Azure Firewall Telnet Behaviour

Question

Azure Firewall Telnet Behaviour

Andrea Longhitano 180

Hello everyone,

I have a strange behavior in Azure Firewall.

Traffic from ip 192.168.1.1 to example.com is denied by default on port 443. The traffic from 192.168.1.1 pass through the firewall. If I execute the command telnet example.com 433 it works fine and I don't see any deny logs in the firewall. However, of I execute a curl command, it doesn't work as expected and I see deny on the firewall.

The question is: why the telnet works fine?

Thanks,

Andrea

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Marcin Policht 66,250 MVP Volunteer Moderator

The reason telnet works while curl is denied is that telnet only tests the TCP handshake, not actual application-layer traffic. When you run telnet example.com 443, it opens a TCP connection, which the firewall allows, so no deny logs appear. In contrast, curl https://example.com sends a full HTTPS request (TLS handshake + HTTP headers), which is subject to the firewall’s application or network rules for actual HTTPS traffic. If the firewall blocks HTTPS requests from 192.168.1.1, curl fails and a deny log is generated, even though the underlying TCP connection would succeed.

In short, telnet only tests TCP connectivity while curl tests real HTTPS traffic, which can be blocked by the firewall.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Andrea Longhitano 180 Reputation points

2025-10-03T22:29:48.8866667+00:00

Is there a way to block telnet? Also all the network rules of my firewall work in deny mode.
Marcin Policht 66,250 Reputation points MVP Volunteer Moderator

2025-10-03T23:16:04.86+00:00
Yep - you can block telnet, but you have to understand what “telnet” really is in this context. Telnet is just a TCP connection to a port, so the firewall doesn't know whether you're using telnet or some other TCP client—it only sees TCP traffic on a given port.

Since your Azure Firewall network rules are already in deny mode, here's how it applies:

Blocking by port:

If you deny outbound TCP to port 443 (or any target port), all TCP connections to that port (including telnet) will be blocked.

Telnet only works because the network rules currently allow TCP to the target port.

Blocking by source IP:

You can deny traffic from 192.168.1.1 specifically, which will stop telnet and other TCP clients.

Application-layer inspection:

Azure Firewall cannot block “telnet” specifically as an application—because telnet itself is just raw TCP.

You would need a WAF or IDS/IPS if you want to filter based on protocol semantics or detect telnet-style sessions on non-standard ports.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Tourica 10 Reputation points

2025-10-04T07:59:00.7466667+00:00

On Microsoft forums, it's best not to disclose your personal IP address.

Hide your IP address as much as possible.

Reason: There's a risk of your personal IP being leaked.
Tourica 10 Reputation points

2025-10-04T08:11:06.8066667+00:00

To learn how to block

Telnet, go to this page.
https://techdocs.broadcom.com/us/en/fibre-channel-networking/fabric-os/fabric-os-administration/9-1-x/v26755091/v26755390/v26753886.html

Share via

Azure Firewall Telnet Behaviour

0 additional answers

Your answer