Azure Firewall Reviews

We used Azure Firewall to secure our cloud layer and integrate our on-prem servers. We also used it to build the QDM level for integration. Azure Firewall offers multiple SKUs, including Standard and Premium. I have experience with the Standard SKU, but not the Premium one.

Overall, I had a good experience with Azure Firewall, but there are some downsides. 

FQDN integration, especially the ability to integrate with Azure Active Directory domain services.

Azure Firewall can integrate with Azure services to access application data. I've also integrated it with Azure Monitor.  

From an integration perspective, it's very helpful. We can monitor both network and cloud traffic, which is a definite plus.

There are some downsides. One is the lack of built-in VPN capability. You need a separate Azure VPN Gateway for that functionality. Many customers compare Azure Firewall to their existing on-premises firewalls, which often have VPN capabilities. 

Additionally, Azure Firewall has some limitations in terms of threat signature coverage. There is a separate service for threat signature tuning, but it's worth noting this potential downside.

I would appreciate it if Azure Firewall included built-in VPN capabilities. It would be beneficial if Azure Firewall could replicate features that are available in other firewalls.

I used it for one and a half years.  

I do have some experience with other Azure services, though I wouldn't consider myself an expert.

I haven't experienced any stability issues or downtimes.

I work with both SMBs and enterprises.

I haven't needed to contact Microsoft so far.

I work with clients from multiple sectors, including private and government. We gather their requirements and provide solutions tailored to their needs.

Sometimes, we have to choose between Azure Firewall and third-party firewall options on Azure.

I haven't worked with other cloud firewalls extensively, but Azure Firewall compares favorably in terms of features. People can compare it to platforms like AWS or GCP to see the feature differences.

It's straightforward. If you have experience with Azure, it's not complex at all.

The deployment time depends on the requirements. We can deploy the firewall itself in about half an hour to 20 minutes. The configuration time will vary based on the customer's specific needs. The provisioning process is quick because it integrates with multiple roles.

The configuration process is straightforward. There is nothing complex. 

It is affordable.

I would rate it an eight out of ten, where one is the worst and ten is the best.

One of the notable advantages of Azure Firewall is its user-friendly interface, which closely resembles or shares similarities with other Azure components. The abundance of well-documented resources, extensive help features, and a wealth of examples further enhance the usability of Azure Firewall.

It could potentially be more cost-effective. There is room for further integration of AI into the system.

I have been working with it for approximately two years.

It ensures reliable availability.

At my previous workplace, we extensively deployed Azure Firewall with four units, effectively serving the security needs of a sizable user base exceeding a thousand individuals.

Previously, we utilized Fortinet, but we made the transition to Azure because  Microsoft introduced advanced features and Next Generation functionalities into Azure Firewall, and we anticipate a seamless shift to Microsoft Azure, leveraging the convenience of managing multiple products effortlessly through it.

Overall, I would rate it eight out of ten.

I used it for two of my clients. One of the clients used it for Azure Virtual Desktop implementation and for blocking the internet for the other applications in the IaaS. The use case for the other clients was also similar. It was put in there for holding up traffic and filtering traffic.

It provided ease of maintenance. If a new firewall was needed, we only had to run the pipelines for this. So, the maintenance was very easy.

It reduced work by 30%. It saved maintenance and operational costs by 15%.

The HTTPS Inspection feature was useful where HTTPS traffic is scanned before it goes over the line.

Its interface is okay, and it is very adjustable. I like IP groups and other things that you can do with it.

Rules management could be better. You have all kinds of rules, and they can put something better in place there.

There should be better monitoring and logging. Currently, it is put in Sentinel. It should be more seamless and from the interface.

It has been about two years.

Its stability is very good.

It is scalable. It was used across multiple regions. One of them had about 3,000 users, and the other one had about 5,000 users.

Their technical support is good. I would rate them an eight out of ten.

Positive

We used a different solution. We had on-prem Palo Alto. 

I was involved in its setup. I deployed it with Bicep pipelines. The maintenance was also via pipelines. Its setup was straightforward, especially with Terraform and Bicep. It was done in 10 minutes to 15 minutes.

It is a one-man job, but that is not our advice. It is better to have three or four people who have knowledge of the firewall system. If you have only one person and that person is sick, then you have a problem. You block the internet, and sometimes, you have to open it. So, it is better to do it with a small team. If there are a lot of changes, two to three people should be fine.

In terms of maintenance, there is only the maintenance of new ports or IP addresses, but that's operational management. That's not firewall management as such.

Our clients have seen about 25% return on investment.

It is expensive, especially with the premium functions.

For one of the clients, it was very expensive. You have to use it more at an enterprise level, and there, it was not at an enterprise level. So, it was very costly, but security-wise, it was a very wise decision to use it that way. 

