Azure Firewall Logs
This document details how to access, understand, and utilize logs generated by Azure Firewall. Logs provide critical insights into network traffic, security events, and operational status of your firewall.
Types of Azure Firewall Logs
Azure Firewall emits several diagnostic log categories (AzureFirewallDnsProxy, for example, is enabled separately when DNS proxy is in use). This document covers the two that record rule evaluations:
- Network Rule Logs (category AzureFirewallNetworkRule): a record for each flow evaluated against network rules, including flows denied because no rule matched and the default action was applied. Each record carries the protocol, the source and destination IP addresses and ports, the action taken (Allow/Deny) and, when a rule matched, the rule collection and rule name.
- Application Rule Logs (category AzureFirewallApplicationRule): a record for each HTTP/HTTPS request evaluated against application rules, with the source IP address and port, the target FQDN and port, the protocol, the action taken and, when a rule matched, the rule collection and rule name.
Log Analytics Workspace
The recommended method for collecting and analyzing Azure Firewall logs is by sending them to a Log Analytics workspace. This allows for powerful querying, visualization, and alerting.
Configuring Log Collection
To configure log collection:
- Navigate to your Azure Firewall resource in the Azure portal.
- Under the Monitoring section, select Diagnostic settings.
- Click Add diagnostic setting.
- Select the log categories you want to collect (e.g., AzureFirewallNetworkRule, AzureFirewallApplicationRule).
- Under Destination details, choose Send to Log Analytics workspace and select your desired workspace. Leave the destination table set to Azure diagnostics: the queries in this document read the AzureDiagnostics table. Choosing Resource specific instead routes the records to the AZFWNetworkRule and AZFWApplicationRule tables, which carry the same data as typed columns under a different schema.
- Click Save. Records usually start appearing in the workspace within a few minutes.
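As a check after saving the setting, the following query (an added example, not part of the original page) lists, per firewall and category, how many records arrived in the last 24 hours and how old the newest one is. A category that never arrived is simply absent from the result, so compare the rows against the categories you enabled. The 30-minute staleness threshold is an assumption; tune it to your traffic volume.

```kusto
// Per firewall and log category: records received in the last 24h and age of the newest record.
// Assumption: 30 minutes without a record is long enough to flag; tune to your traffic volume.
let stale_after = 30m;
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType == "AZUREFIREWALLS"
| where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
| summarize Events = count(), LastSeen = max(TimeGenerated) by Resource, Category
| extend Age = now() - LastSeen
| extend Status = iff(Age > stale_after, "STALE: check the diagnostic setting and the workspace", "OK")
| project Resource, Category, Events, LastSeen, Age, Status
| order by Resource asc, Category asc
```

A firewall that carries only network rules will legitimately show no AzureFirewallApplicationRule row; a firewall that carries both and shows only one is the case worth investigating.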
Querying Firewall Logs with Kusto Query Language (KQL)
Once logs are in Log Analytics, you can use Kusto Query Language (KQL) to analyze them. In the AzureDiagnostics table the per-flow details are not separate columns: they are packed into the msg_s string, for example "TCP request from 10.0.0.4:12518 to 10.1.0.5:2323. Action: Deny" or "HTTPS request from 10.1.0.5:55640 to www.bing.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002", so each query below parses that string before projecting fields. Flows denied by the default action carry "No rule matched" in place of a rule collection and rule name, and ICMP entries have no port component, so the address parse below leaves their fields empty. Here are some common queries:
Viewing all network rule logs:
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIPAddress ":" SourcePort:int " to " DestinationIPAddress ":" DestinationPort:int *
| parse msg_s with * ". Action: " ActionText
| extend Action = tostring(split(ActionText, ".")[0])
| parse msg_s with * "Rule Collection: " RuleCollection ". Rule: " Rule
| project TimeGenerated, Resource, RuleCollection, Rule, SourceIPAddress, DestinationIPAddress, DestinationPort, Protocol, Action
| order by TimeGenerated desc
Viewing all application rule logs:
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol " request from " SourceIPAddress ":" SourcePort:int " to " Fqdn ":" DestinationPort:int *
| parse msg_s with * ". Action: " ActionText
| extend Action = tostring(split(ActionText, ".")[0])
| parse msg_s with * "Rule Collection: " RuleCollection ". Rule: " Rule
| project TimeGenerated, Resource, RuleCollection, Rule, Fqdn, Protocol, Action
| order by TimeGenerated desc
Finding denied traffic for a specific IP (Destination is an IP address for network rule records and an FQDN for application rule records; msg_s is kept so the reason, such as "No rule matched", is visible):
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
| parse msg_s with * ". Action: " ActionText
| extend Action = tostring(split(ActionText, ".")[0])
| where Action == "Deny"
| parse msg_s with Protocol " request from " SourceIPAddress ":" SourcePort:int " to " Destination ":" DestinationPort:int *
| where SourceIPAddress == "10.0.0.4"
| project TimeGenerated, Category, Protocol, SourceIPAddress, Destination, DestinationPort, Action, msg_s
| order by TimeGenerated desc
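Beyond listing records, the parsed fields support detection logic. The following query (an added example, not part of the original page) flags sources whose denied flows touch many distinct destination ports or many distinct hosts inside a 5-minute window, the pattern of a port scan or a host sweep. The window and both thresholds are assumptions to tune against your own baseline of denied traffic.

```kusto
// Scan detection over denied network-rule records in AzureDiagnostics.
// Assumptions: 5-minute window, 20 distinct ports = port scan, 20 distinct hosts = host sweep.
let window = 5m;
let port_threshold = 20;
let host_threshold = 20;
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
// Address and port fields live inside msg_s; ICMP entries have no ports and parse to empty here.
| parse msg_s with Protocol " request from " SourceIPAddress ":" SourcePort:int " to " DestinationIPAddress ":" DestinationPort:int *
| parse msg_s with * ". Action: " ActionText
| extend Action = tostring(split(ActionText, ".")[0])
| where Action == "Deny"
| summarize DeniedFlows = count(),
            DistinctPorts = dcount(DestinationPort),
            DistinctHosts = dcount(DestinationIPAddress),
            SamplePorts = make_set(DestinationPort, 10)
    by Resource, SourceIPAddress, Window = bin(TimeGenerated, window)
| where DistinctPorts >= port_threshold or DistinctHosts >= host_threshold
| extend Pattern = case(DistinctPorts >= port_threshold and DistinctHosts >= host_threshold, "port scan and host sweep",
                        DistinctPorts >= port_threshold, "port scan",
                        "host sweep")
| project Window, Resource, SourceIPAddress, Pattern, DeniedFlows, DistinctPorts, DistinctHosts, SamplePorts
| order by DeniedFlows desc
```

Run it first over a quiet day to see which internal sources (monitoring probes, vulnerability scanners) trip the thresholds legitimately, then either raise the thresholds or exclude those sources with an additional where clause before turning the query into an alert rule.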
Log Fields
TimeGenerated, Resource, Category and msg_s are columns of the AzureDiagnostics table. The remaining fields are parsed out of msg_s by the queries above, under the names those queries assign; in the resource-specific tables (AZFWNetworkRule, AZFWApplicationRule) the same data appears as typed columns under slightly different names.

| Field Name | Description | Log Type |
|---|---|---|
| TimeGenerated | Timestamp of the log event. | Both |
| Resource | Name of the Azure Firewall resource as it appears in the resource ID (upper case in AzureDiagnostics). | Both |
| Category | Type of log (AzureFirewallNetworkRule or AzureFirewallApplicationRule). | Both |
| msg_s | The raw log message; every field below is parsed from it. | Both |
| RuleCollection | Name of the rule collection the matching rule belongs to; empty when no rule matched. | Both |
| Rule | Name of the rule that matched the traffic; empty when the default action was applied. | Both |
| SourceIPAddress | Source IP address of the flow. | Both |
| DestinationIPAddress | Destination IP address of the flow. | Network Rule |
| DestinationPort | Destination port of the flow. | Both |
| Protocol | Protocol of the flow: TCP, UDP or ICMP for network rules; HTTP or HTTPS for application rules. | Both |
| Fqdn | Target Fully Qualified Domain Name of the request. | Application Rule |
| Action | The action taken by the firewall (Allow or Deny). | Both |
Important Considerations
Ensure your Log Analytics workspace is configured with appropriate retention policies based on your compliance and operational needs. Azure Firewall does not sample logs at the source; to control volume in high-traffic environments, enable only the categories you need, set per-table retention, or drop unneeded rows with an ingestion-time transformation on the workspace, but keep Deny records at a minimum, since they are the ones you will need during an investigation. Anyone with write access to the workspace can shorten its retention, so for evidence that must survive an incident, add a storage account as a second diagnostic destination and enable immutable storage on it.
Tip
Use Azure Monitor workbooks to create custom dashboards for visualizing your firewall logs. This can help you quickly identify trends, anomalies, and potential security threats.
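The kind of trend view a workbook would show, as an added example that is not part of the original page: hourly counts of denied network flows per firewall over the last seven days, decomposed into a baseline and scored for anomalies with series_decompose_anomalies. The 1.5 threshold is the function's default and is an assumption to adjust for sensitivity.

```kusto
// Hourly denied-flow counts per firewall over 7 days, with anomaly scoring against a seasonal baseline.
// Assumption: 1.5 is the anomaly score threshold (the function's default); lower it for more sensitivity.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with * ". Action: " ActionText
| extend Action = tostring(split(ActionText, ".")[0])
| where Action == "Deny"
// One time series per firewall; hours with no denied flows count as 0 rather than being skipped.
| make-series DeniedFlows = count() default = 0 on TimeGenerated from ago(7d) to now() step 1h by Resource
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(DeniedFlows, 1.5)
| render anomalychart with (anomalycolumns=Anomalies)
```

To turn the same logic into an alert rule, replace the render line with an mv-expand over TimeGenerated, DeniedFlows and Anomalies and keep only the rows where Anomalies is non-zero (positive values mark spikes above the baseline, negative values dips below it).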
By effectively utilizing Azure Firewall logs, you can gain deep visibility into your network traffic, enhance your security posture, and troubleshoot connectivity issues efficiently.