Azure Firewall Reviews

We use it to protect the Azure space and to be the bridge between on-premise and the cloud.

When I have had a site-to-site VPN set up and configured, and would use it to allow ordinary traffic from the on-premise device to the cloud and from other third-party suppliers to the Azure platform.

We also use it to provide connectivity to various network security groups that have been created within Azure.

I would say that this solution is really good compared to other solutions that we have had before. We would have used the FortiGate firewall in the Azure space. 

We find this process was quicker. It would get a faster turnaround time once we would generate and modify the firewall rules. Because of the visibility, we would have seen it. When compared to FortiGate, it would get a bit more visibility in terms of integration with the security center so that we would be able to review based on overall posture, see what needs to be fixed, or what changes need to be made. 

The turnaround time turns off rules and any gaps that exist would increase the turnaround time for that as well. It would also help us to increase our response time and reduce our attack surface by 20% so far.

With the recent upgrade to the premium version, it facilitates IP Groups, URL filtering, TLS inspection, IDPs, and the Web Categories.

Before using the premium version, a lot of our customers had concerns with the URL filter, where you would not be able to allow or block a specific URL. The feature set without a premium version would only allow you to do it via IP address, which is tedious.

At times, many of these vendors would be using some kind of CDN solution. It would be the case where multiple IPs appear, changing behind the URL when it would be easier if you're using the URL feature. The URL maps onto the IP address and it would be the easiest way to do that.

I think that one of the best features is definitely the premium version, along with the IDPs in terms of the intrusion detection and prevention system.

Many other vendors, when you do not have the license for the IP at some point, then you would be left not being able to do any prevention. The fact that the premium version includes this is good.

The TLS inspection allows you to decrypt the outbound traffic and encrypt data. Otherwise, we would have been using our third-party vendors, and whatever solution is within Azure.

With the various business units, we will be reaching out to other solutions there are in the web category to reduce the attack surface to see if this is a category that is alone or not.

The fact that Azure also ties into a security center is another good feature. You can also get rid of that visibility because of the tight integration with these Azure products.

We had an instance where it wasn't processing the rules and we had to engage Microsoft to resolve that issue. Microsoft Support needs to improve its response time.

For larger enterprises, they need to adjust the scalability. This is the only issue that I'm have found that it attributed to the two weeks of downtime we had experienced.

They need to offer either a scaled-up or scaled-out version or versions for larger enterprise companies.

This would greatly improve the solution.

I have been using Azure Firewall for approximately two and a half years.

I have recently upgraded to the premium version.

Azure Firewall is pretty stable. 

I believe that they listen to various sponsors, which is why they were able to release the premium version. It is a more established firewall that vendors now have. 

I'm seeing where they have met up with the dynamics of the market, and I am expecting that they will be a leader sometime in the near future.

They need to find a way to scale it out or scale it up a bit more. The scalability, it's okay, but it needs a lot more improvement. For a regular customer that's utilizing it, that's good, but for large enterprise companies, it is not as good.

The industry is telecoms. We have millions of customers. For that type of environment, they need better and more scalability.

We haven't totally assessed the premium version to see if the new features offer greater scalability. 

We utilize it across the cloud estate. We plan to expand our subscriptions. Most definitely, we will increase our usage.

Recently, we transitioned to the premium version, which will be extended to the other subscription once it has been rolled out across 32 countries, and with more instances, it will be rolled out across various continents.

The turnaround time in resolving the issue where it wasn't processing the rules is an area that needs improvement. It wasn't resolved in a timely manner.

Microsoft support took a bit of time to assist us in resolving that issue. It created a bit of downtime for us and it was longer than we expected. 

I would say those would be the cons so far when utilizing it.

I would rate the Microsoft support a five out of ten because they did not respond in a timely manner and the impact it caused in terms of the downtime it created for us. We were down for a week or two during a high-impact period.

They were assisting us but it took a good amount of time to get it resolved when we needed to be putting out things daily. Two weeks is a long time for a fast-paced environment. 

Previously, we were using FortiGate Firewall. We switched because of the migrating of the Security Center and the ease of use. The cost was also considered.

The initial setup was straightforward.

We had another tool which was FortiGate. We migrated from FortiGate to the Azure Firewall.

It was a straightforward migration.

The deployment took approximately three to four weeks.