The solution of Palo Alto and the other one, whose name I don't remember, were IaaS-based, but we wanted a platform as a service, and Azure Firewall is that.

If you have an ecosystem based on, for instance, Palo Alto, it would be better to use a Palo Alto firewall because they have one way of working and one interface, but if you have a greenfield deployment or your on-prem is old or legacy, then I would advise going for Azure Firewall.

Its basic features were enough for us. The single sign-on experience was also okay. We had no problem with that. If required, we can use Privileged Identity Management or MFA. All these features are there within Azure.

I would rate it an eight out of ten.

I have deployed Azure Firewall for a couple of my clients. They primarily use it for protecting their workloads and limiting incoming connections.

I also have a subscription but I use it primarily for testing.

The most valuable feature is threat intelligence. It is based on filtering and can identify multiple threats. It can easily detect threats and I have customers that have experienced this.

The malware signatures are updated automatically, which is helpful for new customers.

Compared to FortiGate and Palo Alto, Azure Firewall is not very flexible. There are multiple options for VPNs and the other features, and most of my clients are implementing third-party products that they are getting from the marketplace and other vendors.

The reporting, logging, and monitoring features, as well as the flexibility of the policies, need to be improved.

The visibility is much less with Azure Firewall than it is with other products.

I have been working with Azure Firewall for two years.

This is a firewall that I implement for my SMB customers. For example, one of my recent deployments was to a user base of between 300 and 500 people. In fact, it was their DR site, so there was no regular user traffic. The real-time users enter that site typically for maintenance.

 My enterprise clients normally choose to implement SonicWall NSV.

I have not had the opportunity to fully test the scalability but I can't see any limitations to it at this time.

I have opened a couple of cases with Azure and the technical support was fine. There were no issues with it.

I have experience with several other firewalls including FortiGate and Palo Alto.

Another product that I have sold to my enterprise customers is SonicWall NSV.

Compared to other firewall products, the setup is complex. I have faced problems setting up the DNAT, and there are some issues with setting up the certificates. I have also had trouble with service tag issues.

The basic deployment takes one day or two days at the maximum. The fine-tuning, where we have to monitor and identify the proper traffic, takes place over two or three weeks. Fine-tuning is an extensive part of it. It is important that the configuration is set up correctly.

We deploy this solution for our customers but they are responsible for the fine-tuning to their environment. I deploy it for our clients but I have another colleague who does it, as well.

Overall, this is a good product and we will continue working with it.

I would rate this solution a nine out of ten.

We are currently working with Microsoft, trying to develop a new solution which is based on VeloCloud. It's an SD-WAN solution. This product has not been launched in China yet and we still have some work to do. I'm the company owner and five of my team use Azure Firewall. It's a startup team and I work with Microsoft directly.  

The most valuable features of the product are its great security and connectivity. 

The interface could be improved, it's not very user friendly. They are now trying to compete with a new Chinese domestic public cloud provider which has more features. It's difficult to find the ports on the current interface, but it's easier with this new provider. 

We're looking to provide a better routing, or something like an SD-WAN solution that can improve the user experience. I think that's something Azure can do as an additional feature. There are five Azure clouds: Two belong to the US government and one is worldwide. Then there is Germany Azure and China Azure. China Azure is barely able to communicate with the rest of the world, and that connectivity issue needs to be looked at in detail and a solution found.

I've been using this product for three years. It's an online platform so you're always getting the latest version. 

It's a stable product. I've recently spent a lot of time on Palo Alto Firewalls and compared to that I would say that Azure Firewall is still a better firewall. They provide more and more features like SD-WAN or the cloud standard box feature.

I'm satisfied with the technical support overall. I generally chat with the Microsoft team on the phone. 

I'm still using Palo Alto, Cisco ASA, Fortinet, Check Point and Juniper. Basically I use all of them. For small businesses with one standard, though, I would recommend Azure Firewalls. It's quite simple and easy to implement the whole security policy. For medium and large enterprise companies, however, they already have their on-premise firewall devices implemented. Users are trying to centralize their firewall security management and they prefer it to using virtualized firewalls like Checkpoint Virtual Firewall or Fortinet Virtual Firewall. That way, they can leverage their user technology capability, and try using a single interface to manage those devices. 

From the virtual machine perspective, it's quite easy to set up. You can choose the image file from the public market, and then you can setup. However, the account, the Microsoft Azure identity, the whole creation process was very complex and it is not that user friendly. Users usually use their Azure ID, as well as sometimes providing the live ID. That's a second ID, and it confuses people.

The network firewall is a complex project, you have to review all the requirements. It's possible that sometimes the Azure Firewall won't be able to support some things because they customize their applications and they may not meet with the Azure Firewall's features. Each user has unique requirements on shaping or manipulating network traffic. I wouldn't recommend any product without doing the research.

I would rate this product an eight out of 10.

