This chapter covers Azure Firewall Premium's Intrusion Detection and Prevention System (IDPS) and TLS inspection capabilities, which are critical for advanced network security in Azure. For the AZ-500 exam, these topics appear in approximately 10-15% of questions within the Network Security domain (objective 3.2). You must understand how IDPS signatures work, how TLS inspection intercepts and decrypts traffic, and how to configure and troubleshoot these features. This chapter provides the depth needed to answer exam questions confidently, including specific values, default behaviors, and common misconfigurations.
Jump to a section
Imagine a corporate mail room that receives all incoming and outgoing packages. Normally, packages are sealed and cannot be inspected without breaking the seal. The company decides to implement a policy where all packages must be opened and inspected for prohibited items before being delivered. To do this, the mail room has a special desk where an authorized inspector opens the package, examines the contents, repackages it with a new seal (using the company's own seal), and sends it to the recipient. The recipient sees a package sealed by the company, not the original sender. For outgoing packages, the same process happens in reverse: the employee gives an open package to the mail room, which inspects it, seals it with the original recipient's seal (pretending to be the external party), and sends it out. This way, the mail room can enforce policies on both inbound and outbound packages. However, this requires that all parties trust the mail room's seal, and the process introduces a slight delay. If the mail room's seal is compromised, the entire system is broken. This is exactly how TLS inspection works: Azure Firewall Premium acts as a man-in-the-middle, decrypting traffic, inspecting it for threats, re-encrypting with its own certificate, and forwarding it. The firewall must be trusted by clients via a trusted root certificate.
What is Azure Firewall Premium IDPS and TLS Inspection?
Azure Firewall Premium is a managed, cloud-native network security service that provides advanced threat protection. Two of its key features are IDPS and TLS inspection. IDPS (Intrusion Detection and Prevention System) inspects network traffic for malicious patterns, known as signatures, and can alert or block traffic based on those signatures. TLS inspection allows the firewall to decrypt outbound TLS traffic (HTTPS), inspect the plaintext content, and then re-encrypt it before forwarding to the destination. This enables the firewall to enforce URL filtering, malware detection, and IDPS rules on encrypted traffic.
Why These Features Exist
Most internet traffic today is encrypted (TLS). Traditional network security tools that cannot inspect encrypted traffic are blind to threats hidden inside HTTPS connections. IDPS without TLS inspection can only analyze metadata (IP addresses, ports, SNI headers) but not the actual payload. TLS inspection solves this by acting as a man-in-the-middle (MITM) proxy. It terminates the client's TLS connection, inspects the decrypted traffic, and then initiates a new TLS connection to the destination. This allows the firewall to apply security policies to the content. IDPS then works on the decrypted payload.
How IDPS Works Internally
IDPS in Azure Firewall Premium uses a signature-based detection engine. Signatures are patterns that match known vulnerabilities, exploits, malware, and attack techniques. The engine examines each packet's payload (after decryption if TLS inspection is enabled) against its signature database. The database is continuously updated by Microsoft via the Microsoft Defender Threat Intelligence feed.
Signature categories: Exploit kits, malware, SQL injection, cross-site scripting (XSS), command injection, etc.
Signature actions: Alert (log only), Alert and Deny (block and log), or Deny (block without alert).
Signature severity: Low, Medium, High, Critical.
Signature ID: Each signature has a unique identifier. You can override individual signatures to change their action or mode.
Mode: Detection (alert only) or Prevention (alert and deny).
When a packet arrives, the firewall performs the following steps: 1. Packet capture: The firewall receives the packet and extracts the payload. 2. Decryption (if TLS inspection enabled): If the packet is TLS encrypted and matches a rule that requires inspection, the firewall decrypts it using the configured CA certificate. 3. Protocol decoding: The engine identifies the application protocol (HTTP, SMTP, etc.) and normalizes the data. 4. Pattern matching: The engine compares the normalized payload against the signature database. This is a multi-pattern matching algorithm (like Aho-Corasick) that can match thousands of signatures simultaneously. 5. Action determination: If a match is found, the configured action (alert or deny) is applied. If multiple signatures match, the most severe action is taken. 6. Re-encryption (if TLS inspection enabled): The firewall re-encrypts the packet and forwards it.
