Azure Firewall Policy: Fix Failed Provisioning State

Reading Time: 2 minutes

Issue

On a recent project, a routine change was made to one of the Azure Firewall rules. This resulted in the provisioning state to change from “Succeeded” to “Failed” on the Firewall Policy:

Provisioning state: Failed

After inspecting the logs, we can see that a Microsoft service caused the failure:

Activity Log Failure

When the firewall policy manager is in this failed state, there is no guarantee that the latest firewall rules and changes are active.

Method 1 Fix: Utilise Azure Resource Manager

The first step to resolve this issue is to navigate to: https://resources.azure.com. You will then need to drill down to the resource group where Azure Firewall is situated and select the problematic firewall. See below:

resources.azure.com
  1. Once the firewall in question is selected, click on Get to receive an updated state.
  2. Click on Edit.
  3. Click on Put.
  4. Check the Firewall policy state back in the Azure portal to see if provisioning state has changed. If not, move to method 2 below.

Method 2 Fix: Update a Firewall Rule

If the Provisioning state is still showing as Failed, then simply make any change to one of the Firewall rules. For instance, make a minor name change to one of the Firewall rules, then save the changes. You will find that this forces the provisioning state to succeeded.

Method 3 Fix: Open Support Ticket with Microsoft

If Method 2 does not resolve the error, then you will need to open up a support ticket with Microsoft who will engage the appropriate team to fix the problem. This issue is also a documented and known bug as highlighted here.

Azure Firewall is a managed service and once updates/changes are made, multiple nodes in the back end need to be updated. This is why committing changes is a slow process. I found that if you’re making multiple changes to firewall rules, then as a rule of thumb, you should wait 2 minutes between changes. Making multiple quick fire changes can also trigger this problem. As Azure Firewall becomes a more mature product, I am hoping this will no longer be a concern.

One comment

  1. a flavour – perhaps easier – of one of the methods

    in powershell

    Get-AzFirewallPolicy… | Set-AzFirewallPolicy

Leave a Reply

Your email address will not be published. Required fields are marked *