ThreatSTOP Account Setup
Setting up a ThreatSTOP account for Azure is simple. The first thing you will need is a ThreatSTOP account, which you can sign up for here. After providing your information and logging into your account, you'll be presented with a pop-up similar to the one displayed to the right.
Click Copy Key to Clipboard to save this value; you will need it during the Azure side of the account creation process.
Azure Portal Setup
Setting up the ThreatSTOP IP firewall on Microsoft Azure is a straightforward process that should take less than an hour to fully complete. After initial setup and testing, your ThreatSTOP IP Firewall can be in place, and defending your network by blocking inbound and outbound connections to malicious IP addresses.
- Log in to portal.azure.com.
- Search for ThreatSTOP.
- Click on the ThreatSTOP IP Firewall link.
- Click Create.
Provisioning an IP Firewall
- Enter a ThreatSTOP Firewall VM name
- Provide an Admin username
- Select an authentication type:
- Provide a Password or SSH Key.
- Select a subscription model
- Create a new resource group and provide a name.
- Select a datacenter location for your virtual environment.
- Click OK.
Network and Storage Settings
- Select your virtual machine size
- Create a Virtual network, or select one that exists in the datacenter to which the network is being deployed.
- Create a subnet.
  A new subnet will need to be created for the IP firewall prior to deployment if one does not already exist. For testing purposes you may wish to deploy a new virtual network alongside an existing vnet, and then roll the servers into the existing vnet if they meet approval.
- Create a new public address.
- Provide a DNS Prefix.
- Configure a Storage Account.
- Enter the License/API key you copied in ThreatSTOP Account Setup above.
- Click OK.
- Verify that everything looks correct and click OK.
This will begin deploying the ThreatSTOP IP Firewall into your Azure instance, including creating a Resource Group, firewall VM, and adding your new device to your ThreatSTOP account. You can verify that the deployment to your account was successful by logging into https://www.threatstop.com and looking for a device that has a numeric nickname and has its Manufacturer / Model set to Microsoft / Azure IP Firewall.
Testing the IP Firewall
Before deploying the IP Firewall into your live environment, it is advisable to test that the firewall is performing as expected. One way of doing this is to deploy a temporary VM into the Clients subnet, connect to both it and the firewall, and monitor for traffic flowing across the firewall.
- In Azure deploy a new Ubuntu clientVM into the same resource group as the IP firewall. For our example we are going to use the existing TSProtectedVnet but make sure the clientVM is assigned to the Clients subnet.
- The default settings are OK with two exceptions:
  - Choose none for Public IP address as this will be a private subnet.
  - Choose none for Network Security Group (NSG) for simplicity.
- Click on OK to bring up the Summary of the VM device.
- Click on OK again to begin deploying the test VM.
- While the clientVM is being deployed, it's safe to add it into the routing table. To do this:
- Open the Resource Group you just created.
- Click on the Route Table created by the solution template.
- Click on Subnets.
- Click + Associate.
- Choose the Virtual Network.
- Select TSProtectedVNet.
- Choose Subnet.
- Associate it with the Clients subnet.
- Click OK.
- To test, open up two SSH sessions to the firewall's public IP. In one window, SSH into the private IP of the client VM (the firewall is a jump box to the client):
Run the following command on the firewall:
On the clientVM, ping bing.com or similar and watch for the packets passing through the firewall. If you get a response on the client and also see packets flowing, the setup is complete. The examples below show a test ping for reference of what you should see:
[Screenshots: Server and Client views for Test One and Test Two]
Final Subnet Configuration
At this point if testing proved successful you may associate your Clients Subnet with the Route Table created during deployment.
These instructions are a simulation of the steps you will perform to go live in a production environment.
Click on the Route Table created by the solution template and associate it with your production subnet.
Implementing the route table is a critical step, as it routes all traffic from your network through the new firewall VM. Because of this, all testing needs to be completed and verified as working first. If your setup is not correct, changing this association can impact your Internet access.
- Click OK to finalize deployment of the IP Firewall.
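
A check to run before changing the production association, added here as an example and not part of ThreatSTOP's documentation: it inspects route table JSON in the shape printed by `az network route-table show` and reports whether the subnet is associated and whether the default route goes to the firewall VM. That the solution template creates a `0.0.0.0/0` route with a `VirtualAppliance` next hop is an assumption; the route table name, subscription ID, resource group and addresses are constructed placeholders.

```python
import json

# Constructed sample in the shape printed by `az network route-table show`.
# Route table name, subscription ID, resource group and IPs are placeholders.
SAMPLE_ROUTE_TABLE = json.loads("""
{
  "name": "example-route-table",
  "routes": [
    {"name": "default-via-firewall", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"}
  ],
  "subnets": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/TSProtectedVNet/subnets/Clients"}
  ]
}
""")


def check_route_table(table, vnet, subnet, firewall_ip):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []

    # 1. The subnet must be associated (Azure prints null when none are).
    wanted = f"/virtualnetworks/{vnet}/subnets/{subnet}".lower()
    associated = [s.get("id", "").lower() for s in table.get("subnets") or []]
    if not any(sid.endswith(wanted) for sid in associated):
        problems.append(f"subnet {vnet}/{subnet} is not associated")

    # 2. Assumption: the template sends the default route to the firewall VM.
    defaults = [r for r in table.get("routes") or []
                if r.get("addressPrefix") == "0.0.0.0/0"]
    if not defaults:
        problems.append("no 0.0.0.0/0 route, traffic will bypass the firewall")
    for route in defaults:
        if route.get("nextHopType") != "VirtualAppliance":
            problems.append(f"route {route.get('name')}: next hop type is "
                            f"{route.get('nextHopType')}, not VirtualAppliance")
        elif route.get("nextHopIpAddress") != firewall_ip:
            problems.append(f"route {route.get('name')}: next hop "
                            f"{route.get('nextHopIpAddress')} is not the firewall")
    return problems


if __name__ == "__main__":
    for line in check_route_table(SAMPLE_ROUTE_TABLE, "TSProtectedVNet",
                                  "Clients", "10.0.0.4") or ["all checks passed"]:
        print(line)
```
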
Changing your IP Tables Policy Name
Changing the policy used by the IP firewall is achieved by logging into the ThreatSTOP portal, changing the policy in the portal, and then running an update script on the firewall to update the block list and allow list. To do this:
- Log in to the ThreatSTOP portal.
- Click on Devices.
- Click on the Edit icon next to the device undergoing the policy change.
- Select the Policy you want to use, then click Next, and close the window.
- Click on the Documentation icon to open this document in the portal.
- Use SSH to log in to your IP Tables firewall.
- Copy and paste this command into the SSH session and press Enter:
- A display similar to the following should scroll by; press Y when prompted to proceed:
This will update the policies on your IP firewall device to match your ThreatSTOP account.