TLS Inspection Mechanism
TLS inspection requires the firewall to have a trusted root Certificate Authority (CA) certificate. This certificate is used to dynamically generate certificates for each destination domain that the client connects to. The process is:
Client connects to destination: The client sends a ClientHello to the destination (e.g., https://example.com).
Firewall intercepts: The firewall intercepts the ClientHello before it leaves the network. It responds to the client with a server certificate that is signed by the firewall's CA certificate, impersonating example.com. The client must trust the firewall's CA certificate; otherwise, the browser will show a certificate warning.
Client accepts: If the client trusts the CA, it proceeds with the TLS handshake with the firewall. The client sends an encrypted symmetric key to the firewall.
Firewall decrypts: The firewall decrypts the client's traffic using the symmetric key.
Firewall connects to destination: The firewall initiates a new TLS connection to the actual destination (example.com). It presents the client's original SNI (Server Name Indication) and completes a TLS handshake with the destination. The destination's certificate is validated by the firewall.
Bidirectional forwarding: The firewall relays data between the two connections, decrypting from one side and re-encrypting for the other. This allows inspection of the plaintext.
Key Components, Values, and Defaults
Rule Collection Groups: IDPS and TLS inspection are configured via rule collections. You create a rule that specifies which traffic to inspect (e.g., all outbound HTTPS).
TLS Inspection Action: You can choose to inspect, bypass, or deny traffic. The default is to inspect if a rule matches.
CA Certificate: A self-signed or enterprise CA certificate uploaded to the firewall. The certificate must be trusted by all clients that will have their traffic inspected.
Signature Overrides: You can override the action for specific signature IDs. For example, you might want to block a specific CVE exploit but only alert for others.
Signature Update: Signatures are updated automatically. You cannot manually update them, but you can check the last update time in the portal.
Performance: TLS inspection adds latency (typically 1-5 ms per connection) and requires more CPU. Azure Firewall Premium scales automatically, but you should monitor CPU usage.
Limitations: TLS inspection only works for outbound traffic (client to internet). Inbound TLS inspection is not supported. Also, traffic to certain Microsoft services (like Office 365) may be excluded by default to avoid breaking functionality.
Configuration Steps
To enable IDPS and TLS inspection:
Deploy Azure Firewall Premium: Ensure the firewall SKU is Premium.
Upload a CA certificate: In the Azure portal, go to Firewall > TLS Inspection > Add a certificate. Upload a PFX file with the private key.
Create a rule collection: In Firewall > Rules > Rule Collections, add a new rule collection of type "Application Rule" or "Network Rule". For TLS inspection, use Application Rules with protocol HTTPS.
Enable TLS inspection: In the rule, set TLS Inspection to "Enabled". You can also specify a custom URL category to inspect.
Enable IDPS: In Firewall > IDPS, set the mode to Prevention (or Detection). You can also configure signature overrides.
Distribute the CA certificate: Ensure all client machines trust the firewall's CA certificate via Group Policy or manual installation.
Test: Browse to an HTTPS site from a client. The firewall logs should show the decrypted traffic.
Verification Commands
You can use Azure Monitor, Firewall logs, and the following Azure CLI commands:
# List all IDPS signatures
az network firewall policy intrusion-detection signature list --policy-name <policy-name> --resource-group <rg>
# Override a signature action
az network firewall policy intrusion-detection signature override add --policy-name <policy-name> --resource-group <rg> --id <signature-id> --state Alert
# Show TLS inspection configuration
az network firewall policy tls-inspection show --policy-name <policy-name> --resource-group <rg>Interaction with Related Technologies
Azure Policy: You can enforce that firewalls must be Premium SKU and have IDPS enabled.
Azure Sentinel: Firewall logs can be sent to Sentinel for advanced threat hunting.
