Added the new switch parameter IdentifyTopFatFlows to Firewall Command

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -152,5 +152,14 @@ public void TestAzureFirewallManagementNICBasicSku()
         {
             TestRunner.RunTestScript("Test-AzureFirewallManagementNICBasicSku");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallCRUDIdentifyTopFatFlow()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallCRUDIdentifyTopFatFlow");
+        }
+
     }
 }

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -1870,3 +1870,47 @@ function Test-AzureFirewallManagementNICBasicSku {
         Clean-ResourceGroup $rgname
     }
 }
+<#
+.SYNOPSIS
+Tests AzureFirewall IdentifyTopFatFlow
+#>
+function Test-AzureFirewallCRUDIdentifyTopFatFlow {
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+
+        # Create public ip
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -IdentifyTopFatFlow
+
+        # Verify
+        $azFirewall = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqual true $azFirewall.IdentifyTopFatFlow
+
+        # Reset the IdentifyTopFatFlow flag
+        $azFirewall.IdentifyTopFatFlow = $false
+        Set-AzFirewall -AzureFirewall $azFirewall
+        $azfw = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+
+        Assert-AreEqual false $azfw.IdentifyTopFatFlow
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -232,6 +232,12 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
         )]
         public SwitchParameter AllowActiveFTP { get; set; }
 
+        [Parameter(
+           Mandatory = false,
+           HelpMessage = "Identify Top Fat Flows. By default it is false."
+       )]
+        public SwitchParameter IdentifyTopFatFlow { get; set; }
+
         public override void Execute()
         {
             // Old params provided - Get the virtual network, get the public IP address
@@ -300,7 +306,8 @@ private PSAzureFirewall CreateAzureFirewall()
                     VirtualHub = VirtualHubId != null ? new MNM.SubResource(VirtualHubId) : null,
                     FirewallPolicy = FirewallPolicyId != null ? new MNM.SubResource(FirewallPolicyId) : null,
                     HubIPAddresses = this.HubIPAddress,
-                    Zones = this.Zone == null ? null : this.Zone.ToList()
+                    Zones = this.Zone == null ? null : this.Zone.ToList(),
+                    IdentifyTopFatFlow = (this.IdentifyTopFatFlow.IsPresent ? "true" : null)
                 };
             }
             else
@@ -320,7 +327,8 @@ private PSAzureFirewall CreateAzureFirewall()
                     DNSEnableProxy = (this.EnableDnsProxy.IsPresent ? "true" : null),
                     DNSServer = this.DnsServer,
                     AllowActiveFTP = (this.AllowActiveFTP.IsPresent ? "true" : null),
-                    Sku = sku
+                    Sku = sku,
+                    IdentifyTopFatFlow = (this.IdentifyTopFatFlow.IsPresent ? "true" : null)
                 };
 
                 if (this.Zone != null)

src/Network/Network/ChangeLog.md

@@ -19,6 +19,8 @@
 --->
 
 ## Upcoming Release
+* Added `IdentifyTopFatFlow` parameter to `AzureFirewall`
+    - `New-AzFirewall`
 * Enabled Azure Firewall forced tunneling by default (AzureFirewallManagementSubnet and ManagementPublicIpAddress are required) whenever basic sku firewall is created.
     - `New-AzFirewall`
 * Fixed bug that causes an overflow due to incorrect SNAT private ranges IP validation.

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -1299,7 +1299,8 @@ private static void Initialize()
                         { "Network.SNAT.PrivateRanges", src.PrivateRange?.Aggregate((result, item) => result + "," + item) },
                         { "Network.FTP.AllowActiveFTP", src.AllowActiveFTP },
                         { "Network.DNS.EnableProxy", src.DNSEnableProxy },
-                        { "Network.DNS.Servers", src.DNSServer?.Aggregate((result, item) => result + "," + item) }
+                        { "Network.DNS.Servers", src.DNSServer?.Aggregate((result, item) => result + "," + item) },
+                        { "Network.AdditionalLogs.IdentifyTopFatFlows", src.IdentifyTopFatFlow },
                     }.Where(kvp => kvp.Value != null).ToDictionary(key => key.Key, val => val.Value);   // TODO: remove after backend code is refactored
                 });
                 cfg.CreateMap<CNM.PSAzureFirewallSku, MNM.AzureFirewallSku>();
@@ -1346,6 +1347,7 @@ private static void Initialize()
                     }
                     dest.AllowActiveFTP = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.FTP.AllowActiveFTP", StringComparison.OrdinalIgnoreCase)).Value;
                     dest.DNSEnableProxy = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.DNS.EnableProxy", StringComparison.OrdinalIgnoreCase)).Value;
+                    dest.IdentifyTopFatFlow = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.AdditionalLogs.IdentifyTopFatFlows", StringComparison.OrdinalIgnoreCase)).Value;
                     try
                     {
                         dest.DNSServer = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("Network.DNS.Servers", StringComparison.OrdinalIgnoreCase)).Value?.Split(',').Select(str => str.Trim()).ToArray();

src/Network/Network/Models/AzureFirewall/PSAzureFirewall.cs

@@ -79,6 +79,8 @@ public string[] PrivateRange
 
         public string AllowActiveFTP { get; set; }
 
+        public string IdentifyTopFatFlow { get; set; }
+
         [JsonIgnore]
         public string IpConfigurationsText
         {

