Azure Firewall Room for Improvement
Senior Security Operations and Cyber Risk Analyst at a financial services firm with 51-200 employees
We had an instance where it wasn't processing the rules and we had to engage Microsoft to resolve that issue. Microsoft Support needs to improve its response time.
For larger enterprises, they need to adjust the scalability. This is the only issue that I'm have found that it attributed to the two weeks of downtime we had experienced.
They need to offer either a scaled-up or scaled-out version or versions for larger enterprise companies.
This would greatly improve the solution.View full review »
Group Cloud Competency Center Manager at a transportation company with 10,001+ employees
It is a cloud service, but the lending speed for each region is not always the same. For example, in China, the speed is slow. They need to think about how to make sure that the service pace or speed is always the same in all regions. It would be a great improvement if they can provide the same pace worldwide.
It is still not at par with traditional next-generation firewalls. It is still behind other network and firewall vendors such as Palo Alto. There are other advanced and leading products in the market, and Azure Firewall is still a follower. So, they can consider investing more in this product and make it a market leader like Azure.View full review »
Currently, it only supports IP addresses, so you have to be specific about the IPs that are in your environment. They could add specific instance names, such as an instance ID to be specified or a resource group.
Tagging is supported but not on the instances, which is something that could be improved.
The selection of the internal resources into the ruleset could be improved.
Support for layer-seven application filtering should be added because it is not there yet, at all.
It is capable of filtering on the fully qualified domain name (FQDN) but it cannot do the more advanced features that Palo Alto or FortiGate can do, where you can grant or limit access to Facebook but you don't need to specify the domain name because it knows about Facebook as an application. You should be able to simply say "Allow Facebook", but also have it block Facebook Chat, for example. Having control over those specific application protocols within the traffic would be an improvement.
The documentation from Microsoft could be slightly improved, although it could be related to the fact that the product is quickly changing. It may be a case that the documentation updates are of a lower priority than the product itself.View full review »
It needs a lot of improvement, especially on intruder detection. They are working hard on that.View full review »
Owner at a financial services firm with 1,001-5,000 employees
The interface could be improved, it's not very user friendly. They are now trying to compete with a new Chinese domestic public cloud provider which has more features. It's difficult to find the ports on the current interface, but it's easier with this new provider.
We're looking to provide a better routing, or something like an SD-WAN solution that can improve the user experience. I think that's something Azure can do as an additional feature. There are five Azure clouds: Two belong to the US government and one is worldwide. Then there is Germany Azure and China Azure. China Azure is barely able to communicate with the rest of the world, and that connectivity issue needs to be looked at in detail and a solution found.
Compared to FortiGate and Palo Alto, Azure Firewall is not very flexible. There are multiple options for VPNs and the other features, and most of my clients are implementing third-party products that they are getting from the marketplace and other vendors.
The reporting, logging, and monitoring features, as well as the flexibility of the policies, need to be improved.
The visibility is much less with Azure Firewall than it is with other products.View full review »
Network Engineer at a leisure / travel company with 10,001+ employees
In terms of what could be improved, it lacks a couple of features which are available in the other marketplace products, but it is stable and it performs most of the basic functions that are expected from a normal firewall.
When we deployed we did not have a centralized management of multiple firewalls. Right now, with Azure Firewall, we cannot have a normal inbound traffic flow. For inbound, Microsoft suggests using application gateways, so the options are very limited. I cannot use this firewall as an intermediate firewall because of the limitations, and I cannot point routing to another firewall. So if I want to use back-to-back firewall architecture in my environment, I cannot use Azure Firewall for that type of configuration either.
Other features I would like to see are intrusion prevention, URL filtering, category-based URL filtering and other advanced features.
Overall, the configuration can definitely be improved.
In terms of the overall product architecture, if the management and the architecture of the product could support back-to-back firewall architectures so that I could use Azure Firewall in combination with another firewall, that would be one point which would help this product be used more and in a better way.
Again, if the Azure Firewall could be accommodated as a back-to-back firewall, meaning if it could work as a firewall which handles the inbound traffic from the internet, which is an NVA, or a network virtual appliance, and we could reroute the traffic to Azure Firewall, that would be good. But as of now, there is no routing options in Azure Firewall.
The solution doesn't offer the same capabilities of Fortinet. It should offer intrusion prevention and advance filtering. These are two very useful features offered on Fortinet that Azure lacks.
There's already a web application firewall for detection, however, it isn't as useful as it could be. They should work to improve it.
In terms of prevention, I don't think it's any better than just a regular firewall. They need to add more security features to make it more powerful and more secure.View full review »
Cloud Architect at a pharma/biotech company with 10,001+ employees
The solution isn't missing features per se.
Azure should be able to work better as a balancer also, instead of just being a firewall. It should have a wider mandate.
There should be more use cases, specifically use cases for domains for, for example, healthcare and specific use cases for web applications.View full review »
Technical Architect at a tech services company with 10,001+ employees
It would be nice to be able to create groupings for servers and offer groups of IP addresses.
I would, also, like to see the manager built into the solution more, such as concerns Azure Firewall Manager.
I would also like to see some of the items that come with the preview version for the next version with IDS be addressed, as well as the ability to categorize websites, which is done with external traffic.
Manager - Network & Security at a tech services company with 501-1,000 employees
This solution is not mature when it comes to handling perimeter traffic like internet browsing. It is lacking in some of the security features. Palo Alto and Fortinet are better for this.
In the next release, I would like to see the inclusion of more next-generation firewall features.View full review »
If I had to pick one area that needs improvement it would be the antivirus functionality, because it doesn't scan traffic for malware. It needs TLS inspection.View full review »
They can improve the pricing of Azure Firewall.View full review »
Cloud Architect at a financial services firm with 1,001-5,000 employees
You have to have a defined IP range within your network to associate it with your network. The problem is you have to plan ahead of time if you expect to use the firewall in the future so that you don't have to reconfigure your subnets or that specific IP range. Other than that, I don't any issues. I use it for basic configuration for a single application, so I really don't try to leverage it for multiple applications where I might find some complexity or challenges.View full review »
The threat intelligence part could be better. I don't see why our customers have to get an additional solution with Azure Firewall. It would be great if they made it on par with Palo Alto.View full review »
There are a number of things that need to be simplified, but it's mostly costs. It needs to be simplified because it's pretty expensive.
Consultant at a manufacturing company with 1,001-5,000 employees
I think that their customer support could be improved with a faster response time.
I think the product could be made more customizable, I'd like to see that in the next release.