Azure Web Application Firewall (WAF): WAF protects web servers; IDPS on the firewall provides network-layer protection. They complement each other.
Private Link: Traffic to Private Link endpoints is not inspected because it stays within Azure's backbone.
Common Pitfalls
Certificate trust: If clients do not trust the firewall's CA, they will see certificate errors and may refuse to connect.
Certificate revocation: The firewall does not check CRL/OCSP for the dynamically generated certificates. This is a security limitation.
Performance impact: Enabling TLS inspection on all traffic can degrade performance. It is recommended to selectively inspect traffic to sensitive destinations.
Signature overrides: Overriding too many signatures can reduce security. Only override when you have a legitimate reason.
Client Initiates TLS Connection
A client (e.g., a VM in Azure) attempts to connect to an external HTTPS site. The client sends a TCP SYN to the destination IP on port 443. The Azure Firewall Premium intercepts this packet because it is the default gateway. The firewall notes the destination IP and SNI (Server Name Indication) from the ClientHello message. The SNI is the domain name (e.g., www.example.com) sent in plaintext even before encryption. This allows the firewall to decide whether to inspect the connection based on rule criteria like destination FQDN or URL category.
Firewall Intercepts and Responds
The firewall’s TLS inspection module intercepts the ClientHello and responds to the client with a ServerHello, presenting a certificate that is dynamically generated for the domain (www.example.com) and signed by the firewall’s CA certificate. The client verifies this certificate against its trusted root store. If the client does not trust the CA, the connection fails. If trusted, the client sends its encrypted pre-master secret. The firewall now has the symmetric keys and can decrypt all subsequent traffic from the client.
Firewall Initiates New TLS Connection to Destination
The firewall establishes a separate TLS connection to the actual destination (www.example.com). It sends its own ClientHello with the original SNI. The destination responds with its legitimate certificate. The firewall validates this certificate (checks expiration, revocation, etc.). If validation fails, the firewall may block the connection or alert. Once validated, the firewall completes the handshake and obtains the symmetric keys for this second connection.
Traffic Decryption and IDPS Inspection
Now the firewall acts as a relay. It receives encrypted data from the client, decrypts it using the keys from the first connection, and passes the plaintext to the IDPS engine. The IDPS engine performs protocol decoding (e.g., HTTP request parsing) and pattern matching against its signature database. If a signature matches, the configured action (Alert or Deny) is taken. If the action is Deny, the firewall drops the packet and sends a TCP RST to the client. If Alert, the packet is logged and continues.
Re-encryption and Forwarding
After inspection, the plaintext is re-encrypted using the keys from the second connection (to the destination) and sent to the destination. Responses from the destination follow the reverse path: decrypted, inspected, re-encrypted, and sent to the client. The client and destination are unaware of the interception (except for the certificate trust requirement). The firewall maintains state for each connection, mapping the two halves together.
Enterprise Scenario 1: Financial Institution Enforcing Data Loss Prevention (DLP)
A bank wants to prevent sensitive data (like credit card numbers) from being exfiltrated via HTTPS. They deploy Azure Firewall Premium with TLS inspection on all outbound traffic. They upload their internal CA certificate and distribute it to all corporate VMs via Group Policy. They create a rule to inspect all HTTPS traffic to external destinations. The IDPS is configured in Prevention mode with custom signatures that match patterns of credit card numbers (using regex). In production, they noticed that some internal applications (like Office 365) broke because the firewall’s certificate was not trusted by those services. They had to create bypass rules for trusted Microsoft domains. Performance was a concern: with full TLS inspection, firewall CPU usage reached 80% during peak hours. They mitigated by using selective inspection—only inspecting traffic to non-whitelisted domains. Misconfiguration example: an engineer set the TLS inspection action to "Bypass" for all traffic, effectively disabling inspection, but IDPS still ran on the encrypted traffic (which is useless). The correct approach is to enable TLS inspection and set IDPS to Prevention.