The implementation strategy would include copying over rules, ensuring that all the services are able to run, and also ensuring that both firewalls were running in parallel. Until we are sure that the Azure Firewall can handle the workload, both firewall products will continue to operate.

After that, we were able to power down the virtual appliance that was on the FortiGate Firewall.

We had it running for quite some time, approximately a month and a half. Because there were no issues, we stopped using the FortiGate Firewall altogether, once that process was complete.

We have a server team, a cloud team, and a network team to administer and maintain this solution. It's approximately eight to ten people, some are network security engineers, a network security manager, and network engineers.

There have been some cost benefits as well. When using another vendor in comparison where you bring your own license, the cost would have gone down. It's more cost-effective to use the Azure Firewall along with the premium version than using a third-party as an option from the marketplace. I would say that as well, where it gives you better spend in terms of OPEX. It's better value for your money.

The licensing module is good. Pricing is one of the reasons we switched to this solution.

For smaller businesses, they could probably put one or two features from premium into the regular standard versions. For example, that URL filtering is a pain point for many customers. 

If they could find a way to scale down that URL and the IPs feature to include it in the standard version, then that would allow them to get more traction and more customers from the small to medium-sized business perspective.

We were using Check Point mostly. We had decided to move to FortiGate, and then we moved to Azure Firewall. 

We did not go with Check Point because of the premium features such as the URL filtering, and the TLS inspection included with Check Point cost a lot more. This was the reason we chose the Azure Firewall.

It's a solid solution. I would tell anybody to definitely give it a try, and consider it as one of the options when looking for a firewall to use in Azure space.

I would say if they can go for the premium version upfront, rather than starting with the standard version, then trying to transition to a premium version. It addresses a lot of the issues and concerns in this space today. They should start with the premium rather than upgrade. Once they can afford it, go straight to premium.

I would rate Azure Firewall an eight out of ten.

We use it to do the network traffic filtering between our private network and a public network. So, it is a boundary. Because of our IDS and IPS needs, the advanced features are enabled in Azure Firewall.

There are two types of versions. In China, there is only the standard tier, but in the rest of the regions, there is the premium tier.

We have a centralized filtering capability because of Azure Firewall. So, our application teams don't need to take too much care of network filtering and network protection. It has helped a lot in reducing the management overhead for our application teams.

It has helped us a lot with compliance. Because of our local cybersecurity law needs, we need to have firewall filtering capability. Before Azure Firewall, we didn't have too many choices. For example, we only had ACL, but Azure Firewall is a real firewall. It can protect us from a lot of traffic. So, it is improving our security and bringing satisfaction to the security team.

From the viewpoint of our internal organization, it simplifies the work for our application teams. Because the Infra team has built a centralized shared firewall service, our application teams can have this kind of managed service from the Infra team. That's one of the benefits. It doesn't directly impact our customers or end-users outside our organizations, but it protects their personal data and information. It also improves their security level. So, overall, the end-users are getting served better.

Network filtering is valuable. The scalability capability from the cloud-native service helps us a lot because it simplifies our day-to-day maintenance activity.

It is a cloud service, but the lending speed for each region is not always the same. For example, in China, the speed is slow. They need to think about how to make sure that the service pace or speed is always the same in all regions. It would be a great improvement if they can provide the same pace worldwide. 

It is still not at par with traditional next-generation firewalls. It is still behind other network and firewall vendors such as Palo Alto. There are other advanced and leading products in the market, and Azure Firewall is still a follower. So, they can consider investing more in this product and make it a market leader like Azure.

I have been using it for more or less two years.

We had a few critical incidents, and we did the investigation together with Microsoft. It seems there were some bugs in Azure Firewall shared cluster. So, at the very beginning, we had a few outages or critical incidents because of the product bugs, but since then, especially in the past few months, it seems very good.

Scalability is a reason why we choose a cloud service like Azure Firewall. It can scale depending on the increase in your real traffic. In our case, we never reached the 20-gigabyte throughput limit, but we can have more instances in case the application or the network traffic grows. So, it can be scaled, and we don't need to take too much care of Azure capacity planning. 

The Infra team is a direct user of this firewall. They take care of its day-to-day management. There are, at the most, 10 people on this team. They build the pipeline, monitor its performance, and based on the service requests, add and modify the JSON templates. In terms of applications, there are maybe hundreds of applications that rely on the service from Azure Firewall. We are implementing Azure Firewall worldwide. So, our footprint is extending.

