Monitoring Azure Firewall

Effective monitoring of Azure Firewall is crucial for maintaining network security, identifying threats, and ensuring optimal performance. Azure provides a comprehensive suite of tools and services to monitor your firewall's health, traffic, and security events.

Key Monitoring Components

Azure Firewall offers several mechanisms for monitoring its operations:

  • Azure Monitor: This is the primary service for collecting and analyzing telemetry from your Azure resources. It provides metrics, logs, and alerts for Azure Firewall.
  • Azure Firewall Logs: Detailed logs capture network traffic, threat intelligence filtering, and policy evaluation.
  • Azure Firewall Metrics: Performance counters and operational metrics help track the health and utilization of your firewall.
  • Network Watcher: Useful for packet capture and connection troubleshooting.

Azure Monitor for Azure Firewall

Azure Monitor is your central hub for all monitoring activities. You can configure diagnostic settings to send Azure Firewall logs and metrics to various destinations.

Diagnostic Settings

To enable comprehensive monitoring, configure diagnostic settings for your Azure Firewall instance. You can choose to send the following types:

  • AzureDiagnostics: Contains logs for FirewallPolicy, NetworkRule, ApplicationRule, DNSRule, and ThreatIntel.
  • GatewayManager: Logs related to the firewall's management plane.
  • FirewallPolicyManager: Logs for firewall policy changes.
  • AzureFirewallNetworkRule: Logs specific to network rule processing.
  • AzureFirewallApplicationRule: Logs specific to application rule processing.
  • AzureFirewallThreatIntel: Logs related to threat intelligence filtering.
  • AzureFirewallDns: Logs related to DNS proxy.

These logs can be sent to:

  • Log Analytics workspace: For powerful querying and analysis using Kusto Query Language (KQL).
  • Azure Storage account: For long-term archival.
  • Event Hubs: For streaming logs to other systems or third-party SIEMs.

Metrics in Azure Monitor

Azure Firewall exposes key metrics that provide insights into its performance and health. Some common metrics include:

Metric Name                Description
TotalNetworkTraffic        Total network traffic processed by the firewall.
TotalApplicationTraffic    Total application traffic processed by the firewall.
ConnectionsEstablished     Number of active network connections.
NetworkRulesHit            Number of times network rules were matched.
ApplicationRulesHit        Number of times application rules were matched.
ThreatIntelRulesHit        Number of times threat intelligence rules were triggered.

Alerting

Set up alerts in Azure Monitor to notify you of critical events or performance thresholds. This can include:

  • High network traffic volumes.
  • Increased connection failures.
  • A significant number of threat intelligence hits.
  • Firewall availability issues.

Tip: Integrate Azure Firewall logs with Azure Sentinel or other SIEM solutions for advanced threat detection and incident response.

Analyzing Azure Firewall Logs

Logs collected in a Log Analytics workspace are invaluable for detailed analysis and troubleshooting. You can use KQL queries to filter, correlate, and visualize your firewall data.

Common Log Query Examples

Here are a few examples of KQL queries you might use:

All traffic logs in the last hour:

AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| project TimeGenerated, RuleCollection, Rule, Protocol, SourceIP, DestinationIP, DestinationPort, Action, RuleType

Threat intelligence hits:

AzureDiagnostics
| where TimeGenerated > ago(1d)
| where Category == "AzureFirewallThreatIntel"
| project TimeGenerated, ThreatIntelDescription, ThreatIntelSource, SourceIP, DestinationIP

Top destination IPs by traffic volume:

AzureDiagnostics
| where TimeGenerated > ago(1d)
| where Category == "AzureFirewallNetworkRule"
| summarize TrafficBytes=sum(bytes_sent + bytes_received) by DestinationIP
| order by TrafficBytes desc
| take 10

Note: The exact table names and schema might vary slightly based on your diagnostic settings and Azure Firewall version. Always refer to the latest Azure documentation for precise details.
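When firewall logs are exported from the legacy AzureDiagnostics table (for example to a storage account or Event Hubs, as described above), the event details arrive as free text in the msg_s column rather than as separate fields. The Python below is an added example, not part of the original page: it parses that text into structured fields and tallies denied flows per source and destination. It assumes the msg_s shape shown in Microsoft's sample firewall logs, and the rows it processes are constructed here, not real telemetry.

```python
import re
from collections import Counter

# Legacy AzureDiagnostics rows carry the firewall event as free text in msg_s, e.g.
# "TCP request from 10.0.0.4:51990 to 10.0.1.5:3389. Action: Deny. Rule Collection: RC1. Rule: R1"
# The pattern assumes that documented shape; Rule Collection / Rule are optional because
# default-action denies end in "No rule matched. Proceeding with default action" instead.
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src_ip>[^:\s]+):(?P<src_port>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dst_port>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+))?"
    r"(?:\. Rule: (?P<rule>[^.]+))?"
)

def parse_row(row):
    """Return a structured event dict for one AzureDiagnostics row, or None if msg_s is unparseable."""
    m = MSG_RE.match(row.get("msg_s", ""))
    if not m:
        return None
    event = m.groupdict()           # dst is an IP for network rules, an FQDN for application rules
    event["dst_port"] = int(event["dst_port"])
    event["category"] = row.get("Category", "")
    return event

def deny_summary(rows):
    """Count denied flows per source IP and per destination, the first view an analyst wants."""
    events = [e for e in map(parse_row, rows) if e is not None]
    denied = [e for e in events if e["action"].lower() == "deny"]
    return {
        "parsed": len(events),
        "denied": len(denied),
        "by_source": Counter(e["src_ip"] for e in denied),
        "by_destination": Counter(f'{e["dst"]}:{e["dst_port"]}' for e in denied),
    }

# Constructed sample rows in the shape of AzureDiagnostics (Category, msg_s); not real telemetry.
SAMPLE_ROWS = [
    {"Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.0.0.4:51990 to 10.0.1.5:3389. Action: Deny. Rule Collection: RC-Default. Rule: DenyRDP"},
    {"Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.0.0.4:51991 to 10.0.1.5:3389. Action: Deny. Rule Collection: RC-Default. Rule: DenyRDP"},
    {"Category": "AzureFirewallNetworkRule",
     "msg_s": "UDP request from 10.0.0.7:53000 to 10.0.1.9:53. Action: Allow. Rule Collection: RC-DNS. Rule: AllowDNS"},
    {"Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.0.0.7:55640 to www.example.com:443. Action: Deny. No rule matched. Proceeding with default action"},
    {"Category": "AzureFirewallNetworkRule", "msg_s": "not a firewall event"},
]

if __name__ == "__main__":
    print(deny_summary(SAMPLE_ROWS))
```

Rows whose msg_s does not match the expected shape are dropped rather than raising, so a schema change in a newer firewall version shows up as a falling "parsed" count instead of a crashed pipeline.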

Best Practices for Monitoring

  • Regularly review logs: Don't just set up logging; actively analyze the data for suspicious activity or anomalies.
  • Configure meaningful alerts: Tailor alerts to your organization's specific security posture and operational needs.
  • Establish baselines: Understand normal traffic patterns to better identify deviations.
  • Use visualization tools: Azure Monitor workbooks and Azure Dashboards can provide at-a-glance views of your firewall's status.
  • Integrate with SIEM: For advanced security operations, pipe logs into a Security Information and Event Management (SIEM) system.

Important: Ensure that your diagnostic settings are correctly configured to capture the relevant logs and metrics for effective monitoring and troubleshooting.