[AzureFirewall] az network firewall create/update: Add parameter `-…

…-fat-flow-logging` (#5213)

src/azure-firewall/HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.14.2
+++++++
+* `az network firewall create/update`: add parameter `--fat-flow-logging`
+
 0.14.1
 ++++++
 * `az network firewall policy`: add parameter `sql`

src/azure-firewall/azext_firewall/_params.py

@@ -65,6 +65,8 @@ def load_arguments(self, _):
         c.argument('threat_intel_mode', arg_type=get_enum_type(['Alert', 'Deny', 'Off']), help='The operation mode for Threat Intelligence.')
         c.argument('allow_active_ftp', arg_type=get_three_state_flag(),
                    help="Allow Active FTP. By default it is false. It's only allowed for azure firewall on virtual network.")
+        c.argument('enable_fat_flow_logging', options_list=['--fat-flow-logging'], arg_type=get_three_state_flag(),
+                   help="Identify fat flows. By default it is false.")
 
     with self.argument_context('network firewall', arg_group='Virtual Hub Public Ip') as c:
         c.argument('hub_public_ip_count', options_list=['--public-ip-count', '--count'], type=int,

src/azure-firewall/azext_firewall/custom.py

@@ -68,7 +68,8 @@ def create_azure_firewall(cmd, resource_group_name, azure_firewall_name, locatio
                           tags=None, zones=None, private_ranges=None, firewall_policy=None,
                           virtual_hub=None, sku=None,
                           dns_servers=None, enable_dns_proxy=None,
-                          threat_intel_mode=None, hub_public_ip_count=None, allow_active_ftp=None, tier=None):
+                          threat_intel_mode=None, hub_public_ip_count=None, allow_active_ftp=None, tier=None,
+                          enable_fat_flow_logging=False):
     if firewall_policy and any([enable_dns_proxy, dns_servers]):
         raise CLIError('usage error: firewall policy and dns settings cannot co-exist.')
     if sku and sku.lower() == 'azfw_hub' and not all([virtual_hub, hub_public_ip_count]):
@@ -118,6 +119,11 @@ def create_azure_firewall(cmd, resource_group_name, azure_firewall_name, locatio
             firewall.additional_properties = {}
         firewall.additional_properties['Network.FTP.AllowActiveFTP'] = "true"
 
+    if enable_fat_flow_logging:
+        if firewall.additional_properties is None:
+            firewall.additional_properties = {}
+        firewall.additional_properties['Network.AdditionalLogs.EnableFatFlowLogging'] = "true"
+
     return client.begin_create_or_update(resource_group_name, azure_firewall_name, firewall)
 
 
@@ -126,7 +132,7 @@ def update_azure_firewall(cmd, instance, tags=None, zones=None, private_ranges=N
                           firewall_policy=None, virtual_hub=None,
                           dns_servers=None, enable_dns_proxy=None,
                           threat_intel_mode=None, hub_public_ip_addresses=None,
-                          hub_public_ip_count=None, allow_active_ftp=None):
+                          hub_public_ip_count=None, allow_active_ftp=None, enable_fat_flow_logging=None):
     if firewall_policy and any([enable_dns_proxy, dns_servers]):
         raise CLIError('usage error: firewall policy and dns settings cannot co-exist.')
     if all([hub_public_ip_addresses, hub_public_ip_count]):
@@ -194,6 +200,14 @@ def update_azure_firewall(cmd, instance, tags=None, zones=None, private_ranges=N
         elif 'Network.FTP.AllowActiveFTP' in instance.additional_properties:
             del instance.additional_properties['Network.FTP.AllowActiveFTP']
 
+    if enable_fat_flow_logging is not None:
+        if instance.additional_properties is None:
+            instance.additional_properties = {}
+        if enable_fat_flow_logging:
+            instance.additional_properties['Network.AdditionalLogs.EnableFatFlowLogging'] = "true"
+        elif 'Network.AdditionalLogs.EnableFatFlowLogging' in instance.additional_properties:
+            del instance.additional_properties['Network.AdditionalLogs.EnableFatFlowLogging']
+
     return instance