I would rate them a seven out of 10.

We didn't have any cloud solution previously. We deployed it from scratch.

Its initial setup was pretty straightforward. With its native portal and User Guide, you can very quickly do the implementation. Its UI is very user-friendly. 

We made it an enterprise shared service for our use case. We studied and designed the cloud-native Azure Firewall service from scratch and packaged it as a standard service in our environment. We wanted to maintain the Azure service like the DNAT network rule and application rule. We wanted it to be always manageable in its lifecycle. So, we chose the infrastructure mode to manage our service. We have a delivery pipeline, and we also use the DevOps mode to maintain the Azure Firewall configuration in its lifecycle. For this part, the API is good, and the native Terraform and Ansible have relevant predefined modules. It is working fine. So, for this part, it is very good. It doesn't matter whether you are a junior technical guy or an advanced technical guy. You can always find a comfortable way to deploy, manage, and maintain it.

Its deployment is very quick. It takes a few minutes. In order to make it the deployer pipeline, you need to spend some time because you need to think about the integration, such as how to integrate with GitLab CI, and how to make Azure Workbook so that it can monitor the usage and user performance. We wanted it as a managed service. So, the duration also depends on your use case.

We did it ourselves. For its deployment and maintenance, we have less than five people. They just monitor and respond to all instances. They also accept a service request to implement a new rule or modify the older version of a rule. We don't have to do any upgrades.

We pay based on the usage. So, it makes sense that at the very beginning, we know very well how are they charging. We use and pay for it. So, it is not a CapEx expense. It is an OPEX expense, so it is not the same logic as ROI.

It is pay-as-you-go. So, you pay based on the usage. If I remember it well, there is a basic fee, and there is a traffic fee. It is not per month. It is per hour or something like that. It is not so expensive.

We evaluated Palo Alto. If you want to have a Palo Alto firewall in the cloud, you need to deploy it as a virtual appliance. This part is not that easy because it requires two types of tech stack. You need an Azure computing license for the Palo Alto virtual appliance. In addition, scalability is your responsibility. It is not the responsibility of your core service provider. So, for maintenance, you need to spend more time and effort.

Azure provides a unified API or interface, whereas if you want to have a traditional firewall appliance implemented in the cloud, you need to take care of the API or interface so that it can be managed in an automated way.

You should have a clear understanding of Azure Firewall. You should understand how Microsoft packages it as a service. If you don't understand how is it composed and how it works, it will bring some unexpected issues during your day-to-day operation. This is a major service from Microsoft, so the quality of Microsoft's product will directly impact the service you want to offer to your customer or users. If you understand it well and test it well, it will give you fewer surprises in the future.

I would rate Azure Firewall a seven out of 10.

The use cases are related to internet-based traffic restriction. Generally, when it comes to gaining access to web applications hosted on Azure from the outside world, and the traffic restriction between the internal supplements.

We're still looking into the features. I can't evaluate much of it right now because we're still exploring. The requirements that we are looking at on the firewalls have been met, and we have begun running the operations. We are also looking forward to the next level of firewall features.

It's auto-scalable, which is a great feature. It also meets industry-level standards and compliance requirements, which have been verified by our security team.

It supports native load balances, and routable can be easily configured, which is another added feature. When we look at any other firewalls, and they were difficult to configure, which came in handy with Azure Firewall.

Layer four security is to be expected. In contrast, with Azure Firewall, you can extend it to the other Wi-Fi layers.

I'm not sure if that is still supported because we haven't yet explored all of the features, but it was on our future roadmap to integrate all restriction traffic and anything with our ITSM tool, most likely ServiceNow. So that an auto ticket can be generated for the ingenious, remediation and fixing can be done. Any type of automation can come into play there as well. Those are on our to-do list. But we're still looking into it. It is yet to be discovered.

It would be much easier if the on-premises, firewall rules, had some kind of export-import possibility in place, which is not the case right now.

As I previously stated, the same integration, most likely ITSM tool integration, is one of those features we'd like to investigate to see if it exists or not, so we can have a more forward-thinking perspective on it.

We implemented Azure Firewall approximately three months ago. 

I have been working with Azure Firewall for two to three months.

