay, but it needs a lot more improvement. For a regular customer that's utilizing it, that's good, but for large enterprise companies, it is not as good.

The industry is telecoms. We have millions of customers. For that type of environment, they need better and more scalability.

We haven't totally assessed the premium version to see if the new features offer greater scalability. 

We utilize it across the cloud estate. We plan to expand our subscriptions. Most definitely, we will increase our usage.

Recently, we transitioned to the premium version, which will be extended to the other subscription once it has been rolled out across 32 countries, and with more instances, it will be rolled out across various continents.

The turnaround time in resolving the issue where it wasn't processing the rules is an area that needs improvement. It wasn't resolved in a timely manner.

Microsoft support took a bit of time to assist us in resolving that issue. It created a bit of downtime for us and it was longer than we expected. 

I would say those would be the cons so far when utilizing it.

I would rate the Microsoft support a five out of ten because they did not respond in a timely manner and the impact it caused in terms of the downtime it created for us. We were down for a week or two during a high-impact period.

They were assisting us but it took a good amount of time to get it resolved when we needed to be putting out things daily. Two weeks is a long time for a fast-paced environment. 

Previously, we were using FortiGate Firewall. We switched because of the migrating of the Security Center and the ease of use. The cost was also considered.

The initial setup was straightforward.

We had another tool which was FortiGate. We migrated from FortiGate to the Azure Firewall.

It was a straightforward migration.

The deployment took approximately three to four weeks.

The implementation strategy would include copying over rules, ensuring that all the services are able to run, and also ensuring that both firewalls were running in parallel. Until we are sure that the Azure Firewall can handle the workload, both firewall products will continue to operate.

After that, we were able to power down the virtual appliance that was on the FortiGate Firewall.

We had it running for quite some time, approximately a month and a half. Because there were no issues, we stopped using the FortiGate Firewall altogether, once that process was complete.

We have a server team, a cloud team, and a network team to administer and maintain this solution. It's approximately eight to ten people, some are network security engineers, a network security manager, and network engineers.

There have been some cost benefits as well. When using another vendor in comparison where you bring your own license, the cost would have gone down. It's more cost-effective to use the Azure Firewall along with the premium version than using a third-party as an option from the marketplace. I would say that as well, where it gives you better spend in terms of OPEX. It's better value for your money.

The licensing module is good. Pricing is one of the reasons we switched to this solution.

For smaller businesses, they could probably put one or two features from premium into the regular standard versions. For example, that URL filtering is a pain point for many customers. 

If they could find a way to scale down that URL and the IPs feature to include it in the standard version, then that would allow them to get more traction and more customers from the small to medium-sized business perspective.

We were using Check Point mostly. We had decided to move to FortiGate, and then we moved to Azure Firewall. 

We did not go with Check Point because of the premium features such as the URL filtering, and the TLS inspection included with Check Point cost a lot more. This was the reason we chose the Azure Firewall.

It's a solid solution. I would tell anybody to definitely give it a try, and consider it as one of the options when looking for a firewall to use in Azure space.

I would say if they can go for the premium version upfront, rather than starting with the standard version, then trying to transition to a premium version. It addresses a lot of the issues and concerns in this space today. They should start with the premium rather than upgrade. Once they can afford it, go straight to premium.

I would rate Azure Firewall an eight out of ten.

I used it for two of my clients. One of the clients used it for Azure Virtual Desktop implementation and for blocking the internet for the other applications in the IaaS. The use case for the other clients was also similar. It was put in there for holding up traffic and filtering traffic.

It provided ease of maintenance. If a new firewall was needed, we only had to run the pipelines for this. So, the maintenance was very easy.

It reduced work by 30%. It saved maintenance and operational costs by 15%.

The HTTPS Inspection feature was useful where HTTPS traffic is scanned before it goes over the line.

Its interface is okay, and it is very adjustable. I like IP groups and other things that you can do with it.

Rules management could be better. You have all kinds of rules, and they can put something better in place there.

There should be better monitoring and logging. Currently, it is put in Sentinel. It should be more seamless and from the interface.

It has been about two years.

Its stability is very good.

It is scalable. It was used across multiple regions. One of them had about 3,000 users, and the other one had about 5,000 users.

Their technical support is good. I would rate them an eight out of ten.

Positive

We used a different solution. We had on-prem Palo Alto. 

I was involved in its setup. I deployed it with Bicep pipelines. The maintenance was also via pipelines. Its setup was straightforward, especially with Terraform and Bicep. It was done in 10 minutes to 15 minutes.

