8. + Azure Firewall Management Options
• Firewall Rules (Classic) Management
  • Management via each Azure Firewall resource itself
  • Can be regarded as local management
  • Only supports Azure Firewall Standard
• Azure Firewall Manager (Firewall Policy)
  • Centralized management for multiple Azure Firewalls
  • Azure Firewall Premium only supports the Azure Firewall Manager central management option
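The policy-based model described above, as an added Bicep example (not code from the Packet Systems deck): one central Firewall Policy attached to an Azure Firewall Premium, with the rules living in the policy rather than on the firewall resource. The resource names, the hub VNet (assumed to already contain an AzureFirewallSubnet) and the spoke address range are assumed values; the Service Tag and FQDN Tag in the rules are the Azure-specific shortcuts the deck mentions.

```bicep
// Added example, not from the deck: central Firewall Policy + Azure Firewall Premium.
// hubVnetName and spokeRange are assumed values for illustration.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'      // assumed: existing hub VNet with AzureFirewallSubnet
param spokeRange string = '10.1.0.0/16'    // assumed: workload address space governed by the policy

// The policy is the single management object. Firewalls in other regions or
// subscriptions reference fwPolicy.id instead of carrying local (classic) rules.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'corp-fw-policy'
  location: location
  properties: {
    sku: { tier: 'Premium' }              // a Premium firewall requires a Premium policy
    threatIntelMode: 'Alert'
    intrusionDetection: { mode: 'Alert' } // IDPS, the L7 feature the deck lists as supported
  }
}

// Rule collection group inside the policy: a network rule keyed on a Service Tag
// and an application rule keyed on an FQDN Tag.
resource egressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: fwPolicy
  name: 'egress-rcg'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-platform-egress'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'keyvault-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ spokeRange ]
            destinationAddresses: [ 'AzureKeyVault' ] // Service Tag, resolved by the platform
            destinationPorts: [ '443' ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update'
            sourceAddresses: [ spokeRange ]
            fqdnTags: [ 'WindowsUpdate' ]             // FQDN Tag, list maintained by Microsoft
            protocols: [ { protocolType: 'Https', port: 443 } ]
          }
        ]
      }
    ]
  }
}

// Public IP required by a VNet-deployed firewall.
resource fwPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
  name: 'hub-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// The firewall itself holds no rule collections; it binds to the policy.
resource firewall 'Microsoft.Network/azureFirewalls@2022-07-01' = {
  name: 'hub-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Premium' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet')
          }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
}

// Private IP of the firewall, used as the next hop in spoke route tables.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```

Because rules are attached to `fwPolicy` and not to `firewall`, a rule change is made once and reaches every firewall that references the policy; under the classic model the same change would have to be repeated on each firewall resource. The `firewallPrivateIp` output is what the spoke route tables point at.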
PACKET SYSTEMS
CONFIDENTIAL
8
16. + Azure Firewall vs 3rd Party NVA
17. + Azure Firewall vs NSG
• Azure Firewall is different from a Network Security Group (NSG)
• The two complement each other to provide “Defense-in-Depth”
• Network security groups provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription
• Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks
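The layering described above, as an added Bicep example (not code from the deck): a spoke subnet gets a distributed NSG for L3/L4 filtering plus a route table that sends all Internet-bound traffic to the central Azure Firewall for network- and application-level inspection. The spoke VNet, the hub range and the firewall's private IP are assumed values.

```bicep
// Added example, not from the deck: NSG (distributed, per-subnet) + UDR to the
// central Azure Firewall. spokeVnetName, hubRange and firewallPrivateIp are assumed.
param location string = resourceGroup().location
param spokeVnetName string = 'spoke-vnet'     // assumed: existing spoke VNet
param hubRange string = '10.0.0.0/16'         // assumed: hub VNet address space
param firewallPrivateIp string = '10.0.1.4'   // assumed: private IP of the hub Azure Firewall

// Layer 1: NSG. Only knows IPs, ports and Service Tags, so it cannot filter by FQDN;
// it narrows what can leave the subnet at all before the firewall sees it.
resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'app-subnet-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-inbound-https-from-hub'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: hubRange
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-inbound-internet'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'   // Service Tag
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Outbound is evaluated on the original destination, not on the UDR next hop,
        // so only TCP 443 toward the Internet is permitted; the firewall then decides per FQDN.
        name: 'allow-outbound-https-only'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-outbound-other-internet'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Layer 2: route table. Default route to the firewall so egress that the NSG
// allowed is still inspected centrally (application rules, threat intel, IDPS).
resource rt 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'app-subnet-rt'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-azure-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: spokeVnetName
}

// Both layers attach to the same workload subnet.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: spokeVnet
  name: 'app-subnet'
  properties: {
    addressPrefix: '10.1.1.0/24'   // assumed
    networkSecurityGroup: { id: nsg.id }
    routeTable: { id: rt.id }
  }
}
```

A flow from the subnet must pass both layers: the NSG drops anything that is not TCP 443 at the source, and the firewall, reached via the route table, applies the centrally managed FQDN and threat-intelligence rules to what remains. Removing either layer leaves a gap the other does not cover, which is the defense-in-depth point of the slide.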
20. + Key Advantages and Disadvantages: Azure Firewall vs NVAs (NGFW)
• Advantages:
  • Built-in HA with cloud scale
  • Easy deployment
  • 99.99% availability SLA
  • Zero-maintenance service model (no updates or upgrades)
  • Azure specialization (for example Service Tags, FQDN Tags)
  • Native Azure Sentinel integration
• Disadvantages:
  • Limited NGFW L7 capability for now: only IPS and URL filtering are supported; sandboxing and application control are not yet supported (March 2022)
  • No direct IPsec / SSL VPN support (needs Azure VPN Gateway)
  • No traffic shaping / QoS
  • No geolocation blocking features
  • No file-type blocking
  • Listed as a Challenger in the Gartner Magic Quadrant for Network Firewalls 2021
  • Inbound TLS inspection not supported (needs Azure Application Gateway)
21. + Key Advantages and Disadvantages: NVA NGFWs vs Azure Firewall
• Advantages:
  • State-of-the-art next-generation firewall capabilities (IPS, anti-malware, URL filtering, sandboxing, etc.)
  • Industry leaders (Palo Alto, Fortinet, Check Point)
  • Support features such as geoblocking, QoS, central management (on-prem and cloud), file-type blocking
  • Customer can manage on-prem and cloud NGFWs from a single pane of glass
  • Direct IPsec and SSL VPN capabilities (no need to depend on Azure VPN Gateway)
• Disadvantages:
  • Scalability can be complex (complex IaaS deployment)
  • Additional cost for VM licensing and subscription (PAYG / BYOL)
  • Additional cost for Azure resource consumption (compute, storage, load balancer if HA is required)
  • Customer is responsible for managing and maintaining 3rd-party NVAs
22. + Use Azure Firewall When…
• Flexible scalability and high availability is the top priority
  • Autoscales with usage
  • Simpler deployment (no additional VM, autoscale group, routing manipulation, load balancer, etc.)
• Single Microsoft Azure ecosystem
• Simpler security requirements (no need for advanced capabilities, e.g. sandboxing, zero-day malware analysis, application control, etc.)
• Firewalls are not used as a VPN gateway or for inbound TLS inspection (reverse proxy)
23. + Use 3rd Party NVA When…
• Security considerations are the priority
  • 3rd-party NVAs (vendor dependent) support advanced security capabilities such as application control, user-aware rules, traffic shaping, sandboxing, zero-day malware analysis, inline machine learning, etc.
• Scalability and high availability can be architected well (autoscale group if needed, BYOL/PAYG license considerations, routing complexity, availability zone design, etc.)
• Inbound TLS inspection, VPN or SD-WAN termination is needed in a single solution or in fewer solutions
• Centralized management is needed between existing on-premises firewalls and firewalls in the cloud
24. + Sample Objection from 3rd Party NVA (Cisco)
26. + What’s Next in the Future?
27. + THANK YOU
www.packet-systems.com
PT Packet Systems Indonesia
The Manhattan Square, Mid Tower 25/f
Jl. TB Simatupang kav. 1s
Jakarta 12560, Indonesia