Governance · Low · Rare · AZF-0048

An orphaned Firewall Policy is a full ruleset that protects nothing

A Firewall Policy attached to no Azure Firewall and inherited by no child policy is a complete ruleset that enforces nothing, yet still reads as authoritative.

Footgun ID
AZF-0048 (Azure Footgun No. 48)
Azure service
Azure Firewall
Resource type
Microsoft.Network/firewallPolicies
Updated
July 1, 2026

What it is

An Azure Firewall Policy (a complete set of network, application, and DNAT rule collections) that is attached to no Azure Firewall and has no child policies inheriting from it. Every rule inside it is dead configuration.

Impact (governance)
No direct charge; the harm is a detailed but unenforced security ruleset
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Firewall Policies are decoupled from firewalls by design so they can be authored, versioned, and reused. That same decoupling lets them outlive their purpose: a firewall is rebuilt against a new policy, a parent-child hierarchy is flattened, or a policy is drafted for a deployment that never ships. Azure exposes read-only back-references on the policy (properties.firewalls and properties.childPolicies), and an orphan is one where both are empty, meaning nothing enforces its rules and nothing inherits them. Note that having a parent does not save a policy: a child policy that inherits from a base but is attached to no firewall is still an orphan, and a base whose only children are such orphans enforces nothing either, even though its childPolicies list is non-empty.

The trap is that an orphaned policy looks exactly as complete and authoritative as a live one. It has the same carefully written rule collections, the same threat-intel settings, the same DNAT rules. Someone auditing the environment can mistake it for the policy in force, or edit it believing a change will take effect, when in reality it is enforcing nothing anywhere.
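As an added example (not code from the Azure Footguns page or from StratoLens), the classification below applies the orphan test to Firewall Policy resource documents in the ARM / Azure Resource Graph shape, where properties.firewalls and properties.childPolicies are arrays of {"id": ...} back-references. It generalises the page's test in two ways: a missing or null back-reference is treated the same as an empty array, and a base policy whose descendants are all unattached is reported as a dead tree, since nothing enforces its rules through inheritance. The subscription, resource-group, policy and firewall names, and the whole SAMPLE_POLICIES inventory, are constructed for the example.

```python
"""Classify Azure Firewall Policies by whether anything enforces their rules.

Added example; not code from the Azure Footguns page or from StratoLens.
Assumes documents shaped like the ARM / Azure Resource Graph view of
Microsoft.Network/firewallPolicies. SAMPLE_POLICIES is constructed data.
"""
from typing import Dict, List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # assumed subscription id


def policy_id(name: str, rg: str = "rg-network") -> str:
    """Build a firewall-policy resource id (assumed subscription and resource group)."""
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Network/firewallPolicies/{name}"


def _ref_ids(props: dict, key: str) -> List[str]:
    """Resource ids in a back-reference array. A missing or null property is treated
    exactly like an empty array, which a bare array_length(...) == 0 test would skip."""
    return [r["id"].lower() for r in (props.get(key) or []) if isinstance(r, dict) and "id" in r]


def classify_policies(policies: List[dict]) -> Dict[str, str]:
    """Return {policy id (lowercase) -> class} for every policy in the inventory.

    live       an Azure Firewall references the policy directly
    parent     no firewall, but some descendant policy is live, so its rules
               are enforced through inheritance
    orphan     no firewall and no child policy (the footgun as defined on this page)
    dead_tree  has child policies, but no descendant is attached to a firewall,
               so the whole hierarchy enforces nothing (generalisation of the orphan case)
    """
    by_id = {p["id"].lower(): (p.get("properties") or {}) for p in policies}
    children = {pid: _ref_ids(props, "childPolicies") for pid, props in by_id.items()}
    attached = {pid for pid, props in by_id.items() if _ref_ids(props, "firewalls")}

    def enforced(pid: str, seen: frozenset) -> bool:
        if pid not in by_id:
            return True   # child outside our inventory: assume live, never flag on partial data
        if pid in attached:
            return True
        if pid in seen:
            return False  # defensive only; Azure does not allow inheritance cycles
        return any(enforced(c, seen | {pid}) for c in children[pid])

    result: Dict[str, str] = {}
    for pid in by_id:
        if pid in attached:
            result[pid] = "live"
        elif not children[pid]:
            result[pid] = "orphan"
        elif enforced(pid, frozenset()):
            result[pid] = "parent"
        else:
            result[pid] = "dead_tree"
    return result


def dead_config_report(policies: List[dict]) -> List[dict]:
    """Unenforced policies with the details that make them look authoritative:
    SKU tier, threat-intel mode, and how many rule collection groups are dead."""
    classes = classify_policies(policies)
    rows = []
    for p in policies:
        cls = classes[p["id"].lower()]
        if cls in ("orphan", "dead_tree"):
            props = p.get("properties") or {}
            rows.append({
                "name": p["name"],
                "class": cls,
                "sku": (props.get("sku") or {}).get("tier"),
                "threatIntelMode": props.get("threatIntelMode"),
                "ruleCollectionGroups": len(props.get("ruleCollectionGroups") or []),
            })
    return sorted(rows, key=lambda r: (-r["ruleCollectionGroups"], r["name"]))


def _policy(name, firewalls=None, children=None, rcgs=0, tier="Standard") -> dict:
    """Constructed sample in ARM shape. firewalls/children=None omits the key entirely
    (as ARM does for some resources); [] is an explicit empty array."""
    props = {"sku": {"tier": tier}, "threatIntelMode": "Alert",
             "ruleCollectionGroups": [{"id": f"{policy_id(name)}/ruleCollectionGroups/rcg-{i}"}
                                      for i in range(rcgs)]}
    if firewalls is not None:
        props["firewalls"] = [{"id": f"{SUB}/resourceGroups/rg-network/providers/"
                                     f"Microsoft.Network/azureFirewalls/{f}"} for f in firewalls]
    if children is not None:
        props["childPolicies"] = [{"id": policy_id(c)} for c in children]
    return {"id": policy_id(name), "name": name,
            "type": "Microsoft.Network/firewallPolicies", "properties": props}


SAMPLE_POLICIES = [  # constructed inventory
    _policy("p-base", firewalls=[], children=["p-hub", "p-stale-region"], rcgs=2),
    _policy("p-hub", firewalls=["fw-hub"], children=[], rcgs=4),
    _policy("p-stale-region", firewalls=[], children=[], rcgs=1),  # orphan despite a parent
    _policy("legacy-egress-policy", rcgs=3),                        # orphan; keys absent
    _policy("p-draft-base", firewalls=[], children=["p-draft-child"], rcgs=2),
    _policy("p-draft-child", firewalls=[], children=[], rcgs=1),
]

if __name__ == "__main__":
    for row in dead_config_report(SAMPLE_POLICIES):
        print(f"{row['class']:10} {row['name']:24} {row['ruleCollectionGroups']} rule collection group(s)")
```

Feed it the output of an Azure Resource Graph query that projects the full properties bag (or `az resource list --resource-type Microsoft.Network/firewallPolicies`), one subscription at a time or across the tenant; the dead-tree case only surfaces when the whole inventory is in the same run, because the parent is judged by its children.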

What it costs / blast radius

A standalone Firewall Policy has no meter of its own, so this is not a cost problem. The harm is a governance and security-hygiene one: a detailed, convincing ruleset that enforces nothing invites exactly the wrong conclusion during a review, and can absorb edits that quietly go nowhere. Dead security configuration is worse than none, because it looks like protection. (Authored assessment of Azure behavior.)

See it

Find them: Firewall Policies with no firewall and no child policy
// Azure Resource Graph. A back-reference that is absent comes back as null, and
// array_length(null) == 0 is not true in KQL, so coalesce to 0 before comparing.
Resources
| where type =~ 'microsoft.network/firewallpolicies'
| where coalesce(array_length(properties.firewalls), 0) == 0
    and coalesce(array_length(properties.childPolicies), 0) == 0
| project name, resourceGroup, subscriptionId, location,
          sku = tostring(properties.sku.tier),
          ruleCollectionGroups = coalesce(array_length(properties.ruleCollectionGroups), 0)
Fix: attach it to the firewall that should use it, or delete the dead policy
// Needs the azure-firewall CLI extension. Confirm both back-references are empty, then delete.
az network firewall policy show \
  --name legacy-egress-policy \
  --resource-group rg-network \
  --query '{firewalls: firewalls, childPolicies: childPolicies}'
az network firewall policy delete \
  --name legacy-egress-policy \
  --resource-group rg-network

How StratoLens helps

StratoLens automatically and continuously flags Firewall Policies that no firewall uses and no child policy inherits, across every subscription in your tenant, so a dead ruleset cannot be mistaken for the one that is actually protecting traffic. You see which policies are enforced and which are just detailed drafts nobody wired up.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.