I am working with the latest version.

The stability is excellent. As of now, we have not been faced with any issues, and we are keeping our fingers crossed that it remains that way.

It is auto-scalable and highly available.

The number of people using this solution in our organization is quite limited as it is restricted as of now. We currently have three people who are working with this solution.

We may get one or two people on board, but for the time being it is restricted because it is a security device and we don't want to expose much of the admin privileges to the users or administrators, which is why it is restricted.

We get enterprise support as well as Microsoft support with our premium version.

Technical support is also fine. It is sufficient in my opinion. We have a Microsoft solution architect aligned with us as well, and if any new services, or deployment, as well as configuration, are required, he comes into the picture and we can get support from him. Aside from that, we have technical support for case-by-case scenarios such as severity A, B, and C for Microsoft. So far Microsoft support has not been an issue. I have been working with Microsoft for the past 10 years, I don't see much of an issue from Microsoft on support, at least from my point of view.

We have Barracuda, FortiGate, and Check Point as well.

As a comparison, it would be difficult because it is managed by a completely different team from an on-premises perspective. Before deploying Azure, we were looking for what parameters actually made the point, The security team was able to identify that it was good enough for our security parameters to meet our company's requirements. This is why we are using it, and how we deployed the Azure Firewall, subject to security approvals.

The rest of the firewalls on-premises are managed by a different team.

The initial setup was pretty easy. 

In terms of configuration, we haven't faced much of an issue.

The deployment and configuration took two to three hours.

The maintenance parameter is supported by Microsoft. Being a cloud product is very simple in terms of maintenance; we don't need to worry about any kind of patching activity or anything else. On other products, we must check the vendor and follow the OEM recommendation. This is an area that Azure has simplified.

Microsoft assisted us during the deployment. We had a solution engineer from Microsoft.

The deployment was straightforward, on the other hand, from a configuration standpoint we had some help to avoid any issues or misconfiguration. A Firewall is something that is very important from a security point of view. You cannot have any loopholes on that parameter.

We purchased the premium version for our enterprise support and it was quite good.

There isn't much of a pricing licensing model in Azure. Azure Firewalls operate on a pay-as-you-go model, similar to cloud services. So far, the best estimate we've found for our enterprise solution is around 90,000 INR rupees in India. So that's what we discovered. And because we are using three different subscriptions and managing it from a hub network, we divide it and it comes to around 30,000 in INR fee subscription. That is a suite comparison that we have also done with regard to the licenses of other products. And we discovered that it is also comparable in terms of pricing.

When it comes to firewalls or any other type of security device, it is more of an analysis done by your security team to determine whether or not it meets your security requirements. If we are only talking about product and features, I would recommend it because from a cloud perspective, and specifically, if you are using Azure, it is quite easy from a manageability, operations, and configuration standpoint, with respect to the PaaS services.

Whereas if you deploy other vendors on Azure, managing the PaaS services would be difficult because Azure uses service tags, which you can simply configure in Azure Firewall for your PaaS services and other, even VMs. However, if you use other product vendors, there will be some kind of IP address restriction.

If you're in an Azure environment, I'd recommend Azure Firewalls. If it is any other type of environment, we will most likely have to reassess it.

As of now, it is pretty easy to rate it as nine. I won't rate it as 10 because we haven't searched much of the features. I would rate Azure Firewall a nine out of ten.

I've been using Azure Firewall for one or two customers in the UAE to protect against security threats. It protects the Azure infrastructure and PaaS, applications, network, and ports. It's the same as the things we configure with other firewalls.

With Azure firewall, I can extend the security posture from 67 percent to between 75 and 80 percent.

The security of Azure Firewall is okay for smaller and medium-sized organizations. It has been integrated with the virtual WAN, which is a good way to protect multi branches for connection either through ExpressRoute or VPN.

The dashboard is fine because it's simple and easy to use. For junior admins who are joining an organization and want to learn something, Azure Firewall is the best way to go, as it gives them all the flexibility. It's not so customized. Whereas with Palo Alto, for example, you have to understand firewalls, and the security aspects, in a more in-depth way. Azure Firewall is easy.

It is easy for me to protect specific ports or even the IP addresses, as well as do whitelisting, blacklisting, and the FQDN when we want virtual machines connected and to protect certain websites. There are many features which are good enough.

