Troubleshooting Azure Firewall
Introduction
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. This document provides guidance on common troubleshooting scenarios encountered when working with Azure Firewall.
Common Issues and Solutions
1. Traffic Not Flowing Through Firewall
This is a common issue indicating a misconfiguration in routing or network security rules.
- Check Route Tables: Ensure that the route table associated with your subnets has a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address.
- Verify Network Security Groups (NSGs): While Azure Firewall handles many filtering tasks, NSGs on the Azure Firewall's subnet and peered subnets can still block traffic. Review NSG rules to ensure they allow necessary inbound and outbound traffic to/from the firewall.
- Firewall Policy Rules: Confirm that your Azure Firewall policy has explicit rules allowing the desired traffic (both Network and Application rules).
- Source/Destination IP Addresses: Double-check that the source and destination IP addresses in your traffic logs and firewall rules match correctly.
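The route-table check above is easy to get subtly wrong: a 0.0.0.0/0 route exists but points at the wrong IP, or a more specific prefix quietly carries traffic around the firewall. As an added example (not part of this page or of Microsoft's tooling), the following Python script validates an exported route table. The object mirrors the fields of `az network route-table show -o json` (`routes[].addressPrefix`, `nextHopType`, `nextHopIpAddress`); the sample table and the firewall IP 10.0.1.4 are constructed placeholders.

```python
import ipaddress

# Placeholder (constructed): the firewall's private IP in AzureFirewallSubnet.
FIREWALL_PRIVATE_IP = "10.0.1.4"

# Constructed sample in the shape of `az network route-table show -o json`
# (assumption: only the fields this check reads are reproduced).
SAMPLE_ROUTE_TABLE = {
    "name": "rt-spoke1",
    "routes": [
        {"name": "default-to-firewall", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
        {"name": "bypass-storage", "addressPrefix": "20.0.0.0/8",
         "nextHopType": "Internet", "nextHopIpAddress": None},
    ],
}


def check_default_route(route_table, firewall_ip):
    """Return a list of findings; an empty list means every prefix in the
    table is sent to the firewall."""
    findings = []
    routes = route_table.get("routes", [])

    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 route: spoke traffic never reaches the firewall")
        return findings

    route = default[0]
    if route["nextHopType"] != "VirtualAppliance":
        findings.append(
            f"default route next hop is {route['nextHopType']}, expected VirtualAppliance")
    elif route.get("nextHopIpAddress") != firewall_ip:
        findings.append(
            f"default route points at {route.get('nextHopIpAddress')}, not the firewall {firewall_ip}")

    # Longest-prefix match wins, so a more specific route whose next hop is not
    # the firewall carries that prefix around it. Such routes may be intended,
    # but each one is worth confirming when traffic "disappears".
    for r in routes:
        if r["addressPrefix"] == "0.0.0.0/0":
            continue
        if r["nextHopType"] != "VirtualAppliance" or r.get("nextHopIpAddress") != firewall_ip:
            prefix = ipaddress.ip_network(r["addressPrefix"], strict=False)
            findings.append(
                f"route '{r['name']}' sends {prefix} to {r['nextHopType']} and bypasses the firewall")
    return findings


if __name__ == "__main__":
    for finding in check_default_route(SAMPLE_ROUTE_TABLE, FIREWALL_PRIVATE_IP) or ["OK"]:
        print(finding)
```

Run it against each spoke's route table; the bypass finding is informational (a route to a VPN gateway may be deliberate), while a missing or misdirected default route explains most "traffic not flowing" tickets.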
2. Azure Firewall Threat Intelligence-Based Filtering Not Working
This feature helps block outbound traffic to known malicious IP addresses, URLs, and FQDNs.
- Enable Threat Intelligence: Ensure that the threat intelligence filtering mode is enabled in your Azure Firewall policy (e.g., 'Deny', 'Alert', or 'Divert').
- Update Threat Intelligence Feeds: Microsoft automatically updates threat intelligence feeds. If you suspect an outdated feed, consider contacting Azure support.
- Check for Overrides: Ensure there are no explicit rules in your firewall policy that allow traffic to destinations that should be blocked by threat intelligence.
3. Application Rule Issues
Application rules allow you to filter HTTP and HTTPS traffic based on FQDNs.
- FQDN Tags: Use built-in FQDN tags for common Microsoft services where appropriate.
- Wildcard Usage: When using wildcards (e.g., *.example.com), ensure they are correctly formatted.
- Protocol and Port: Verify that the protocol (HTTP/HTTPS) and port are correctly specified in the application rule.
- TLS Inspection: If TLS inspection is enabled, ensure the certificate chain is correctly configured and trusted by the clients accessing the resources.
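To make the "correctly formatted" wildcard point concrete, here is an added Python example (not from this page or from Azure's own validation code) that lints target FQDNs before they go into an application rule and shows which host names a pattern matches. The accepted syntax (a bare `*`, or `*.` only as the whole leftmost label, host name only) and the matching rule that `*.example.com` does not cover the apex `example.com` are assumptions to confirm against the Azure Firewall documentation for your SKU; the sample targets are constructed.

```python
import re

# Constructed target FQDNs as they might be typed into an application rule.
SAMPLE_TARGETS = [
    "*.example.com",            # valid wildcard
    "www.contoso.com",          # valid plain FQDN
    "*",                        # valid: any FQDN
    "api.*.example.com",        # wildcard not in the leftmost label
    "*example.com",             # wildcard must be a whole label
    "https://www.example.com",  # scheme does not belong in a target FQDN
]

DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_target_fqdn(target):
    """Return None when the target is acceptable, otherwise a reason.

    Assumed rules (verify against the Azure Firewall docs for your SKU):
    a bare '*' is allowed; a wildcard may only be the whole leftmost label;
    the value is a host name only, with no scheme, port or path."""
    t = target.strip().lower()
    if t == "*":
        return None
    if "://" in t or "/" in t or ":" in t:
        return "must be a host name only: no scheme, port or path"
    host = t[2:] if t.startswith("*.") else t
    if "*" in host:
        return "wildcard must be the whole leftmost label, e.g. '*.example.com'"
    if not host or not all(DNS_LABEL.match(label) for label in host.split(".")):
        return f"'{target}' is not a valid DNS name"
    return None


def fqdn_matches(target, hostname):
    """Assumed matching semantics: '*.example.com' covers every subdomain of
    example.com but not the apex 'example.com', which needs its own entry."""
    t = target.strip().lower()
    h = hostname.strip().lower().rstrip(".")
    if t == "*":
        return True
    if t.startswith("*."):
        suffix = t[1:]  # ".example.com"
        return h.endswith(suffix) and len(h) > len(suffix)
    return h == t


def lint_targets(targets):
    """Map each rejected target to the reason it was rejected."""
    problems = {}
    for target in targets:
        reason = validate_target_fqdn(target)
        if reason:
            problems[target] = reason
    return problems


if __name__ == "__main__":
    for target, reason in lint_targets(SAMPLE_TARGETS).items():
        print(f"{target}: {reason}")
    print(fqdn_matches("*.example.com", "app.example.com"),
          fqdn_matches("*.example.com", "example.com"))
```

The apex case is the one that most often surprises people: a rule for `*.example.com` leaves requests to `example.com` itself hitting the default deny, which shows up in the application-rule log as "No rule matched".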
4. Connectivity to On-Premises Resources via Hub-Spoke Model
This section covers connectivity between spoke VNets and on-premises networks when that traffic is routed through Azure Firewall in the hub.

- VNet Peering: Ensure VNet peering between spokes and the hub VNet is configured correctly with 'Allow Gateway Transit' and 'Use Remote Gateway' enabled on the spoke VNet peering.
- VPN/ExpressRoute Gateway: Verify the VPN or ExpressRoute gateway in the hub VNet is functioning correctly and has established connections.
- On-Premises Firewall: Ensure your on-premises firewall allows traffic to and from the Azure Firewall's public IP address.
5. High CPU Utilization on Azure Firewall
This can indicate excessive traffic or complex rule sets.
- Analyze Firewall Logs: Use Azure Monitor and Azure Firewall logs to identify the sources and types of traffic causing high utilization.
- Optimize Rule Sets: Review and consolidate your firewall rules. Redundant or overly broad rules can impact performance.
- Scale Up: If the workload legitimately requires more capacity, consider scaling up your Azure Firewall SKU (e.g., Standard to Premium).
- Traffic Shaping: Implement traffic shaping policies if certain types of traffic are overwhelming the firewall.
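Two of the checks above, the "Check for Overrides" item under threat intelligence and "Optimize Rule Sets" here, both come down to reading the policy for allow rules that are broader than intended or simply duplicated. The following Python script is an added example (not part of this page or of Azure's tooling) that does both over a deliberately simplified policy model; the structure and all rule values are constructed, and a real export from `az network firewall policy rule-collection-group show` would first have to be mapped onto this shape.

```python
# Constructed, simplified policy model (assumption: a real export nests rules
# under ruleCollections[].rules[] with more fields; map those onto this shape).
SAMPLE_POLICY = [
    {"collection": "net-allow", "priority": 100, "action": "Allow", "rules": [
        {"name": "dns-out", "type": "NetworkRule", "protocols": ["UDP"],
         "source": ["10.0.0.0/16"], "destination": ["168.63.129.16"], "ports": ["53"]},
        {"name": "allow-any", "type": "NetworkRule", "protocols": ["Any"],
         "source": ["*"], "destination": ["*"], "ports": ["*"]},
        {"name": "dns-out-copy", "type": "NetworkRule", "protocols": ["UDP"],
         "source": ["10.0.0.0/16"], "destination": ["168.63.129.16"], "ports": ["53"]},
    ]},
    {"collection": "app-allow", "priority": 200, "action": "Allow", "rules": [
        {"name": "windows-update", "type": "ApplicationRule", "protocols": ["Https:443"],
         "source": ["10.0.0.0/16"], "destination": ["*.windowsupdate.com"], "ports": []},
    ]},
]


def broad_allow_rules(policy):
    """Allow rules that match any source to any destination, returned in
    priority order. These are the first place to look when traffic you
    expected to be blocked is still getting out."""
    hits = []
    for coll in sorted(policy, key=lambda c: c["priority"]):
        if coll["action"] != "Allow":
            continue
        for rule in coll["rules"]:
            if "*" in rule["source"] and "*" in rule["destination"]:
                hits.append((coll["collection"], rule["name"]))
    return hits


def duplicate_rules(policy):
    """Groups of rules with identical match criteria and action. Each group can
    be collapsed to a single rule, which shrinks the set the firewall evaluates
    on every new connection."""
    groups = {}
    for coll in policy:
        for rule in coll["rules"]:
            key = (coll["action"], rule["type"], tuple(rule["protocols"]),
                   tuple(rule["source"]), tuple(rule["destination"]), tuple(rule["ports"]))
            groups.setdefault(key, []).append(f"{coll['collection']}/{rule['name']}")
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    print("broad allow rules:", broad_allow_rules(SAMPLE_POLICY))
    print("duplicate rules:  ", duplicate_rules(SAMPLE_POLICY))
```

A broad allow such as `allow-any` is also worth flagging for the threat-intelligence case: if alerting rather than denying is in effect, it is the rule that lets the flagged connection complete.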
Diagnostic Tools
Azure Firewall provides several built-in diagnostic tools to help you identify and resolve issues:
- Azure Monitor: Collect and analyze metrics and logs for Azure Firewall. Key metrics include network traffic, connection counts, and threat intelligence hits.
- Azure Firewall Diagnostic Logs: The following log categories are particularly useful:
  - AzureFirewallNetworkRule: Logs network rule processing.
  - AzureFirewallApplicationRule: Logs application rule processing.
  - AzureFirewallThreatIntel: Logs threat intelligence hits.
  - AzureFirewallPolicySignature: Logs signature-based intrusion detection events (Premium SKU).
  - AzureFirewallPolicyDns: Logs DNS proxy activity.
- Packet Capture: Use packet capture on the Azure Firewall's management or data plane NIC to inspect traffic directly.
- Connection Troubleshoot (Azure Network Watcher): While not directly on the firewall, this tool can help diagnose connectivity issues between two endpoints within Azure, which can indirectly point to firewall problems.
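The network-rule and application-rule log categories listed above are the same data the "Analyze Firewall Logs" step in the high-CPU section relies on. As an added example (not part of this page), the following Python script parses messages written in the style of those records' msg field, separates default-deny hits ("No rule matched", the signature of a missing rule) from threat-intelligence hits, and ranks the sources generating the most denied connections. The log lines are constructed samples, not captured from a real deployment, and the message layout is an assumption to verify against your own exported records.

```python
import re
from collections import Counter

# Constructed messages in the style of the msg field of
# AzureFirewallNetworkRule / AzureFirewallApplicationRule records.
SAMPLE_LOG = [
    "TCP request from 10.0.2.4:52213 to 10.0.3.4:22. Action: Allow. Rule Collection: net-allow. Rule: ssh-to-spoke2",
    "TCP request from 10.0.2.4:52214 to 10.0.3.4:1433. Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.0.2.5:44321 to www.example.com:443. Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.0.2.5:44322 to login.microsoftonline.com:443. Action: Allow. Rule Collection: app-allow. Rule: m365",
    "UDP request from 10.0.2.4:5000 to 10.0.3.4:53. Action: Deny. No rule matched. Proceeding with default action",
    "HTTP request from 10.0.2.6:40001 to bad.example.test:80. Action: Deny. ThreatIntel: Malicious URL",
]

# Assumed layout: "<proto> request from <src>:<port> to <dst>:<port>. Action: <action>. <details>"
LINE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)\.?(?P<rest>.*)$")


def parse_line(line):
    """Return the fields of one message as a dict, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rest"] = rec["rest"].strip()
    rec["default_deny"] = "No rule matched" in rec["rest"]
    rec["threat_intel"] = "ThreatIntel" in rec["rest"]
    return rec


def summarize(lines):
    """Aggregate parsed records into the views a troubleshooter wants first."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    by_action = Counter(r["action"] for r in records)
    denied_sources = Counter(r["src"] for r in records if r["action"] == "Deny")
    return {
        "by_action": dict(by_action),
        # Busiest denied sources: a chatty host retrying against a deny is a
        # common cause of both "traffic not flowing" tickets and load spikes.
        "top_denied_sources": denied_sources.most_common(5),
        # Flows that hit the implicit deny: candidates for a missing rule.
        "default_denies": [(r["src"], r["dst"], r["dport"]) for r in records if r["default_deny"]],
        "threat_intel": [(r["src"], r["dst"]) for r in records if r["threat_intel"]],
        "unparsed": sum(1 for l in lines if parse_line(l) is None),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When the logs are in a Log Analytics workspace the same grouping is a short query, but having the parser locally is useful for exported CSV/JSON and for confirming what a given msg string actually contains before building alerts on it.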
Best Practices for Troubleshooting
To streamline troubleshooting:
- Enable Logging Early: Ensure Azure Firewall diagnostic logs are configured to be sent to a Log Analytics workspace, Event Hubs, or a storage account from the moment of deployment.
- Use Tagging: Tag your firewall rules and resources logically to make them easier to identify in logs.
- Document Your Configuration: Maintain clear documentation of your network topology, routing, and firewall rules.
- Test Changes Incrementally: When making changes to rules or configurations, test them one by one to isolate potential issues.
For advanced troubleshooting, including TLS inspection and Signature-based Intrusion Detection (Premium SKU), refer to the official Azure Firewall documentation for specific guidance.