forked from erjosito/azure-firewall-rules-scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy patho365_rules.py
More file actions
270 lines (254 loc) · 11.4 KB
/
o365_rules.py
File metadata and controls
270 lines (254 loc) · 11.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
import requests
import argparse
import json
import re
# Helper functions
# True if any of the urls contained in the URL list contains a wildcard ('*')
def urls_contain_wildcard(urls):
for url in urls:
if '*' in url:
return True
return False
# Check whether URLs are correct:
# - Wildcard needs to be in the beginning of the string, not valid in the middle
def verify_urls(urls):
corrected_urls = []
for url in urls:
if url.find('*') <= 0:
corrected_urls.append(url)
else:
corrected_urls.append(url[url.find('*'):])
if args.verbose:
print("WARNING: URL {0} reduced to {1}".format(url, url[url.find('*'):]))
return corrected_urls
# Filters out IP addresses based on the args.ip_version parameter (can be ipv4, ipv6 or both)
def filter_ips(ip_list):
# For both versions, dont filter
if args.ip_version == 'both':
return ip_list
else:
filtered_ips = []
for ip in ip_list:
# For 'ipv4', return only those who match the IPv4 check
if is_ipv4(ip) and (args.ip_version == 'ipv4'):
filtered_ips.append(ip)
# For 'ipv6', return only non-IPv4 addresses (assumed to be ipv6 then)
elif (not is_ipv4(ip)) and (args.ip_version == 'ipv6'):
filtered_ips.append(ip)
# if args.verbose:
# print("DEBUG: IP list {0} filtered to {1}".format(str(ip_list), str(filtered_ips)))
return filtered_ips
# True if parameter is an ipv4 address
def is_ipv4(ip_address):
return bool(re.match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)$",str(ip_address)))
# Arguments
parser = argparse.ArgumentParser(description='Generate an ARM template to create a Rule Collection Group in an Azure policy with rules that allow access to M365 endpoints.')
parser.add_argument('--policy-name', dest='policy_name', action='store',
default="o365policy",
help='Name for the Azure Firewall Policy. The default is "o365policy"')
parser.add_argument('--policy-sku', dest='policy_sku', action='store',
default="Standard",
help='SKU for the Azure Firewall Policy. Possible values: Standard, Premium (default: Standard)')
parser.add_argument('--do-not-create-policy', dest='dont_create_policy', action='store_true',
default=False,
help='If specified, do not include ARM code for the policy, only for the rule collection group. Use if the policy already exists.')
parser.add_argument('--rcg-name', dest='rcg_name', action='store',
default="o365",
help='Name for the Rule Collection Group to create in the Azure Firewall Policy. The default is "o365"')
parser.add_argument('--rcg-priority', dest='rcg_prio', action='store',
default="10000",
help='Priority for the Rule Collection Group to create in the Azure Firewall Policy. The default is "10000"')
parser.add_argument('--format', dest='format', action='store',
default="json",
help='Output format. Possible values: json, none')
parser.add_argument('--ip-version', dest='ip_version', action='store',
default="ipv4",
help='IP version of AzFW rules. Possible values: ipv4, ipv6, both. Default: ipv4')
parser.add_argument('--pretty', dest='pretty', action='store_true',
default=False,
help='Print JSON in pretty mode (default: False)')
parser.add_argument('--verbose', dest='verbose', action='store_true',
default=False,
help='Run in verbose mode (default: False)')
args = parser.parse_args()
# Variables
o365_endpoints_url = 'https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7'
app_rules = []
net_rules = []
rcg_name = args.rcg_name
rcg_prio = args.rcg_prio
rc_app_name = 'o365app'
rc_app_prio = "11000"
rc_net_name = 'o365net'
rc_net_prio = "10900"
# Get O365 endpoints from the Internet
response = requests.get(o365_endpoints_url)
if response.status_code == 200:
if args.verbose:
print ("DEBUG: File {0} downloaded successfully".format(o365_endpoints_url))
try:
# Deserialize JSON to object variable
o365_data = json.loads(response.text)
except Exception as e:
print("Error deserializing JSON content: {0}".format(str(e)))
sys.exit(1)
# Go through the rules
cnt_apprules = 0
cnt_netrules_ip = 0
cnt_netrules_fqdn = 0
cnt_endpoints = 0
for endpoint in o365_data:
cnt_endpoints += 1
# IP-based Net Rule
if ('ips' in endpoint):
cnt_netrules_ip += 1
if ('ips' in endpoint) and (('tcpPorts' in endpoint) or ('udpPorts' in endpoint)):
new_rule = {
'name': 'id' + str(endpoint['id']) + '-' + str(endpoint['serviceAreaDisplayName']).replace(" ", ""),
'ruleType': 'NetworkRule',
'sourceAddresses': [ '*' ],
'destinationAddresses': filter_ips(endpoint['ips']),
'destinationFqdns': []
}
if 'tcpPorts' in endpoint:
new_rule['ipProtocols'] = [ 'tcp' ]
new_rule['destinationPorts'] = str(endpoint['tcpPorts']).split(",")
else:
new_rule['ipProtocols'] = [ 'udp' ]
new_rule['destinationPorts'] = str(endpoint['udpPorts']).split(",")
net_rules.append(new_rule)