Also, the documentation is awesome, no doubt about it. 

For large organizations, a third-party firewall would be an added advantage, because it would have more advanced features, things that are not in Azure Firewall.

I have been using Azure Firewall for almost three years.

It's absolutely stable because it's Azure. It has the redundancy and the resilience of the Azure Infrastructure Services. I don't think there is downtime with this kind of service. It probably has 99.95 percent uptime.

It should be scalable. That has to do with the backend and Azure takes care of all of that. We have 300 to 400 users.

We have an Enterprise Agreement and that means Microsoft support would answer any calls within half an hour's time, max. They get in touch with us if there is anything that is crucial. It is based on the severity when we create the request.

A Microsoft Enterprise Agreement is the best. I worked on many problems and issues when I was working for a government organization that had an Enterprise Agreement, and I used to get calls immediately. The issues would be resolved within half a day or, at the maximum, one day.

Positive

I haven't worked with other firewalls.

The initial setup is straightforward. There is nothing complex about it. Within 20 minutes, you have the firewall up and running.

Two or three people are sufficient for deployment and maintenance in a small organization. One should be at least a SOC analyst who understands security, and one could be an Azure admin with good knowledge of the Azure infrastructure, PaaS, and security aspects.

Azure Firewall comes with Azure native services. We did not buy any kind of license for it. Whether you have a free subscription or a pay-as-you-go model, you can deploy the Azure Firewall service. For any type of third-party service, like Palo Alto, or Fortinet, or Check Point, we would need to buy a subscription or licenses based on the users, but here it comes with the tenant when you purchase it. You are not going to spend extra money on it. The amount that you use will determine how much you pay.

The pricing of Azure, compared to third-party vendors, is good because it's Azure-native. It's affordable.

It's a common firewall. I haven't faced any issues or problems with it. In Azure services itself, there are other security implementations provided, to do with DDoS protection on the networks. There are certain firewall rules as well and things that we can deploy at the subnet level and on the NIC level. Along with Azure Firewall, other security services have been implemented. It's okay for small and medium-sized organizations that cannot afford to buy a third-party vendor or security appliances to protect their perimeter. Azure Firewall should suffice for them.

Also, as cloud administrators or architects, we are the ones who take care of the protection. As long the end-user is connected with the application, they're fine. To them, it doesn't matter whether we're using Azure Firewall or a third-party appliance. They don't know what is going on at the infrastructure level. They just want the application and the performance to be good.

For small and medium-sized organizations that are not ready to invest in a third-party firewall, and clients who are not so concerned about data security, Azure Firewall is the best solution. If a company needs more protection of, say, their email service, they could go with Proofpoint, an IaaS, or PaaS. For one of our large organizations, where they have financial services and a retail business, they went for a third-party solution along with Azure Firewall.

Overall, I would rate Azure firewall at eight out of 10. There are many advanced features in the other firewalls that are not available in Azure.

When we started using Azure Firewall, we learned quickly that it couldn't do much. As I remember, it was essentially a layer 3 or layer 4 firewall that couldn't distinguish recognized applications and things like that. But it was inexpensive compared to the Palo Alto stuff we were looking at, so we wound up staying with the firewall. Mainly it was just inspecting ports between virtual machines.

Azure Firewall definitely needs a broader feature base. It should be able to go all the way up to layer 7 when looking at applications and things like that. It needs to be comparable to what you would get from Cisco, Palo Alto, Checkpoint, or any of those guys. If it's going to be a firewall, it needs to be competitive. From a security standpoint, it's not any better than loading an IP table in a Linux box. In fact, Linux may even be better in that sense

I've been using Azure Firewall for probably about a year.

Azure Firewall wasn't scalable at all, but it did what it's supposed to do.

I honestly don't remember interfacing a lot with Azure support. I think that we were dealing with a third party, maybe. But I've been dealing with AWS for the last year, and it's a totally different experience in a good way. Their support is outstanding.

Setting up Azure Firewall was easy because all you were doing was configuring source, destination, port, and action. However, there was something weird. You have to number your rules set, and depending on your numbering system, that's how you would have to apply the filtering of the logic of the policy. And in that sense, it's a little bit quirky. I don't think that most firewalls work that way. It just reads the policy, and the algorithm is based on it filtering down through the policies until it hits a truth or a match. And then it makes a decision based on that.

