Monitoring Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. Effective monitoring is crucial to understand traffic patterns, identify threats, and ensure the firewall is operating as expected. This tutorial will guide you through the essential monitoring capabilities of Azure Firewall.
Key Monitoring Tools and Concepts
- Azure Monitor: The primary service for collecting and analyzing telemetry from your Azure resources.
- Azure Firewall Logs: Network rule logs, application rule logs, and threat intelligence logs provide granular details about traffic denied or allowed by the firewall.
- Metrics: High-level performance indicators that help you track the health and activity of your firewall.
- Alerts: Proactive notifications based on specific metric thresholds or log events.
Accessing Azure Firewall Logs
To start monitoring, you need to enable diagnostic settings for your Azure Firewall. This sends the firewall logs to a Log Analytics workspace, an Azure Storage account, or an Event Hub.
Enabling Diagnostics Settings:
- Navigate to your Azure Firewall resource in the Azure portal.
- Under the Monitoring section, select Diagnostic settings.
- Click Add diagnostic setting.
- Select the log categories you want to collect (e.g., AzureFirewallNetworkRule, AzureFirewallApplicationRule, AzureFirewallThreatIntel).
- Choose a destination for your logs (e.g., send to a Log Analytics workspace).
- Click Save.
Analyzing Firewall Logs with Log Analytics
Once logs are sent to a Log Analytics workspace, you can use Kusto Query Language (KQL) to query and analyze them.
Common KQL Queries:
Network Rule Logs:
AzureFirewallNetworkRule
| where FirewallAction == "Deny"
| summarize count() by Protocol, DestinationPort, SourceIP, DestinationIP
| order by count_ desc
Application Rule Logs:
AzureFirewallApplicationRule
| where RuleCollectionAction_Type == "Deny"
| summarize count() by FQDN, SourceIP
| order by count_ desc
Threat Intelligence Logs:
AzureFirewallThreatIntel
| where Action == "Block"
| summarize count() by RemoteIP, ThreatDescription
| order by count_ desc
Important
Regularly review these logs to identify any unexpected traffic patterns or potential security incidents. Customize queries to focus on specific IP addresses, ports, or FQDNs relevant to your environment.
Leveraging Azure Monitor Metrics
Azure Monitor provides key metrics for your firewall, offering a quick overview of its performance.
Key Firewall Metrics:
- Packets In/Out: Total packets processed by the firewall.
- Bytes In/Out: Total data volume processed.
- SNAT Connections: Number of Source Network Address Translation connections.
- DNAT Connections: Number of Destination Network Address Translation connections.
- Firewall Capacity: Indicates how close the firewall is to its processing limits.
You can view these metrics on the Overview page of your Azure Firewall resource or by going to Metrics under the Monitoring section.
Pro Tip
Pin important firewall metrics to your Azure Dashboard for at-a-glance monitoring.
Setting Up Azure Firewall Alerts
Alerts notify you when specific conditions are met, enabling proactive response to issues.
Example Alert Rule: High Volume of Denied Network Traffic
- Navigate to Alerts under the Monitoring section of your Azure Firewall.
- Click Create alert rule.
- Select the appropriate scope (your Azure Firewall).
- Under Condition, choose Log as the signal type.
- Enter the KQL query to detect a high volume of denied network rule actions.
- Configure the threshold (e.g., alert if the count of denied rules exceeds 100 in 5 minutes).
- Define an Action Group to specify how you want to be notified (e.g., email, SMS, webhook).
- Name your alert rule and save it.
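As an added example (not part of the original tutorial), here is one query that could be entered at the Condition step above: it counts denies per 5-minute bin using the table and column names the page's own queries use, and adds two columns that make triage easier when the alert fires. It assumes the standard TimeGenerated timestamp column is present; the 100-in-5-minutes threshold is the one given in the steps.

```kql
// Detection query for the "High Volume of Denied Network Traffic" alert.
// Table and column names follow the queries earlier on this page;
// TimeGenerated is assumed to be the standard Log Analytics timestamp.
AzureFirewallNetworkRule
| where TimeGenerated > ago(1h)                 // lookback covered by each alert evaluation
| where FirewallAction == "Deny"
| summarize
    DeniedCount     = count(),                  // denies in this 5-minute bin
    DistinctSources = dcount(SourceIP),         // 1 noisy host vs. many hosts
    TopTargets      = make_set(strcat(DestinationIP, ":", tostring(DestinationPort)), 5)
  by bin(TimeGenerated, 5m)
| where DeniedCount > 100                       // threshold from the alert steps above
| order by TimeGenerated desc
```

If the alert rule's measure is set to the number of rows returned, any row returned by this query means a bin crossed the threshold, so the rule can simply fire when the row count is greater than zero.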
You can create similar alerts for application rule denials, threat intelligence blocks, or significant changes in key metrics like packet throughput.
Conclusion
Monitoring Azure Firewall effectively involves a combination of log analysis, metric observation, and proactive alerting. By utilizing Azure Monitor and Log Analytics, you can gain deep insights into your network traffic, ensure security policies are enforced, and maintain the availability of your network resources.