When we started using Azure Firewall, we learned quickly that it couldn't do much. As I remember, it was essentially a layer 3 or layer 4 firewall that couldn't distinguish recognized applications and things like that. But it was inexpensive compared to the Palo Alto stuff we were looking at, so we wound up staying with the firewall. Mainly it was just inspecting ports between virtual machines.

Azure Firewall definitely needs a broader feature base. It should be able to go all the way up to layer 7 when looking at applications and things like that. It needs to be comparable to what you would get from Cisco, Palo Alto, Checkpoint, or any of those guys. If it's going to be a firewall, it needs to be competitive. From a security standpoint, it's not any better than loading an IP table in a Linux box. In fact, Linux may even be better in that sense

I've been using Azure Firewall for probably about a year.

Azure Firewall wasn't scalable at all, but it did what it's supposed to do.

I honestly don't remember interfacing a lot with Azure support. I think that we were dealing with a third party, maybe. But I've been dealing with AWS for the last year, and it's a totally different experience in a good way. Their support is outstanding.

Setting up Azure Firewall was easy because all you were doing was configuring source, destination, port, and action. However, there was something weird. You have to number your rules set, and depending on your numbering system, that's how you would have to apply the filtering of the logic of the policy. And in that sense, it's a little bit quirky. I don't think that most firewalls work that way. It just reads the policy, and the algorithm is based on it filtering down through the policies until it hits a truth or a match. And then it makes a decision based on that.

Azure's cost-effectiveness is its major advantage. 

Each company will prioritize what it wants to work on. Azure may outperform AWS in some areas, but after working with the two platforms for roughly the same amount of time, I've found AWS friendlier and more sophisticated overall. AWS just seems to be a better platform for me, honestly.

I would rate Azure Firewall one out of 10. I give it the worst rating because security is so important. However, it depends on your security goals. But you have to look at what's out there and what you typically get out of a box. Even for a cheap application for your computer, Azure Firewall just isn't delivering. It doesn't have any personality at all or functionality even. I definitely wouldn't recommend it to anyone, but I would have to go back and visit it because it's been a year now. The features are so limited that it's pretty much a protocol-filtering product. 

Honestly, I think any serious security-minded entity will bypass Azure Firewall and look at some of the images from the third parties. I guess it's suitable for small outfits that aren't serious about security but want some basic protection. By the time I walked away, I  had spent a lot of hours on it, and I spent more time in my job trying to find a solution and pick the right one. I did everything to learn the firewall's feature set. I finally talked with someone at Microsoft who said, "We know what you want and what you're trying to do, but we're just not there yet."

They just told me to stay tuned. I got the impression Azure Firewall is a very immature product that would probably improve over time. But, at that moment, I didn't think it was unready. It's just that products are trying to achieve different things. You can't have all the horses in all places. It's one of those things where I felt like it would have to be some acquisition or complete outsourcing of the security component to somebody specialized in the area who can sell it as a firewall.

Basically, our organization is using the solution to inspect the traffic. I'm using the solution as the main defense system prior to de-traffication on the NGX layer (layer seven). Then, of course, we're forwarding to the Kubernetes cluster.

The solution has many useful features. For example, the solution allows users to create virtual IP addresses. 

The solution doesn't offer the same capabilities of Fortinet. It should offer intrusion prevention and advance filtering. These are two very useful features offered on Fortinet that Azure lacks.

There's already a web application firewall for detection, however, it isn't as useful as it could be. They should work to improve it.

In terms of prevention, I don't think it's any better than just a regular firewall. They need to add more security features to make it more powerful and more secure.

I've been using the solution for six months so far. It hasn't been too long.

The stability of the solution is excellent. It hasn't failed. There are no bugs, glitches, or crashes. It's reliable.

Azure uses an on-premises environment. I wouldn't use it for scalability purposes. In terms of scalability, our organization is much more inclined towards Fortinet's Fortigate virtual appliance rather than the Azure Firewall.

We provide services to our clients and help them maintain the product.

However, we have contacted technical support several times. We've submitted tickets and dealt with technical support directly. Occasionally, it takes a long period of time for them to get back to us. It does depend on the severity of the issues. In terms of feedback and output they've provided us, we have been very satisfied. They can just be a little slow.

We use both Azure Firewall and Fortinet solutions, including Fortigate. I personally find that Azure doesn't offer the same capabilities. Fortinet is better.

I'm not sure of the exact pricing, however, I do believe it is less expensive than Fortigate.

For Fortinet, we pay around $5,000 per year. It offers more, however. It, for example, also improves the intrusion detection system. We bought a Fortinet appliance two years ago and Azure Firewall didn't exist at the time.

We're Azure partners and have an enterprise agreement with the company, however, we may be switching. We also have a dedicated Account Manager with the company.

I'd rate the solution seven out of ten. It's missing a few capabilities our organization would really like to see.