Azure's cost-effectiveness is its major advantage. 

Each company will prioritize what it wants to work on. Azure may outperform AWS in some areas, but after working with the two platforms for roughly the same amount of time, I've found AWS friendlier and more sophisticated overall. AWS just seems to be a better platform for me, honestly.

I would rate Azure Firewall one out of 10. I give it the worst rating because security is so important. However, it depends on your security goals. But you have to look at what's out there and what you typically get out of a box. Even for a cheap application for your computer, Azure Firewall just isn't delivering. It doesn't have any personality at all or functionality even. I definitely wouldn't recommend it to anyone, but I would have to go back and visit it because it's been a year now. The features are so limited that it's pretty much a protocol-filtering product. 

Honestly, I think any serious security-minded entity will bypass Azure Firewall and look at some of the images from the third parties. I guess it's suitable for small outfits that aren't serious about security but want some basic protection. By the time I walked away, I  had spent a lot of hours on it, and I spent more time in my job trying to find a solution and pick the right one. I did everything to learn the firewall's feature set. I finally talked with someone at Microsoft who said, "We know what you want and what you're trying to do, but we're just not there yet."

They just told me to stay tuned. I got the impression Azure Firewall is a very immature product that would probably improve over time. But, at that moment, I didn't think it was unready. It's just that products are trying to achieve different things. You can't have all the horses in all places. It's one of those things where I felt like it would have to be some acquisition or complete outsourcing of the security component to somebody specialized in the area who can sell it as a firewall.

I used it for two of my clients. One of the clients used it for Azure Virtual Desktop implementation and for blocking the internet for the other applications in the IaaS. The use case for the other clients was also similar. It was put in there for holding up traffic and filtering traffic.

It provided ease of maintenance. If a new firewall was needed, we only had to run the pipelines for this. So, the maintenance was very easy.

It reduced work by 30%. It saved maintenance and operational costs by 15%.

The HTTPS Inspection feature was useful where HTTPS traffic is scanned before it goes over the line.

Its interface is okay, and it is very adjustable. I like IP groups and other things that you can do with it.

Rules management could be better. You have all kinds of rules, and they can put something better in place there.

There should be better monitoring and logging. Currently, it is put in Sentinel. It should be more seamless and from the interface.

It has been about two years.

Its stability is very good.

It is scalable. It was used across multiple regions. One of them had about 3,000 users, and the other one had about 5,000 users.

Their technical support is good. I would rate them an eight out of ten.

Positive

We used a different solution. We had on-prem Palo Alto. 

I was involved in its setup. I deployed it with Bicep pipelines. The maintenance was also via pipelines. Its setup was straightforward, especially with Terraform and Bicep. It was done in 10 minutes to 15 minutes.

It is a one-man job, but that is not our advice. It is better to have three or four people who have knowledge of the firewall system. If you have only one person and that person is sick, then you have a problem. You block the internet, and sometimes, you have to open it. So, it is better to do it with a small team. If there are a lot of changes, two to three people should be fine.

In terms of maintenance, there is only the maintenance of new ports or IP addresses, but that's operational management. That's not firewall management as such.

Our clients have seen about 25% return on investment.

It is expensive, especially with the premium functions.

For one of the clients, it was very expensive. You have to use it more at an enterprise level, and there, it was not at an enterprise level. So, it was very costly, but security-wise, it was a very wise decision to use it that way. 

The solution of Palo Alto and the other one, whose name I don't remember, were IaaS-based, but we wanted a platform as a service, and Azure Firewall is that.

If you have an ecosystem based on, for instance, Palo Alto, it would be better to use a Palo Alto firewall because they have one way of working and one interface, but if you have a greenfield deployment or your on-prem is old or legacy, then I would advise going for Azure Firewall.

Its basic features were enough for us. The single sign-on experience was also okay. We had no problem with that. If required, we can use Privileged Identity Management or MFA. All these features are there within Azure.

I would rate it an eight out of ten.

We implemented Azure Firewall to secure edges and gain access control to the internet for BNS and Bitcoin. It's used to access the internet in a safe way. It allows us to access services from Azure via the firewall within Azure.

With this technology, we were able to handle different projects in a smaller amount of time. The time-to-market has been much better since we implemented this solution. We have more agility, take less time to implement, and are able to set up faster.

