Introduction:
Azure Firewall Premium provides strong protection with a built-in Intrusion Detection and Prevention System (IDPS). It inspects inbound, outbound, and east-west traffic against Microsoft’s continuously updated signature set and can block threats before they reach your workloads.
IDPS works out of the box without manual intervention. However, in many environments administrators need the flexibility to override specific signatures to better align with operational or security requirements.
Common reasons include:
- Compliance enforcement – enforcing policies that require certain signatures (for example, all High severity signatures) to always be blocked, or tuning by traffic direction, protocol or category.
- Incident response – reacting quickly to emerging vulnerabilities by enabling blocking for newly relevant signatures.
- Noise reduction – keeping informational signatures in alert mode to avoid false positives while still maintaining visibility.
In many environments, signature overrides are typically managed in one of two ways:
- Using the global IDPS mode
- Using the Azure portal to apply per-signature overrides individually
While these approaches work, managing overrides manually becomes difficult when thousands of signatures are involved. The Azure portal also limits the number of changes that can be applied at once, which makes large tuning operations time-consuming.
To simplify this process, this blog introduces an automation approach that allows you to export, filter, and apply IDPS signature overrides in bulk using PowerShell scripts.
A Common Operational Scenario:
Consider the following scenario frequently encountered by security teams:
Scenario
A security team wants to move their firewall from Alert → Alert + Deny globally to strengthen threat prevention. However, they do not want Low severity signatures to Deny traffic, because these signatures are primarily informational and may create unnecessary noise or false positives.
Example:
Signature ID: 2014906
Severity: Low
Description: INFO – .exe File requested over FTP
This signature is classified as informational because requesting an .exe file over FTP indicates contextual risk, not necessarily confirmed malicious activity.
If the global mode is switched to Alert + Deny, this signature may start blocking traffic unnecessarily.
The goal therefore becomes:
- Enable Alert + Deny globally
- Keep Low severity signatures in Alert mode
The workflow described in this blog demonstrates how to achieve this outcome using the IDPS Override script.
Automation Workflow:
The automation process uses two scripts to export and update signatures.
Workflow overview
Azure Firewall Policy
│
▼
Export Signatures (ipssigs.ps1)
│
▼
CSV Review / Edit
│
▼
Bulk Update (ipssigupdate.ps1)
│
▼
Updated Firewall Policy
Before implementing the workflow, it’s helpful to briefly review the available IDPS modes and severity levels, summarized in the tables below.
[Tables: IDPS Modes; Severity]
Prerequisites:
Now that we have covered the Azure Firewall IDPS concepts behind this script, let's get started with the script itself. First, ensure that you are connected to your Azure account and have selected the correct subscription by running the following command:
Connect-AzAccount -Subscription "<your-subscription-id>"
Ensure the following modules, which are required for this operation, are installed:
- Az.Accounts
- Az.Network
💡 Tip: You can check whether the above modules are installed by running:
Get-Module -ListAvailable Az*
or check specific modules with the following commands (without -ListAvailable, Get-Module only reports modules already imported into the current session):
Get-Module -ListAvailable Az.Network | Select-Object Name, Version, Path
Get-Module -ListAvailable Az.Accounts | Select-Object Name, Version, Path
If you need to install them, run the following command which downloads all generally available Azure service modules from the PowerShell Gallery, overwriting existing versions without prompting:
Install-Module Az -Repository PSGallery -Force
Restart PowerShell after installation.
Configure ipsconfig.json
Now, configure the ipsconfig.json file so that it contains your target environment details: subscription ID, firewall policy resource group name, firewall name, firewall policy name, location and rule collection group name.
Example:
{
  "subs": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "rg": "TEST-RG",
  "fw": "fw",
  "fwp": "fw-policy",
  "location": "CentralUS",
  "rcg": "DefaultNetworkRuleCollectionGroup"
}
Note: Your account must have permissions to read and update firewall policy and IDPS settings.
Running the Script:
1. Export Signatures
Now that all the prerequisites are ready, it's time to run the script. Run the following command in PowerShell from the directory containing the script:
.\ipssigs.ps1
The script then prompts for filtering criteria, and you can enter values according to your requirements.
For the example scenario considered above, we provide the following inputs:
- Mode: Alert
- Severity: Low
💡 Tip: When specifying multiple values, separate them with a space, not a comma; otherwise the script may return no results.
The script now exports the results to ipssignatures_results.csv file by default (or a custom filename if specified). The exported CSV includes metadata such as severity, direction, group, and protocol, which can help inform tuning decisions.
2. Prepare the CSV
We do not need all of these columns when feeding the CSV file to the update step; only the following two are required:
- Signature Id
- Mode
Therefore, remove all other columns, keeping the SignatureId and Mode columns along with their headers, as seen below:
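One way to perform this trimming in PowerShell instead of by hand, as an added example that is not one of the scripts described in this post. It assumes the export uses the column headers SignatureId and Mode, and that the valid override values are Off, Alert and Deny.

```powershell
# Added example: reduce the exported CSV to the two columns the update step consumes.
# Assumptions (not taken from the original scripts): the export uses the headers
# "SignatureId" and "Mode", and valid override modes are Off, Alert and Deny.
param(
    [string]$InputFile  = ".\ipssignatures_results.csv",
    [string]$OutputFile = ".\Lowseveritysignatures.csv"
)

$validModes = @("Off", "Alert", "Deny")
$rows = Import-Csv -Path $InputFile
if (-not $rows) { throw "Input CSV '$InputFile' is empty." }

# Fail early if the export does not carry the columns we depend on.
$headers = ($rows | Select-Object -First 1).PSObject.Properties.Name
foreach ($required in @("SignatureId", "Mode")) {
    if ($headers -notcontains $required) {
        throw "Input CSV is missing the required column '$required'."
    }
}

$clean = foreach ($row in $rows) {
    # Signature IDs are numeric; anything else indicates a damaged row.
    if ($row.SignatureId -notmatch '^\d+$') {
        Write-Warning "Skipping row with invalid SignatureId '$($row.SignatureId)'."
        continue
    }
    if ($validModes -notcontains $row.Mode) {
        Write-Warning "Skipping signature $($row.SignatureId): unknown mode '$($row.Mode)'."
        continue
    }
    # Keep only the two columns the update step needs.
    [pscustomobject]@{ SignatureId = $row.SignatureId; Mode = $row.Mode }
}

# Drop duplicate IDs so the same signature is not submitted twice.
$clean = @($clean | Sort-Object SignatureId -Unique)
$clean | Export-Csv -Path $OutputFile -NoTypeInformation
Write-Host "Wrote $($clean.Count) override rows to $OutputFile"
```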
3. Update the Firewall Policy
Now, it's time to update the Firewall Policy with the signature/mode overrides using the CSV file prepared above. Note that the script supports two operations:
- Changing the global IDPS mode
- Applying bulk signature overrides using the CSV file
You can use either option independently or both together. The following two examples illustrate this.
Example 1: Change Global Mode and Override Low Severity Signatures
Goal:
- Set global mode to Alert + Deny
- Keep Low severity signatures in Alert
Command:
.\ipssigupdate.ps1 -GlobalMode Deny -InputFile Lowseveritysignatures.csv
Result:
- High and Medium signatures → Alert + Deny
- Low signatures → Alert
Example 2: Override Signatures Only
If the global mode should remain unchanged, run the following command without the -GlobalMode parameter:
.\ipssigupdate.ps1
The script then prompts for the input CSV file, as seen below:
As shown, the changes were applied to the Azure Firewall in just a few seconds. After the script completes, the updated signature actions should appear in the firewall policy.
4. Monitoring Script Execution
The update runs as PowerShell background jobs. Use the following commands to track them, verify their status, check for errors and remove completed jobs.
Check background job status:
Get-Job -Id <#>
View results:
Receive-Job -Id <#> -Keep
Remove completed jobs:
Remove-Job -Id <#>
Note: Up to 10,000 IDPS rules can be customized at a time.
5. Validate the Changes
Now that the script has finished running, verify the update by confirming:
- Global IDPS mode in the firewall policy
- Signature override state
- Alert or block events in your logging destination (Log Analytics or Microsoft Sentinel)
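A post-run check for the first two bullets, as an added example that is not one of the post's scripts: it reads the live policy with Az.Network and compares the global mode and the per-signature overrides against the CSV that was applied. The property paths under IntrusionDetection (Mode, Configuration.SignatureOverride with Id and Mode) are assumed from the Az.Network policy object model; confirm them against your module version.

```powershell
# Added example: verify the global IDPS mode and signature overrides after the update.
# Assumes Az.Network is loaded, Connect-AzAccount has run, and the CSV carries the
# SignatureId and Mode columns used in this post. Property paths are assumed from
# the Az.Network policy object model.
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,
    [Parameter(Mandatory)] [string]$PolicyName,
    [string]$ExpectedGlobalMode = "Deny",
    [string]$InputFile = ".\Lowseveritysignatures.csv"
)

$policy = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
$idps   = $policy.IntrusionDetection
if (-not $idps) { throw "Policy '$PolicyName' has no IDPS configuration (Premium SKU required)." }

# 1. Global mode
$globalOk = ($idps.Mode -eq $ExpectedGlobalMode)
$state = if ($globalOk) { "OK" } else { "MISMATCH" }
Write-Host ("Global IDPS mode: {0} (expected {1}) -> {2}" -f $idps.Mode, $ExpectedGlobalMode, $state)

# 2. Per-signature overrides: index what the policy actually holds by signature ID.
$live = @{}
foreach ($o in $idps.Configuration.SignatureOverride) { $live[[string]$o.Id] = $o.Mode }

$expected  = @(Import-Csv -Path $InputFile)
$missing   = @()
$wrongMode = @()
foreach ($row in $expected) {
    $id = [string]$row.SignatureId
    if (-not $live.ContainsKey($id)) {
        $missing += $id
    } elseif ($live[$id] -ne $row.Mode) {
        $wrongMode += "$id (policy=$($live[$id]), csv=$($row.Mode))"
    }
}

Write-Host "Overrides expected: $($expected.Count), present in policy: $($live.Count)"
if ($missing)   { Write-Warning "Not overridden: $($missing -join ', ')" }
if ($wrongMode) { Write-Warning "Mode differs: $($wrongMode -join ', ')" }
if ($globalOk -and -not $missing -and -not $wrongMode) { Write-Host "Validation passed." }
```

The third bullet (alert or block events) is confirmed in your logging destination rather than from the policy object, so it is outside this check.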
Conclusion:
Azure Firewall Premium makes it straightforward to apply broad IDPS configuration changes through the Azure portal. However, as environments scale, administrators often require more precise and repeatable ways to manage signature tuning.
The automation approach described in this blog allows administrators to query, review, and update thousands of signatures in minutes. This enables repeatable tuning workflows, improves operational efficiency, and simplifies large-scale security configuration changes.