It is a one-man job, but that is not our advice. It is better to have three or four people who have knowledge of the firewall system. If you have only one person and that person is sick, then you have a problem. You block the internet, and sometimes, you have to open it. So, it is better to do it with a small team. If there are a lot of changes, two to three people should be fine.

In terms of maintenance, there is only the maintenance of new ports or IP addresses, but that's operational management. That's not firewall management as such.

Our clients have seen about 25% return on investment.

It is expensive, especially with the premium functions.

For one of the clients, it was very expensive. You have to use it more at an enterprise level, and there, it was not at an enterprise level. So, it was very costly, but security-wise, it was a very wise decision to use it that way. 

The solution of Palo Alto and the other one, whose name I don't remember, were IaaS-based, but we wanted a platform as a service, and Azure Firewall is that.

If you have an ecosystem based on, for instance, Palo Alto, it would be better to use a Palo Alto firewall because they have one way of working and one interface, but if you have a greenfield deployment or your on-prem is old or legacy, then I would advise going for Azure Firewall.

Its basic features were enough for us. The single sign-on experience was also okay. We had no problem with that. If required, we can use Privileged Identity Management or MFA. All these features are there within Azure.

I would rate it an eight out of ten.

It is associated with our web resources, such as PaaS applications. I don't use it that much. I spend way more time working with function apps or something else on the Azure platform.

I am using its latest version.

I can easily configure it.

You have to have a defined IP range within your network to associate it with your network. The problem is you have to plan ahead of time if you expect to use the firewall in the future so that you don't have to reconfigure your subnets or that specific IP range. Other than that, I don't any issues. I use it for basic configuration for a single application, so I really don't try to leverage it for multiple applications where I might find some complexity or challenges.

I have been using this solution for four years.

I don't get into any kind of real scale configuration. There might be bugs that I don't know because I just use the general configuration.

I can't say about scalability, but we have 20,000 employees.

I have not used their technical support.

Most of the time, I've used Azure Firewall for cloud services. We also have AWS, and then, of course, we have hardware firewalls on-premise, but I haven't worked with anything.

It is pretty straightforward for what I'm using it for.

I would rate Azure Firewall a seven out of 10.

Azure Firewall's feature that I have found most valuable is its scalability.

In terms of what could be improved, it lacks a couple of features which are available in the other marketplace products, but it is stable and it performs most of the basic functions that are expected from a normal firewall.

When we deployed we did not have a centralized management of multiple firewalls. Right now, with Azure Firewall, we cannot have a normal inbound traffic flow. For inbound, Microsoft suggests using application gateways, so the options are very limited. I cannot use this firewall as an intermediate firewall because of the limitations, and I cannot point routing to another firewall. So if I want to use back-to-back firewall architecture in my environment, I cannot use Azure Firewall for that type of configuration either. 

Other features I would like to see are intrusion prevention, URL filtering, category-based URL filtering and other advanced features.

Overall, the configuration can definitely be improved.

In terms of the overall product architecture, if the management and the architecture of the product could support back-to-back firewall architectures so that I could use Azure Firewall in combination with another firewall, that would be one point which would help this product be used more and in a better way.

Again, if the Azure Firewall could be accommodated as a back-to-back firewall, meaning if it could work as a firewall which handles the inbound traffic from the internet, which is an NVA, or a network virtual appliance, and we could reroute the traffic to Azure Firewall, that would be good. But as of now, there is no routing options in Azure Firewall.

I have been using Azure Firewall for eight months.

We are not using the latest version since we deployed it quite some time back.

Azure Firewall is quite stable.

We have thousands of people using it.

Technical support is okay.

Azure Firewall has an easy installation.

I would only recommend Azure Firewall depending on the requirements. If it is an enterprise that has basic requirements and needs to do packet filtering and a certain level of intrusion prevention, so for the level of IP whitelisting, it's a good product.

It is easy to manage and it is scalable.

On a scale of one to ten, I would give Azure Firewall a six because of the configuration issue.

In terms of NAT configuration, the configuration management is one issue. Another issue is intrusion prevention with the NAT configuration and the URL category-based filtering features. The ease of manageability and the ease of configuration of these features could be easier.

We mostly utilize the solution for effectively controlling the networks.

The ability to provide better control of the traffic is the solution's most valuable aspect.

The solution is stable.

The solution can autoscale.

The initial setup is pretty easy.

Technical support has been good to us so far.

The solution isn't missing features per se.

Azure should be able to work better as a balancer also, instead of just being a firewall. It should have a wider mandate.

There should be more use cases, specifically use cases for domains for, for example, healthcare and specific use cases for web applications.

I've been using the solution for one year.

The stability of the solution is good. We haven't had any issues. It's a managed service.