# Watch out for UDP+TCP!
if ('udpPorts' in endpoint) and ('tcpPorts' in endpoint):
print("WARNING: Endpoint ID {0} has both TCP and UDP ports!".format(endpoint['id']))
else:
if not ('ips' in endpoint):
print('ERROR: Endpoint ID {0} is IP-based with wildcards, but does not have ips'.format(endpoint['id']))
if not ('udpPorts' in endpoint):
print('ERROR: Endpoint ID {0} is IP-based with wildcards, but does not have udpPorts'.format(endpoint['id']))
if args.verbose:
print('DEBUG: endpoint:', str(endpoint))
# App Rule
elif ('tcpPorts' in endpoint) and ((endpoint['tcpPorts'] == "80,443") or (endpoint['tcpPorts'] == "443,80") or (endpoint['tcpPorts'] == "443") or (endpoint['tcpPorts'] == "80")):
cnt_apprules += 1
if 'urls' in endpoint:
new_rule = {
'name': 'id' + str(endpoint['id']) + '-' + str(endpoint['serviceAreaDisplayName']).replace(" ", ""),
'ruleType': 'ApplicationRule',
'sourceAddresses': [ '*' ],
'targetFqdns': verify_urls(endpoint['urls']),
'protocols': []
}
dst_ports = str(endpoint['tcpPorts']).split(",")
if '80' in dst_ports:
new_rule['protocols'].append({'protocolType': 'Http', 'port': 80})
if '443' in dst_ports:
new_rule['protocols'].append({'protocolType': 'Https', 'port': 443})
app_rules.append(new_rule)
else:
print('ERROR Endpoint ID {0} is web-based but does not have URLs'.format(endpoint['id']))
# FQDN-based Net Rule
else:
cnt_netrules_fqdn += 1
if ('urls' in endpoint) and (('tcpPorts' in endpoint) or ('udpPorts' in endpoint)):
new_rule = {
'name': 'id' + str(endpoint['id']) + '-' + str(endpoint['serviceAreaDisplayName']).replace(" ", ""),
'ruleType': 'NetworkRule',
'sourceAddresses': [ '*' ],
'destinationAddresses': [],
'destinationFqdns': endpoint['urls'],
}
if 'tcpPorts' in endpoint:
new_rule['ipProtocols'] = [ 'tcp' ]
new_rule['destinationPorts'] = str(endpoint['tcpPorts']).split(",")
else:
new_rule['ipProtocols'] = [ 'udp' ]
new_rule['destinationPorts'] = str(endpoint['udpPorts']).split(",")
net_rules.append(new_rule)
# Watch out for UDP+TCP!
if ('udpPorts' in endpoint) and ('tcpPorts' in endpoint):
print("WARNING: Endpoint ID {0} has both TCP and UDP ports!".format(endpoint['id']))
else:
if not ('urls' in endpoint):
print('ERROR: Endpoint ID {0} is IP-based with wildcards, but does not have urls'.format(endpoint['id']))
if not ('udpPorts' in endpoint):
print('ERROR: Endpoint ID {0} is IP-based with wildcards, but does not have udpPorts'.format(endpoint['id']))
if args.verbose:
print('DEBUG: endpoint:', str(endpoint))
##########
# Output #
##########
# Generate JSON would be creating an object and serialize it
if args.format == "json":
api_version = "2021-02-01"
azfw_policy_name = args.policy_name
arm_template = {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#',
'contentVersion': '1.0.0.0',
'parameters': {},
'variables': {
'location': '[resourceGroup().location]'
},
'resources': []
}
if not args.dont_create_policy:
resource_policy = {
'type': 'Microsoft.Network/firewallPolicies',
'apiVersion': api_version,
'name': azfw_policy_name,
'location': '[variables(\'location\')]',
'properties': {
'sku': {
'tier': args.policy_sku
},
'dnsSettings': {
'enableProxy': 'true'
},
'threatIntelMode': 'Alert'
}
}
arm_template['resources'].append(resource_policy)
resource_rcg = {
'type': 'Microsoft.Network/firewallPolicies/ruleCollectionGroups',
'apiVersion': api_version,
'name': azfw_policy_name + '/' + rcg_name,
'dependsOn': [],
'location': '[variables(\'location\')]',
'properties': {
'priority': rcg_prio,
'ruleCollections': []
}
}
if not args.dont_create_policy:
resource_rcg['dependsOn'].append('[resourceId(\'Microsoft.Network/firewallPolicies\', \'' + azfw_policy_name +'\')]'),
resource_net_rc = {
'ruleCollectionType': 'FirewallPolicyFilterRuleCollection',
'name': rc_net_name,
'priority': rc_net_prio,
'action': {
'type': 'allow'
},
'rules': net_rules
}
resource_app_rc = {
'ruleCollectionType': 'FirewallPolicyFilterRuleCollection',
'name': rc_app_name,
'priority': rc_app_prio,
'action': {
'type': 'allow'
},
'rules': app_rules
}
resource_rcg['properties']['ruleCollections'].append(resource_net_rc)
resource_rcg['properties']['ruleCollections'].append(resource_app_rc)
arm_template['resources'].append(resource_rcg)
if args.pretty:
print(json.dumps(arm_template, indent=4, sort_keys=True))
else:
print(json.dumps(arm_template))
elif args.format == "none":
if args.verbose:
print('DEBUG: {0} endpoints analized: {1} app rules, {2} FQDN-based net rules and {3} IP-based net rules'.format(str(cnt_endpoints), str(cnt_apprules), str(cnt_netrules_fqdn), str(cnt_netrules_ip)))
# print('DEBUG: Net rules:', str(net_rules))
# print('DEBUG: App rules:', str(app_rules))
else:
print ("Format", args.format, "not recognized!")