Azure Firewall - classic rules - SNAT learned prefixes

Peter Stieber 245 Reputation points
2025-08-25T12:54:37.6233333+00:00

I am testing the firewall in the lab, and the following API call always returns an empty object

POST https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/azureFirewalls/azureFirewall1/learnedIPPrefixes?api-version=2024-05-01

The firewall is using classic rules. A Route Server is deployed in the same VNet. BGP is up, and prefixes are being advertised by the peer to the Route Server.

From peer: [screenshot]

Route Server IPs: [screenshot]

FW settings: [screenshot]

The response I am getting from the API:

{}

In the GUI I also see nothing: [screenshot]


1 answer

  1. Harish Peddapally 240 Reputation points Microsoft External Staff Moderator
    2025-08-26T04:50:47.1233333+00:00

    Hi Peter Stieber,

    Welcome to Microsoft Q&A, and thank you for posting your query here!

    As I observed from the uploaded images and context:

    • Auto-learn IP prefixes are disabled because the firewall is using classic rules, not a Firewall Policy.
    • The GUI states "No firewall policy", which confirms that auto-learn SNAT IP prefixes is not active.
    • The Route Server is correctly linked (testRouteServer), but no prefixes are learned.
    • The screenshots show that the BGP peers are advertising two prefixes (10.3.138.128/25, 10.255.255.0/32).
    • This confirms that BGP is functioning and the Route Server is receiving routes.
    • This confirms the Route Server is deployed and associated.
    • The API response is {}, an empty object, matching what the GUI shows ("No prefixes have been learned").

    So, the reason why the API returns an empty object {} is:

    The learnedIPPrefixes API only works when:

    • Azure Firewall is configured with a Firewall Policy.
    • Auto-learn SNAT prefixes is enabled.

    Since your firewall is using classic rules, this feature is not supported, and the API will always return an empty object regardless of BGP or Route Server configuration.

    To overcome this, and to enable SNAT prefix learning and get meaningful API responses, you may need to follow these steps:

    Refer: https://learn.microsoft.com/en-us/rest/api/firewall/azure-firewalls/list-learned-prefixes?view=rest-firewall-2024-05-01&tabs=HTTP

    Migrate to Firewall Policy:

    • Microsoft recommends using Firewall Policies over classic rules.
    • You can migrate your existing configuration to Firewall Policy using the Azure portal, PowerShell, CLI, or ARM templates.
    • Once migrated, go to the Firewall Policy settings and enable the feature.
    • Once migrated, the learnedIPPrefixes API should begin returning prefixes as expected.
    • The firewall will then start learning prefixes every 30 minutes.

    Microsoft Learn Document: https://learn.microsoft.com/en-us/azure/firewall-manager/policy-overview

    If you found the above response helpful, please do not forget to "Accept the answer"; this can be beneficial to other community members.

    Thank you again for your time. I’m happy to continue supporting you!

    Thanks

    Harish.
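The three states the answer describes (classic rules, policy attached but auto-learn off, auto-learn on but nothing learned yet) can be checked offline against the resource JSON before anyone changes the firewall. The script below is an added example, not code from the post or from Microsoft. It assumes the Microsoft.Network REST shapes as I know them: an Azure Firewall carries `properties.firewallPolicy.id` only when it uses a Firewall Policy, a Firewall Policy carries `properties.snat.autoLearnPrivateRanges` ("Enabled"/"Disabled"), and the learnedIPPrefixes call returns `{"ipPrefixes": [...]}`. All sample documents are constructed here; the only real values are the two prefixes from the question. The last function goes a step beyond the thread: because learned prefixes are treated as internal (traffic to them is not SNATed), it buckets what was learned so a peer leaking public space or a default route does not silently change SNAT behaviour.

```python
"""Added example (not from the post or Microsoft): diagnose an empty
learnedIPPrefixes response, build the body that turns auto-learn on, and
sanity-check learned prefixes. JSON shapes and sample documents are assumptions."""
import copy
import ipaddress

API_VERSION = "2024-05-01"

# Learned prefixes become no-SNAT destinations; anything outside these ranges
# should be reviewed before it changes what the firewall stops translating.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "fc00::/7",                                        # IPv6 ULA
)]


def learned_prefixes_url(subscription_id, resource_group, firewall_name,
                         api_version=API_VERSION):
    """The URL from the question, assembled from its parts (sent with POST)."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.Network"
            f"/azureFirewalls/{firewall_name}/learnedIPPrefixes"
            f"?api-version={api_version}")


def diagnose(firewall, policy, learned):
    """Explain a learnedIPPrefixes response.

    firewall: GET azureFirewalls/{name} body
    policy:   GET firewallPolicies/{name} body, or None when the firewall has none
    learned:  POST .../learnedIPPrefixes body
    Returns (state, detail); detail is the prefix list when state == "learned".
    """
    props = firewall.get("properties") or {}
    policy_id = (props.get("firewallPolicy") or {}).get("id")
    if not policy_id:
        return ("classic-rules",
                "no properties.firewallPolicy: classic rules, auto-learn cannot "
                "be enabled, {} is the expected response")
    snat = ((policy or {}).get("properties") or {}).get("snat") or {}
    if snat.get("autoLearnPrivateRanges") != "Enabled":
        return ("auto-learn-disabled",
                f"{policy_id} has snat.autoLearnPrivateRanges="
                f"{snat.get('autoLearnPrivateRanges')!r}")
    prefixes = learned.get("ipPrefixes") or []
    if not prefixes:
        return ("nothing-learned-yet",
                "auto-learn is on but nothing learned: check the Route Server "
                "peering and wait for the next learning cycle")
    return ("learned", list(prefixes))


def enable_auto_learn(policy):
    """Full policy body for a PUT (createOrUpdate) with auto-learn switched on."""
    body = copy.deepcopy(policy)
    snat = body.setdefault("properties", {}).setdefault("snat", {})
    snat["autoLearnPrivateRanges"] = "Enabled"
    return body


def audit_learned_prefixes(prefixes):
    """Bucket learned prefixes as internal, default-route, or public (review)."""
    buckets = {"internal": [], "default-route": [], "public": []}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen == 0:
            buckets["default-route"].append(p)
        elif any(net.version == r.version and net.subnet_of(r)
                 for r in INTERNAL_RANGES):
            buckets["internal"].append(p)
        else:
            buckets["public"].append(p)
    return buckets


if __name__ == "__main__":
    # Constructed documents mirroring the question: classic rules, no policy.
    classic_fw = {"name": "azureFirewall1", "properties": {}}
    print(diagnose(classic_fw, None, {}))
    policy_fw = {"name": "azureFirewall1", "properties": {"firewallPolicy": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/"
              "Microsoft.Network/firewallPolicies/fwpol1"}}}  # hypothetical policy
    pol = {"properties": {"snat": {"autoLearnPrivateRanges": "Disabled"}}}
    print(diagnose(policy_fw, pol, {}))
    print(diagnose(policy_fw, enable_auto_learn(pol), {}))
    # The two prefixes from the question plus constructed noise a peer might leak.
    learned = {"ipPrefixes": ["10.3.138.128/25", "10.255.255.0/32",
                              "198.51.100.0/24", "0.0.0.0/0"]}
    print(diagnose(policy_fw, enable_auto_learn(pol), learned))
    print(audit_learned_prefixes(learned["ipPrefixes"]))
```

Feed `diagnose` the real GET bodies of the firewall and its policy and the POST body from the question; with a classic-rules firewall it stops at the first branch, which is the situation in the thread. After migrating to a policy and applying the `enable_auto_learn` body with PUT, keep running the audit on each learning cycle: a peer that starts advertising a default route or public space would otherwise widen the no-SNAT set without any rule change on the firewall.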