src/Network/Network/help/New-AzFirewall.md

@@ -22,8 +22,8 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String>
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-IdentifyTopFatFlow]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### OldIpConfigurationParameterValues
@@ -35,8 +35,8 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-IdentifyTopFatFlow]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### IpConfigurationParameterValues
@@ -49,8 +49,8 @@ New-AzFirewall -Name <String> -ResourceGroupName <String> -Location <String> -Vi
  [-ThreatIntelWhitelist <PSAzureFirewallThreatIntelWhitelist>] [-PrivateRange <String[]>] [-EnableDnsProxy]
  [-DnsServer <String[]>] [-Tag <Hashtable>] [-Force] [-AsJob] [-Zone <String[]>] [-SkuName <String>]
  [-SkuTier <String>] [-VirtualHubId <String>] [-HubIPAddress <PSAzureFirewallHubIpAddresses>]
- [-FirewallPolicyId <String>] [-AllowActiveFTP] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-FirewallPolicyId <String>] [-AllowActiveFTP] [-IdentifyTopFatFlow]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -403,6 +403,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -IdentifyTopFatFlow
+Identify Top Fat Flows. By default it is false.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Location
 Specifies the region for the Firewall.
 
@@ -561,7 +576,7 @@ The sku tier for firewall
 Type: System.String
 Parameter Sets: (All)
 Aliases:
-Accepted values: Standard, Premium
+Accepted values: Standard, Premium, Basic
 
 Required: False
 Position: Named

src/Network/Network/help/Set-AzFirewall.md

@@ -73,6 +73,7 @@ $pip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name publicIpName
 $firewall.Allocate($vnet, $pip)
 $firewall | Set-AzFirewall
 ```
+
 This example retrieves a Firewall, deallocates the firewall, and saves it. The Deallocate command removes the running 
 service but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called.
 If user wants to start the service again, the Allocate method should be called on the firewall.
@@ -87,6 +88,7 @@ $mgmtPip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name MgmtPublicIpNam
 $firewall.Allocate($vnet, $pip, $mgmtPip)
 $firewall | Set-AzFirewall
 ```
+
 This example allocates the firewall with a management public IP address and subnet for forced tunneling scenarios. The VNet must contain a subnet called "AzureFirewallManagementSubnet".
 
 ### 6:	Add a Public IP address to an Azure Firewall
@@ -165,11 +167,62 @@ $Hub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
 $firewall.Allocate($Hub.Id)
 $firewall | Set-AzFirewall
 ```
+
 This example retrieves a Hub Firewall, deallocates the hub firewall, and saves it. The Deallocate command removes the reference 
 to the virtual hub but preserves the firewall's configuration. For changes to be reflected in cloud, Set-AzFirewall must be called.
 The Allocate method assigns the virtual hub reference to the firewall. Again, for changes to be reflected in cloud,
 Set-AzFirewall must be called.
 
+### 13:	Identify Top Fat Flows on Azure Firewall
+```powershell
+$azFw = Get-AzFirewall -Name "ps184" -ResourceGroupName "ps774"
+$azFw.IdentifyTopFatFlow = $true
+
+$azFw | Set-AzFirewall
+```
+
+```output
+		AllowActiveFTP	                : null	
+		ApplicationRuleCollections	    : Count = 0	
+		ApplicationRuleCollectionsText	: "[]"	
+		DNSEnableProxy	                : null	
+		DNSServer	                    : null	
+		DNSServersText	                : "null"	
+		Etag	                        : "W/\"7533fa1b-8588-400d-857c-6bc372e14f1b\""
+		FirewallPolicy	                : null	
+		HubIPAddresses	                : null	
+		Id	                            : "/subscriptions/aeb5b02a-0f18-45a4-86d6-81808115cacf/resourceGroups/ps774/providers/Microsoft.Network/azureFirewalls/ps184"	
+		IdentifyTopFatFlow	            : "true"	
+		IpConfigurations	            : Count = 0	
+		IpConfigurationsText	        : "[]"	
+		Location	                    : "eastus"	
+		ManagementIpConfiguration	    : null	
+		ManagementIpConfigurationText	: "null"	
+		Name	                        : "ps184"	
+		NatRuleCollections	            : Count = 0	
+		NatRuleCollectionsText	        : "[]"	
+		NetworkRuleCollections	        : Count = 0	
+		NetworkRuleCollectionsText	    : "[]"	
+		PrivateRange	                : null	
+		PrivateRangeText	            : "null"	
+		ProvisioningState	            : "Succeeded"	
+		ResourceGroupName	            : "ps774"	
+		ResourceGuid	                : null	
+		Sku	                            : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallSku}	
+		Tag	                            : null	
+		TagsTable	                    : null	
+		ThreatIntelMode	                : "Alert"	
+		ThreatIntelWhitelist	        : {Microsoft.Azure.Commands.Network.Models.PSAzureFirewallThreatIntelWhitelist}	
+		ThreatIntelWhitelistText	    : "{\r\n  \"FQDNs\": null,\r\n  \"IpAddresses\": null\r\n}"	
+		Type	                        : "Microsoft.Network/azureFirewalls"	
+		VirtualHub	                    : null	
+		Zones	                        : Count = 0	
+		privateRange	                : null	
+
+```
+
+In this example, Identify Top Fat Flows is enabled on the Firewall.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -248,7 +301,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS