Azure Firewall Monitoring

Table of Contents
  • Overview
  • Prerequisites
  • Enable Diagnostic Logging
  • Azure Monitor Metrics
  • Log Analytics Queries
  • Creating Alerts
  • Automation with PowerShell/CLI
  • FAQ
  • Related Articles

Overview

This tutorial walks you through monitoring Azure Firewall using Azure Monitor, Log Analytics, and Azure Alerts. You'll learn how to enable diagnostic settings, visualize key metrics, query logs, and set up automated notifications.

Prerequisites

Enable Diagnostic Logging

Navigate to your Azure Firewall resource and configure diagnostic settings.

  1. Open Azure Portal > your Azure Firewall > Diagnostic settings.
  2. Click Add diagnostic setting.
  3. Name the setting, select Send to Log Analytics workspace and pick the workspace, then enable the following log categories:
    • AzureFirewallNetworkRule
    • AzureFirewallApplicationRule
    • AzureFirewallDnsProxy
  4. Under Metrics, enable AllMetrics.
  5. Click Save.

Leave the destination table at Azure diagnostics (the AzureDiagnostics table) for this tutorial; the queries below parse the msg_s column of that table, and the resource-specific tables use different category and column names. The DNS proxy category only produces records when DNS proxy is enabled on the firewall (or its policy).

Azure Monitor Metrics

Key metrics you can monitor:

Metric | Description
SNAT port utilization | Percentage of outbound SNAT ports in use; sustained high values mean new outbound connections will start to fail
Network rules hit count | Network rule evaluations, with a Status dimension (Allow or Deny) you can filter on to count denied connections
Application rules hit count | Application rule evaluations, with the same Status dimension
Firewall health state | Overall health of the firewall as a percentage, with Status and Reason dimensions explaining any degradation

To view metrics, open Azure Monitor > Metrics, select your firewall, and add the metrics above to a chart.

Log Analytics Queries

Run these queries in Log Analytics to extract actionable insights. In the AzureDiagnostics table the connection details (protocol, source, destination, action) are not separate columns; Azure Firewall writes them as text in the msg_s column, so each query parses that column first.

1. Top 10 source IPs hitting the firewall

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " Target ":" TargetPort:int *
| where isnotempty(SourceIP)
| summarize Count = count() by SourceIP
| top 10 by Count desc

ICMP entries carry no ports and do not match this pattern, so they are excluded by the isnotempty filter.

2. Denied traffic over the last 24h

AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " DestinationIP ":" DestinationPort:int *
| extend Action = extract(@"Action: (\w+)", 1, msg_s)
| where Action == "Deny"
| summarize Count = count() by DestinationIP, DestinationPort
| top 20 by Count desc

Put the TimeGenerated filter first so the query only scans the last day of data before parsing.

3. DNS queries logged by the firewall

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort:int " - " QueryId:int " " QueryType " " QueryClass " " QueryName ". " *
| where isnotempty(QueryName)
| summarize Queries = count() by QueryName, ClientIP
| top 15 by Queries desc
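The three queries above depend on the exact layout of msg_s, which is easier to see with the parsing done in plain code. The following is an added example, not code from the page or from Microsoft: it re-implements the three queries over constructed (Category, msg_s) rows that follow the documented message formats, and query 2 goes one step beyond the KQL by also counting application-rule denies, where the destination is an FQDN rather than an IP. Field names are this example's own choice.

```python
"""Offline re-implementation of the three Log Analytics queries above.

Added example; not code from the page or from Microsoft. It parses the msg_s
column that Azure Firewall writes into the AzureDiagnostics table so you can
see what the KQL parse/extract steps rely on. SAMPLE is constructed data.
"""
import re
from collections import Counter

RULE_CATEGORIES = {"AzureFirewallNetworkRule", "AzureFirewallApplicationRule"}

# Network and application rule decisions share one shape. NAT entries
# ("... was DNAT'ed to ...") carry no "Action:" clause and are skipped.
RULE_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
)
# DNS proxy requests: "DNS Request: <client>:<port> - <id> <type> <class> <name>. <proto> ..."
DNS_RE = re.compile(
    r"^DNS Request: (?P<client>[\d.]+):(?P<cport>\d+) - (?P<qid>\d+) "
    r"(?P<qtype>\w+) (?P<qclass>\w+) (?P<qname>\S+) (?P<proto>\w+) "
)


def parse_rule(msg):
    """Fields of a network/application rule decision, or None for other messages."""
    m = RULE_RE.match(msg)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_dns(msg):
    """Fields of a DNS proxy request line, or None for other DNS proxy messages."""
    m = DNS_RE.match(msg)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".")  # logged names are fully qualified
    return rec


def top_sources(records, n=10):
    """Query 1: busiest source IPs across network and application rule logs."""
    counts = Counter()
    for category, msg in records:
        rec = parse_rule(msg) if category in RULE_CATEGORIES else None
        if rec:
            counts[rec["src"]] += 1
    return counts.most_common(n)


def denied_destinations(records, n=20):
    """Query 2: denied (destination, port) pairs, including FQDN targets from application rules."""
    counts = Counter()
    for category, msg in records:
        rec = parse_rule(msg) if category in RULE_CATEGORIES else None
        if rec and rec["action"] == "Deny":
            counts[(rec["dst"], rec["dport"])] += 1
    return counts.most_common(n)


def dns_queries(records, n=15):
    """Query 3: (query name, client IP) pairs from the DNS proxy log."""
    counts = Counter()
    for category, msg in records:
        rec = parse_dns(msg) if category == "AzureFirewallDnsProxy" else None
        if rec:
            counts[(rec["qname"], rec["client"])] += 1
    return counts.most_common(n)


# Constructed (Category, msg_s) rows in the documented formats; not real firewall output.
SAMPLE = [
    ("AzureFirewallNetworkRule", "TCP request from 10.0.0.4:49152 to 10.0.1.5:22. Action: Deny. Policy: fw-policy. Rule Collection Group: DefaultNetworkRuleCollectionGroup. Rule Collection: block-mgmt. Rule: deny-ssh"),
    ("AzureFirewallNetworkRule", "TCP request from 10.0.0.4:49153 to 10.0.1.5:22. Action: Deny. No rule matched. Proceeding with default action"),
    ("AzureFirewallNetworkRule", "UDP request from 10.0.0.7:53001 to 8.8.8.8:53. Action: Allow. Rule Collection: allow-dns. Rule: dns-out"),
    ("AzureFirewallNetworkRule", "TCP request from 10.0.0.4:49154 to 10.0.1.9:3389. Action: Deny. No rule matched. Proceeding with default action"),
    ("AzureFirewallApplicationRule", "HTTPS request from 10.0.0.7:44912 to www.example.com:443. Action: Allow. Rule Collection: web-out. Rule: allow-example"),
    ("AzureFirewallApplicationRule", "HTTPS request from 10.0.0.9:44913 to malware.test:443. Action: Deny. No rule matched. Proceeding with default action"),
    ("AzureFirewallDnsProxy", "DNS Request: 10.0.0.7:52493 - 1895 A IN www.example.com. udp 45 false 0 NOERROR qr,rd,ra 61 0.001122656s"),
    ("AzureFirewallDnsProxy", "DNS Request: 10.0.0.7:52494 - 1896 A IN www.example.com. udp 45 false 0 NOERROR qr,rd,ra 61 0.000912s"),
    ("AzureFirewallDnsProxy", "DNS Request: 10.0.0.9:52495 - 1897 AAAA IN malware.test. udp 41 false 0 NXDOMAIN qr,rd,ra 41 0.002s"),
]

if __name__ == "__main__":
    for title, rows in (("Top sources", top_sources(SAMPLE)),
                        ("Denied destinations", denied_destinations(SAMPLE)),
                        ("DNS queries", dns_queries(SAMPLE))):
        print(title)
        for key, count in rows:
            print("  %-40s %d" % (key, count))
```

When the firewall also logs DNAT or ICMP traffic, those lines return None from parse_rule and are dropped, which matches what the isnotempty filters do in the KQL versions.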
            

Creating Alerts

Set up alerts for critical events. Azure Firewall exposes denied traffic through the Status dimension of its rule hit count metrics rather than through a separate dropped-packets metric, so the condition filters on that dimension.

  1. In Azure Monitor, choose Alerts > Create > Alert rule.
  2. Select your Azure Firewall as the scope.
  3. Add a condition:
    • Signal type: Metrics
    • Metric: Network rules hit count
    • Dimension: Status = Deny
    • Aggregation: Total over a 5-minute lookback, evaluated every 5 minutes
    • Threshold: greater than 1000
  4. Define an action group (email, webhook, etc.).
  5. Save the rule.
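The same rule expressed as the ARM request body that the portal submits, so it can be kept in source control and applied repeatably. This is an added example and not code from the page or from Microsoft's samples: the firewall resource ID, action group ID and rule name at the bottom are placeholders, and the PUT borrows its bearer token from the Azure CLI (az account get-access-token), so it needs an az login first.

```python
"""Create the 'denied traffic' metric alert through the Azure Monitor REST API.

Added example; not from the page or from Microsoft. build_denied_traffic_alert
returns the Microsoft.Insights/metricAlerts body (api-version 2018-03-01);
put_alert_rule sends it with a token taken from the Azure CLI.
"""
import json
import subprocess
import urllib.request

API_VERSION = "2018-03-01"  # Microsoft.Insights/metricAlerts


def build_denied_traffic_alert(firewall_id, action_group_id, threshold=1000):
    """Body for an alert that fires when the firewall's NetworkRuleHit metric,
    filtered to Status = Deny, totals more than `threshold` over a 5-minute
    window, evaluated every 5 minutes. Severity 2 is Warning."""
    return {
        "location": "global",  # metric alert rules are always global
        "properties": {
            "description": "Azure Firewall denied more than %d network connections in 5 minutes" % threshold,
            "severity": 2,
            "enabled": True,
            "scopes": [firewall_id],
            "evaluationFrequency": "PT5M",
            "windowSize": "PT5M",
            "criteria": {
                "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
                "allOf": [
                    {
                        "criterionType": "StaticThresholdCriterion",
                        "name": "DeniedNetworkRuleHits",
                        "metricNamespace": "Microsoft.Network/azureFirewalls",
                        "metricName": "NetworkRuleHit",  # API name of "Network rules hit count"
                        "dimensions": [
                            {"name": "Status", "operator": "Include", "values": ["Deny"]}
                        ],
                        "operator": "GreaterThan",
                        "threshold": threshold,
                        "timeAggregation": "Total",
                    }
                ],
            },
            "actions": [{"actionGroupId": action_group_id}],
        },
    }


def alert_rule_url(firewall_id, rule_name):
    """The rule lives in the firewall's resource group; derive it from the firewall ID."""
    parts = firewall_id.strip("/").split("/")
    lower = [p.lower() for p in parts]
    sub = parts[lower.index("subscriptions") + 1]
    rg = parts[lower.index("resourcegroups") + 1]
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s/"
            "providers/Microsoft.Insights/metricAlerts/%s?api-version=%s"
            % (sub, rg, rule_name, API_VERSION))


def put_alert_rule(url, body):
    """PUT the rule with a bearer token from the logged-in Azure CLI; returns the ARM response."""
    token = subprocess.check_output(
        ["az", "account", "get-access-token", "--query", "accessToken", "-o", "tsv"],
        text=True).strip()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs (hypothetical subscription and action group): replace before running.
    fw = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
          "/providers/Microsoft.Network/azureFirewalls/myAzureFirewall")
    ag = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
          "/providers/Microsoft.Insights/actionGroups/secops-oncall")
    body = build_denied_traffic_alert(fw, ag, threshold=1000)
    print(json.dumps(put_alert_rule(alert_rule_url(fw, "fw-denied-traffic"), body), indent=2))
```

Re-running the script is idempotent because PUT on the same rule name updates the existing rule; to alert on denied application-rule traffic as well, add a second entry to allOf with metricName ApplicationRuleHit and the same Status dimension.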

Automation with PowerShell / Azure CLI

PowerShell: Retrieve firewall metrics

Install-Module -Name Az -Scope CurrentUser -Force
Connect-AzAccount
$fwName = "myAzureFirewall"
$rg = "myResourceGroup"
$fwId = (Get-AzFirewall -Name $fwName -ResourceGroupName $rg).Id
# Use the metric API names, not the portal display names:
# SNATPortUtilization, NetworkRuleHit, ApplicationRuleHit, FirewallHealth, DataProcessed, Throughput
$metric = Get-AzMetric -ResourceId $fwId -MetricName "SNATPortUtilization" `
    -TimeGrain 00:05:00 -AggregationType Average `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date)
# Get-AzMetric returns a PSMetric object; the time series samples are in its Data property
$metric.Data | Format-Table Timestamp, Average

Azure CLI: Enable diagnostic logs

az login
FW_NAME="myAzureFirewall"
RG="myResourceGroup"
LAW="myLogAnalyticsWorkspace"
SUB=$(az account show --query id -o tsv)
# Pass the workspace by resource ID; a bare name is ambiguous across resource groups
LAW_ID=$(az monitor log-analytics workspace show --resource-group "$RG" --workspace-name "$LAW" --query id -o tsv)
az monitor diagnostic-settings create \
  --name "AzureFirewallDiag" \
  --resource "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/azureFirewalls/$FW_NAME" \
  --workspace "$LAW_ID" \
  --logs '[{"category":"AzureFirewallNetworkRule","enabled":true},{"category":"AzureFirewallApplicationRule","enabled":true},{"category":"AzureFirewallDnsProxy","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]'

FAQ

How long are logs retained?
Retention is set on the Log Analytics workspace and can be overridden per table. Interactive retention defaults to 30 days and can be raised to 730 days; longer retention is available through the workspace's archive tier, where data is no longer searchable with ordinary interactive queries.
Can I send firewall logs to Event Hub?
Yes. Add an Event Hub destination when creating the diagnostic setting; this is the usual route for streaming firewall logs to a third-party SIEM.
Do metrics incur extra cost?
Platform metrics such as those listed above are collected at no charge. The diagnostic logs you send to Log Analytics are billed by ingested volume and retention, and alert rules carry their own per-rule charge.