Enterprise Scenario 2: Healthcare Provider Blocking Malware C2 Traffic
A hospital network uses Azure Firewall Premium to protect its Azure workloads. They enable IDPS in Prevention mode and TLS inspection for outbound HTTPS. They configure signature overrides to block all signatures with severity High and Critical. During a security incident, the firewall blocked traffic to a known malware command-and-control (C2) domain. The IDPS signature ID 123456 matched the C2 traffic. However, the hospital’s security team found that some legitimate traffic to a third-party healthcare API was also blocked because it matched a generic SQL injection signature. They had to create an exception for that API’s IP range. Common pitfall: the team initially forgot to distribute the CA certificate, so all clients had certificate errors. They resolved by deploying the certificate via Azure Policy Guest Configuration. Scale: they handle 10 Gbps of outbound traffic; the firewall scaled automatically but they monitored CPU and memory.
Enterprise Scenario 3: E-commerce Company with PCI DSS Compliance
An online retailer must comply with PCI DSS, which requires monitoring all traffic to cardholder data environments (CDE). They deploy Azure Firewall Premium with IDPS and TLS inspection to inspect all traffic to the CDE. They use a dedicated CA certificate that is trusted only by the CDE servers. They configure IDPS to alert on any attempt to access the CDE from unauthorized IPs. During a penetration test, the IDPS detected and blocked an SQL injection attempt. The firewall logs showed the decrypted HTTP request with the malicious payload. The security team used Azure Sentinel to correlate firewall logs with other sources. One issue: the firewall’s TLS inspection added 3-5 ms latency, which was acceptable. Misconfiguration: they initially set IDPS mode to Detection instead of Prevention, so the attack was logged but not blocked. They corrected this after the test.
What AZ-500 Tests on This Topic (Objective 3.2)
The exam focuses on configuring and managing Azure Firewall Premium, specifically: - Enable TLS inspection: Steps, certificate requirements, and impact on clients. - Configure IDPS: Modes (Detection vs. Prevention), signature overrides, and signature update mechanism. - Troubleshoot common issues: Certificate trust, performance, and bypass rules. - Understand limitations: Inbound TLS inspection not supported, traffic to Office 365 may be excluded.
Most Common Wrong Answers and Why Candidates Choose Them
"TLS inspection can be enabled for inbound traffic." This is false. Candidates confuse inbound with outbound. The exam tests that TLS inspection is only for outbound traffic. The correct answer is that inbound TLS inspection is not supported.
"IDPS in Detection mode blocks malicious traffic." Detection mode only logs; Prevention mode blocks. Candidates often assume Detection means blocking. The exam expects you to know the difference.
"You must manually update IDPS signatures." Signatures are updated automatically via Microsoft Defender Threat Intelligence. Candidates may think manual updates are required because of other security products.
"TLS inspection requires a public CA certificate." Actually, it requires a CA certificate that clients trust. It can be an internal enterprise CA or self-signed. Public CA certificates are not required. Candidates may choose "public CA" because they think the firewall needs to be trusted by external sites.
Specific Numbers, Values, and Terms That Appear Verbatim
Signature update frequency: Signatures are updated automatically; you cannot configure the interval. The last update time is displayed in the portal.
Modes: Detection and Prevention.
Actions: Alert, Alert and Deny, Deny.
Severity levels: Low, Medium, High, Critical.
Protocols: TLS 1.2 and TLS 1.3 are supported for inspection.
Certificate format: PFX with private key.
Edge Cases and Exceptions
Traffic to Office 365: By default, traffic to Office 365 endpoints is excluded from TLS inspection to avoid breaking services. You can override this but it's not recommended.
Traffic to Azure PaaS services: Traffic to Azure services like Storage or SQL Database is not inspected if using Private Link. If going over the internet, it can be inspected.
Certificate revocation: The firewall does not check CRL/OCSP for dynamically generated certificates. This is a security limitation that may be tested.
Performance: TLS inspection can cause up to 50% CPU overhead. The exam may ask about scaling or monitoring.
How to Eliminate Wrong Answers
If an answer says "TLS inspection works for both inbound and outbound traffic," eliminate it immediately.
