Firewall Policy Rule Collection Group

The following arguments are supported:

• name - (Required) The name which should be used for this Firewall Policy Rule Collection Group. Changing this forces a new Firewall Policy Rule Collection Group to be created.
• firewall_policy_id - (Required) The ID of the Firewall Policy where the Firewall Policy Rule Collection Group should exist. Changing this forces a new Firewall Policy Rule Collection Group to be created.
• priority - (Required) The priority of the Firewall Policy Rule Collection Group. The range is 100-65000.

• application_rule_collection - (Optional) One or more application_rule_collection blocks as defined below.
• nat_rule_collection - (Optional) One or more nat_rule_collection blocks as defined below.
• network_rule_collection - (Optional) One or more network_rule_collection blocks as defined below.

A application_rule_collection block supports the following:

• name - (Required) The name which should be used for this application rule collection.
• action - (Required) The action to take for the application rules in this collection. Possible values are Allow and Deny.
• priority - (Required) The priority of the application rule collection. The range is 100 - 65000.
• rule - (Required) One or more application_rule (application rule) blocks as defined below.

A network_rule_collection block supports the following:

• name - (Required) The name which should be used for this network rule collection.
• action - (Required) The action to take for the network rules in this collection. Possible values are Allow and Deny.
• priority - (Required) The priority of the network rule collection. The range is 100 - 65000.
• rule - (Required) One or more network_rule (network rule) blocks as defined below.

A nat_rule_collection block supports the following:

• name - (Required) The name which should be used for this NAT rule collection.
• action - (Required) The action to take for the NAT rules in this collection. Currently, the only possible value is Dnat.
• priority - (Required) The priority of the NAT rule collection. The range is 100 - 65000.
• rule - (Required) A nat_rule (NAT rule) block as defined below.

A application_rule (application rule) block supports the following:

• name - (Required) The name which should be used for this rule.
• description - (Optional) The description which should be used for this rule.
• protocols - (Optional) One or more protocols blocks as defined below. Not required when specifying destination_fqdn_tags, but required when specifying destination_fqdns.
• source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
• source_ip_groups - (Optional) Specifies a list of source IP groups.
• destination_addresses - (Optional) Specifies a list of destination IP addresses (including CIDR, IP range and *).
• destination_urls - (Optional) Specifies a list of destination URLs for which policy should hold. Needs Premium SKU for Firewall Policy. Conflicts with destination_fqdns.
• destination_fqdns - (Optional) Specifies a list of destination FQDNs. Conflicts with destination_urls.
• destination_fqdn_tags - (Optional) Specifies a list of destination FQDN tags.
• terminate_tls - (Optional) Boolean specifying if TLS shall be terminated (true) or not (false). Must be true when using destination_urls. Needs Premium SKU for Firewall Policy.
• web_categories - (Optional) Specifies a list of web categories to which access is denied or allowed depending on the value of action above. Needs Premium SKU for Firewall Policy.

A network_rule (network rule) block supports the following:

• name - (Required) The name which should be used for this rule.
• protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are Any, TCP, UDP, ICMP.
• destination_ports - (Required) Specifies a list of destination ports.
• source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
• source_ip_groups - (Optional) Specifies a list of source IP groups.
• destination_addresses - (Optional) Specifies a list of destination IP addresses (including CIDR, IP range and *) or Service Tags.
• destination_ip_groups - (Optional) Specifies a list of destination IP groups.
• destination_fqdns - (Optional) Specifies a list of destination FQDNs.

A nat_rule (NAT rule) block supports the following:

• name - (Required) The name which should be used for this rule.
• protocols - (Required) Specifies a list of network protocols this rule applies to. Possible values are TCP, UDP.
• source_addresses - (Optional) Specifies a list of source IP addresses (including CIDR, IP range and *).
• source_ip_groups - (Optional) Specifies a list of source IP groups.
• destination_address - (Optional) The destination IP address (including CIDR).
• destination_ports - (Optional) Specifies a list of destination ports. Only one destination port is supported in a NAT rule.
• translated_address - (Optional) Specifies the translated address.
• translated_fqdn - (Optional) Specifies the translated FQDN.

NOTE:

Exactly one of translated_address and translated_fqdn should be set.

• translated_port - (Required) Specifies the translated port.

A protocols block supports the following:

• type - (Required) Protocol type. Possible values are Http and Https.
• port - (Required) Port number of the protocol. Range is 0-64000.

‍