The firewall policy control, URL content control, and antivirus are all the most valuable aspects. Threat prevention is as well quite good. 

The development area and QA area could be improved. With those improvements, we can improve projects and take even less time to implement them.

I've been using the solution for five years.

It is very stable. I don't remember having a fall or failure in this service. 

It is a good solution in terms of scaling. If we need to support more traffic or more bandwidth, the solution grows automatically. It's configured to grow.

My company has an enterprise contract with Azure, and that contract gives us the right to access very specific, very high-level support. We always have good support and a high level of support with Azure from those that specialize in different areas of Azure.

Sometimes the support is delayed as sometimes we have to connect with support abroad. Sometimes we are limited as our people do not always know English and there can be a language barrier.

Positive

We did not use a different solution. This is the first solution we've used and we'll keep the same solution for now.

I do not have direct experience with technical support. My colleagues in operations were involved in the setup. My role was to define and decide what kind of service we needed.

The deployment was in different regions, including in the USA and Virginia. It was a combination of on-premises and hybrid cloud between the two regions. 

I don't recall the solution needing maintenance.

My colleague and partner implemented the product. 

I have not seen an ROI.

The solution is cheaper than other brands. My company has an enterprise contract and we finally got a good price with Azure.

We evaluated Check Point and Fortinet.

It's simpler to implement Azure. It's simpler in terms of handling the license. With the other providers, in order to get support, it is necessary to sign a contract. With Azure, it's different. It's more agile and simpler to get service. The support is embedded in the service.

I'd rate the solution nine out of ten.

The solution is very simple to implement. In terms of the security policy, it's good. Previously, we had to define how the solution was used and we had to configure it. It's necessary to define and have a good plan as the solution is very fast to implement. The velocity has to be contained via having a good plan. You need to be very clear and very detailed. Be prepared and plan everything in advance. 

There are a lot of competitors to Azure Firewall. Microsoft figured it out, that they needed a firewall for their Azure platform that can integrate with their services. That's why they came up with Azure Firewall. It really has a pretty nice integration with Azure services. 

In terms of the reporting, it's beautiful. It integrates with Azure monitoring and with Azure policies. That piece is a big help. You can set governing policies and you can use the application firewall, as well as the Azure Firewall, to enforce those policies. If you use the Azure platform, it is the best choice. And they're working on integrating it with many more Azure resources.

The configuration is much easier because Microsoft already provides you with a tool that belongs to Azure. You can set one rule instead of setting 100 rules. That makes the administration of Azure Firewall much easier. For example, when it comes to DNS tags, services tags, and URL tags, you don't have to go URL-by-URL and tell it to open this or that port.

In addition, it's a SaaS service. You don't have to worry about managing a virtual machine and things like patching and upgrading.

It needs a lot of improvement, especially on intruder detection. They are working hard on that.

I am an experienced Azure architect. I have more than 30 years in this field. I don't do operations anymore, although I know how to configure things.

I have just done the design on a project for General Electric, with Azure Firewall.

It's very stable. Microsoft will not put something out there that is unstable.

Another big benefit of Azure Firewall is the scalability. You can grow it to meet the load of traffic. With a virtual appliance-based solution from Palo Alto or Cisco, you need to add another one to scale.

Their tech support is great. They are very helpful. They can be involved in the design.

The initial setup is a piece of cake. You just provision it. You need to know your requirements because there are two versions, Standard and Premium, which affect your costs.

One of the benefits of Azure Firewall, while it is not mature yet, is that the total cost of ownership is much less than Palo Alto, Cisco, or any other brand.

When people look at the cost of Azure Firewall, they think, "Oh, it's pretty expensive." But when you base it on the total cost of ownership over a period of time, you have to look at the scalability and the fact that, if you already have Microsoft support, it is included for Azure Firewall automatically. When you add in the integration and the management, it comes out to much less than virtual appliances.

I would highly recommend it if your design needs Azure Firewall. It might not need it. It might be that you could use an application firewall and that the application gateway will be more than enough.

They're working on a distributed solution so that it's not that you just have a virtual network and one firewall. They really want to have more than one entry point into your environment, with ways to orchestrate it, with the IP coming from a client to different firewalls. They are moving at the speed of light to realize a lot of strategic initiatives for Azure Firewall. It is one of the strategic items that Microsoft is working on.