Azure Firewall Logging and Monitoring
Effective logging and monitoring are crucial for understanding network traffic, identifying potential security threats, and troubleshooting issues with your Azure Firewall deployment. Azure Firewall integrates with Azure Monitor to provide comprehensive insights.
Key Logging and Monitoring Components
Azure Firewall Logs
Azure Firewall generates several types of logs that capture different aspects of its operation:
- AzureDiagnostics: This is the primary log table that contains events related to network traffic, threat intelligence, and firewall policy. It's recommended for most monitoring and troubleshooting scenarios.
- FirewallPolicyLogs: Contains logs specific to Azure Firewall Policy, including rule matches and network activity.
- NetworkRule: Logs network traffic that matches your defined network rules.
- ApplicationRule: Logs application traffic that matches your defined application rules.
- ThreatIntel: Logs detected threats based on Azure Firewall's threat intelligence feeds.
- FlowTrace: Provides detailed information about network flows passing through the firewall.
Azure Monitor Integration
Azure Firewall's logs can be sent to various destinations for analysis:
- Log Analytics workspace: The most common destination, allowing you to query logs using Kusto Query Language (KQL) and build dashboards.
- Azure Storage account: For long-term archiving of logs.
- Azure Event Hubs: For streaming logs to other services like SIEM (Security Information and Event Management) solutions.
Configuring Diagnostic Settings
To enable logging, you need to configure diagnostic settings for your Azure Firewall resource:
- Navigate to your Azure Firewall resource in the Azure portal.
- Under Monitoring, select Diagnostic settings.
- Click + Add diagnostic setting.
- Select the log categories you want to collect (e.g., AzureDiagnostics, NetworkRule, ApplicationRule, ThreatIntel).
- Choose the destination(s) for your logs (Log Analytics workspace, Storage account, or Event Hubs).
- Click Save.
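The same setting expressed as the ARM request the portal sends on Save, built in Python. This is an added example, not code from the page or from Azure's SDKs. It assumes placeholder resource IDs, the log category names as the page lists them, and the request shape of Microsoft.Insights/diagnosticSettings at api-version 2021-05-01-preview, which also accepts the "allLogs" category group; the three destinations are the ones named under Azure Monitor Integration above.

```python
"""Build the ARM request that creates a diagnostic setting on an Azure Firewall.

Added example (not Azure's or the page's own code). Assumptions: the resource
IDs are placeholders; category names are the ones the page lists; the request
shape is that of Microsoft.Insights/diagnosticSettings (api-version
2021-05-01-preview), which also accepts the "allLogs" category group.
"""
import json

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2021-05-01-preview"

# Category names as the page lists them (assumption: confirm the exact names
# offered in the Diagnostic settings blade of your firewall before sending).
FIREWALL_LOG_CATEGORIES = {
    "AzureDiagnostics", "FirewallPolicyLogs", "NetworkRule",
    "ApplicationRule", "ThreatIntel", "FlowTrace",
}


def diagnostic_setting_url(firewall_resource_id, setting_name):
    """PUT target: the setting is a child resource of the firewall itself."""
    return (f"{ARM_ENDPOINT}{firewall_resource_id}/providers/Microsoft.Insights"
            f"/diagnosticSettings/{setting_name}?api-version={API_VERSION}")


def build_diagnostic_setting(categories=None, workspace_id=None,
                             storage_account_id=None,
                             event_hub_auth_rule_id=None, event_hub_name=None,
                             include_metrics=True):
    """Return the request body (a dict) for the diagnostic setting.

    categories=None selects every log category via the "allLogs" group, so
    categories Azure adds later are collected without editing the setting.
    """
    if not (workspace_id or storage_account_id or event_hub_auth_rule_id):
        raise ValueError("at least one destination is required")
    if event_hub_name and not event_hub_auth_rule_id:
        raise ValueError("event_hub_name needs event_hub_auth_rule_id")

    if categories is None:
        logs = [{"categoryGroup": "allLogs", "enabled": True}]
    else:
        unknown = set(categories) - FIREWALL_LOG_CATEGORIES
        if unknown:
            raise ValueError(f"unknown log categories: {sorted(unknown)}")
        logs = [{"category": c, "enabled": True} for c in categories]

    props = {"logs": logs,
             "metrics": [{"category": "AllMetrics", "enabled": include_metrics}]}
    if workspace_id:
        props["workspaceId"] = workspace_id
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_auth_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_auth_rule_id
        if event_hub_name:
            props["eventHubName"] = event_hub_name
    return {"properties": props}


def enabled_destinations(body):
    """Which of the three destinations on the page a body actually targets."""
    props = body["properties"]
    names = {"workspaceId": "Log Analytics workspace",
             "storageAccountId": "Storage account",
             "eventHubAuthorizationRuleId": "Event Hubs"}
    return [label for key, label in names.items() if key in props]


if __name__ == "__main__":
    # Placeholder resource IDs (subscription id zeroed out).
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
    fw = f"{sub}/providers/Microsoft.Network/azureFirewalls/fw-hub"
    law = f"{sub}/providers/Microsoft.OperationalInsights/workspaces/law-security"
    body = build_diagnostic_setting(["NetworkRule", "ApplicationRule", "ThreatIntel"],
                                    workspace_id=law)
    print("PUT", diagnostic_setting_url(fw, "fw-to-law"))
    print(json.dumps(body, indent=2))
```

The body can be sent with an authenticated PUT to the URL the script prints (for example via `az rest --method put`). Sending a workspace plus a storage account in one setting is the usual pairing: the workspace serves queries and alerts, the storage account the long-term archive.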
Analyzing Logs with Log Analytics
Once logs are sent to a Log Analytics workspace, you can use KQL to query and analyze them. Here are some common query examples:
Common KQL Queries
View all network rule matches:
AzureDiagnostics
| where Category == "NetworkRule"
| project TimeGenerated, Resource, RuleCollectionGroup, Rule, Action, SourceIP, DestinationIP, Protocol, DestinationPort, PrimaryUser, UserInfo, HostName, RuleCollection, NetworkRuleName
View all application rule matches:
AzureDiagnostics
| where Category == "ApplicationRule"
| project TimeGenerated, Resource, RuleCollectionGroup, Rule, Action, SourceIP, Protocol, HostName, FQDN, UserInfo, PrimaryUser, NetworkRuleName
View threats detected by Threat Intelligence:
AzureDiagnostics
| where Category == "ThreatIntel"
| project TimeGenerated, Resource, ThreatIntelDescription, ThreatIntelType, SourceIP, DestinationIP, Port, RuleName
Count network traffic by source IP:
AzureDiagnostics
| where Category == "NetworkRule"
| summarize count() by SourceIP
| order by count_ desc
Count application traffic by FQDN:
AzureDiagnostics
| where Category == "ApplicationRule"
| summarize count() by FQDN
| order by count_ desc
Azure Firewall Metrics
Azure Monitor also provides key performance metrics for your Azure Firewall, including:
- Data processed: Total data processed by the firewall.
- Active connections: Number of active TCP connections.
- Network rules hit: Count of network rules that have been matched.
- Application rules hit: Count of application rules that have been matched.
- Threat intelligence rules hit: Count of threat intelligence rules that have been matched.
- SNAT port utilization: Percentage of SNAT ports in use.
You can view these metrics in the Azure portal under the Metrics section of your Azure Firewall resource and set up alerts based on metric thresholds.
Alerting on Firewall Events
Create alert rules in Azure Monitor based on your KQL queries or metrics to be proactively notified of security events or performance issues. Common alerts include:
- High volume of denied traffic.
- Detection of specific threat intelligence signatures.
- High SNAT port utilization.
- Unusual traffic patterns.
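The count-by-SourceIP and count-by-FQDN queries above, the threat intelligence view, and the first alert in this list ("high volume of denied traffic") reproduced in Python over constructed log rows, so the aggregation and the threshold logic can be checked before they are turned into an alert rule. This is an added example, not code from the page or from Azure. It assumes each row is a dict keyed by the column names the KQL queries project (TimeGenerated, Category, Action, SourceIP, DestinationIP, DestinationPort, FQDN, ThreatIntelDescription); the sample rows, the 15-minute window and the threshold of 3 denies are constructed values.

```python
"""Run the page's KQL aggregations and a 'high volume of denied traffic' alert
locally over constructed AzureDiagnostics-style rows (added example, not the
page's or Azure's code). Assumption: each row is a dict keyed by the column
names the KQL queries above project; sample values and thresholds are made up.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed base time


def _row(minutes, category, action, src, dst="", port=0, fqdn="", threat=""):
    """One constructed log row, `minutes` after T0."""
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "Category": category,
            "Action": action, "SourceIP": src, "DestinationIP": dst,
            "DestinationPort": port, "FQDN": fqdn, "ThreatIntelDescription": threat}


# Constructed sample: one well-behaved host and one host hitting admin ports.
SAMPLE_LOGS = [
    _row(0, "NetworkRule", "Allow", "10.0.1.4", "10.0.2.5", 443),
    _row(1, "NetworkRule", "Deny", "10.0.1.9", "203.0.113.7", 22),
    _row(2, "NetworkRule", "Deny", "10.0.1.9", "203.0.113.7", 23),
    _row(3, "NetworkRule", "Deny", "10.0.1.9", "203.0.113.7", 3389),
    _row(4, "NetworkRule", "Allow", "10.0.1.4", "10.0.2.6", 443),
    _row(5, "ApplicationRule", "Allow", "10.0.1.4", fqdn="login.microsoftonline.com"),
    _row(6, "ApplicationRule", "Allow", "10.0.1.4", fqdn="login.microsoftonline.com"),
    _row(7, "ApplicationRule", "Deny", "10.0.1.9", fqdn="updates.example"),
    _row(8, "ThreatIntel", "Deny", "10.0.1.9", "198.51.100.23", 80,
         threat="constructed: destination on threat intelligence feed"),
    _row(40, "NetworkRule", "Deny", "10.0.1.9", "203.0.113.7", 445),  # outside window
]


def count_by(records, category, column):
    """`where Category == category | summarize count() by column | order by count_ desc`."""
    counts = Counter(r[column] for r in records if r["Category"] == category)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def threat_intel_hits(records):
    """`where Category == "ThreatIntel"`, with the columns an analyst reads first."""
    return [(r["SourceIP"], r["DestinationIP"], r["DestinationPort"],
             r["ThreatIntelDescription"])
            for r in records if r["Category"] == "ThreatIntel"]


def denied_traffic_alert(records, now, window_minutes=15, threshold=3):
    """'High volume of denied traffic' alert: sources with >= threshold denies
    across network and application rules in the last window_minutes.
    Returns (fires, {source_ip: deny_count})."""
    since = now - timedelta(minutes=window_minutes)
    denies = Counter(r["SourceIP"] for r in records
                     if r["Category"] in ("NetworkRule", "ApplicationRule")
                     and r["Action"] == "Deny"
                     and since <= r["TimeGenerated"] <= now)
    offenders = {src: n for src, n in denies.items() if n >= threshold}
    return bool(offenders), offenders


if __name__ == "__main__":
    print("network traffic by source:", count_by(SAMPLE_LOGS, "NetworkRule", "SourceIP"))
    print("application traffic by FQDN:", count_by(SAMPLE_LOGS, "ApplicationRule", "FQDN"))
    print("threat intel hits:", threat_intel_hits(SAMPLE_LOGS))
    print("denied-traffic alert:",
          denied_traffic_alert(SAMPLE_LOGS, now=T0 + timedelta(minutes=15)))
```

The alert function is the local equivalent of an alert rule whose query, using the column names on this page, would be `AzureDiagnostics | where Category in ("NetworkRule", "ApplicationRule") and Action == "Deny" | summarize count() by SourceIP | where count_ >= 3`, evaluated over a 15-minute window. Tuning the threshold against a baseline of normal deny counts per source is what keeps the rule from firing on ordinary blocked noise.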