If an answer says "IDPS in Detection mode blocks traffic," eliminate it.
If an answer says "You must manually update signatures," eliminate it.
If an answer says "You need a public CA certificate," eliminate it; it's an internal/self-signed CA that clients trust.
Look for keywords like "outbound only," "automatic updates," and "client trust."
Azure Firewall Premium IDPS has two modes: Detection (alert only) and Prevention (alert and block).
TLS inspection is only supported for outbound traffic; inbound TLS inspection is not available.
IDPS signatures are updated automatically via Microsoft Defender Threat Intelligence; no manual updates required.
TLS inspection requires a CA certificate that is trusted by clients; distribute via Group Policy or Azure Policy.
Traffic to Office 365 is excluded from TLS inspection by default to avoid breaking services.
Signature overrides allow you to change the action for individual signature IDs.
Performance impact of TLS inspection can be significant; use selective inspection for critical traffic only.
These come up on the exam all the time. Here's how to tell them apart.
Azure Firewall Premium IDPS
Supports IDPS with signature-based detection and prevention
Supports TLS inspection for outbound HTTPS traffic
Includes threat intelligence-based filtering
Supports signature overrides and custom rules
Higher cost and performance overhead
Azure Firewall Standard
No IDPS capabilities; only stateful inspection
No TLS inspection; only SNI-based filtering for HTTPS
No threat intelligence feed integration
No signature management
Lower cost and less performance impact
Mistake
TLS inspection works for both inbound and outbound traffic.
Correct
Azure Firewall Premium TLS inspection only supports outbound traffic (from clients to internet). Inbound TLS inspection is not supported. The firewall cannot decrypt traffic coming from the internet to internal servers.
Mistake
IDPS in Detection mode blocks malicious traffic.
Correct
Detection mode only logs alerts; it does not block traffic. To block, you must use Prevention mode. This is a common confusion with other security products where 'detection' implies blocking.
Mistake
You must manually update IDPS signatures.
Correct
IDPS signatures are updated automatically by Microsoft via the Microsoft Defender Threat Intelligence feed. There is no manual update option. You can only override individual signature actions.
Mistake
TLS inspection requires a publicly trusted CA certificate.
Correct
The CA certificate must be trusted by the clients whose traffic is being inspected. It can be an internal enterprise CA or a self-signed certificate distributed via Group Policy. A public CA is not required.
Mistake
Enabling TLS inspection on all traffic has no performance impact.
Correct
TLS inspection adds latency (1-5 ms per connection) and increases CPU usage. For high-throughput environments, selective inspection is recommended to avoid performance degradation.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, Azure Firewall Premium TLS inspection only supports outbound traffic (from Azure to internet). Inbound TLS inspection is not a supported feature. For inbound traffic, you can use Azure Application Gateway with WAF or Azure Front Door.
You can distribute the CA certificate using Group Policy (for domain-joined VMs), Azure Policy Guest Configuration, or manually installing the certificate in the Trusted Root Certification Authorities store. The certificate must be trusted by all clients that will have their traffic inspected.
Yes, you can use a self-signed certificate as the CA certificate. However, you must distribute it to all clients and ensure it is trusted. An enterprise CA certificate is often easier to manage in domain environments.
In Detection mode, the firewall logs alerts when malicious traffic is detected but does not block it. In Prevention mode, the firewall logs and blocks malicious traffic. Prevention mode is recommended for production environments.
IDPS signatures are updated automatically by Microsoft. The update frequency is not configurable. You can view the last update time in the Azure Firewall portal under IDPS settings.
By default, traffic to Office 365 endpoints is excluded from TLS inspection to avoid breaking connectivity. You can override this, but it may cause issues with Office 365 services. It is recommended to keep the default exclusion.
Yes, you can override the action for specific signature IDs. For example, you can set a signature to 'Alert' instead of 'Deny' if you want to allow traffic that would otherwise be blocked. Use the Azure CLI or portal to configure overrides.
You've just covered Azure Firewall Premium: IDPS and TLS Inspection — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?