The solution is autoscalable. It scales based on your deployment and/or based on your loads, due to the fact that it's a managed service. A company that expects to expand shouldn't have a problem scaling with this solution.

We have about 50-100 users on the solution currently. We may increase usage in the future.

We've had some experience with technical support from Azure. We've found them to be quite good and are satisfied with the level of service that's been provided. I would say they ar knowledgeable and responsive to our queries.

Before Azure Firewall, I used to work on a VPN-based firewall. 

The solution doesn't have a complex installation process. It's pretty straightforward to implement. When we went forward with the solution we didn't face any setup issues.

Our initial deployment took about three months, and, now that it's a managed service, we've handed the deployment over to them.

I'm not sure how many staff members we used for deployment and how many handle any maintenance aspects.

While we handled the initial implementation, we get Azure to handle the deployments for us. We didn't use a reseller or a consultant to assist with the deployment.

We're just a customer at this time. We don't have any kind of special business relationship with Azure.

I'm not sure which version of the solution I'm currently using is.

I'd rate the solution seven out of ten overall. It works well for us in terms of controlling traffic and if is stable and can scale, however, there should be more use cases available.

On-premise to cloud <-> Cloud to on-premise

Managed service.

Scalability, multi-zone and FQDN TAgs.

In a future release, it could be empowered by combining with Azure Private DNS and Front Door.

We've been using the solution for 1 year

The solution is very stable. When comparing it to other environments, it's actually quite impressive.

The solution is scalable.

We deal with technical support on a regular basis. I'd rate the service we've received ten out of most of the support tickets. 

We use several solutions.

Unfortunately, I don't handle the finances or payments for the solution, so I can't compare to others.

FortiGate - also nice solution...

We've used both the on-premises as well as the cloud deployment models. We also occasionally use a hybrid model. During migrations, we use hybrids. Once the migration is done, we move onto the full cloud and pass if over to private cloud or have public access as necessary.

The Azure firewall is prioritized as it is managed solution and does not require any infrastructure base (backbone) hardware support.

Azure Firewall makes up part of our security solution. We use it internally but we are a consulting company and also advise our customers on the use of it.

The most valuable feature is the integration into the overall cloud platform. The orchestration is very easy using automation with APIs and scripts.

Currently, it only supports IP addresses, so you have to be specific about the IPs that are in your environment. They could add specific instance names, such as an instance ID to be specified or a resource group.

Tagging is supported but not on the instances, which is something that could be improved.

The selection of the internal resources into the ruleset could be improved.

Support for layer-seven application filtering should be added because it is not there yet, at all.

It is capable of filtering on the fully qualified domain name (FQDN) but it cannot do the more advanced features that Palo Alto or FortiGate can do, where you can grant or limit access to Facebook but you don't need to specify the domain name because it knows about Facebook as an application. You should be able to simply say "Allow Facebook", but also have it block Facebook Chat, for example. Having control over those specific application protocols within the traffic would be an improvement.

The documentation from Microsoft could be slightly improved, although it could be related to the fact that the product is quickly changing. It may be a case that the documentation updates are of a lower priority than the product itself.

I have been using the Azure Firewall for about one year.

The stability is excellent.

The scalability is very good and you don't have to think about sizing, as in the case of a traditional firewall where you have to think about the throughput. With Azure Firewall, it scales automatically.

We have customers ranging in size from small to enterprise-level organizations. One of them is a large company with 40,000 users on Azure Firewall.

We use the customer support that our customer has access to. If they have enterprise support then we use it, whereas if they do not then we use standard support.

Personally, my experience with Microsoft support has been very good. Their professionals are very quick to respond and they have good feedback. They also have very good support forums and the documentation is fairly good. 

I have experience with similar solutions by Palo Alto and Fortinet. With the inclusion of more advanced features, Azure Firewall will be on par with these products.

The initial setup is straightforward and very easy.

My advice to anybody who is considering this solution is to be clear about your requirements. It is critical to know what the capabilities of the firewall are, as well as what is nice to have when it comes to filtering and protecting the environment.

There are different threat profiles when it comes to protecting user traffic. For example, in a VDI environment, where the users are in the cloud, generating traffic and browsing the internet on virtual machines, Azure might not be the best fit. On the other hand, to protect the workloads on servers like application servers or database servers, it's a perfect fit. So, it is important to be clear about the use cases in order to determine whether it is suitable.

This is a relatively new product but Microsoft is really fast in their development and you never know what they are planning. In perhaps six months, I might rate it a ten out of ten. Nonetheless, at this time there is still some room for improvement.

I would rate this solution a nine out of ten.