Managing Azure Firewall reporting

Tzahi Kolber
6 min read · Apr 14, 2022

Azure Firewall is a common component of Azure deployments. One of the great Azure capabilities is the logging option that exists for almost every component configured within the Azure environment.
In this blog I will first review the Azure Firewall logging configuration and afterwards present several KQL queries that are very useful for daily use.

Monitor logs using Azure Firewall Workbook

If the pre-made graphs and statistics are enough for you, you can use the Azure Firewall workbook, which gives you rich visual reports within the Azure portal.
Here are a few examples:

If you need more accurate and specific reports and charts, read on :-)

Azure Firewall Logging

To start collecting the firewall logs, we first need to configure the diagnostic settings on the firewall.

  1. Select the firewall and click on Diagnostic settings:

2. Click on + Add diagnostic setting

3. Now type the diagnostic setting name, select the allLogs and AllMetrics options, and select the Log Analytics workspace that will keep the logs.
After everything is completed, hit Save:

  • To achieve the same result via scripts, you can use one of the following two options. Both assume the resource group contains a single firewall and a single Log Analytics workspace; otherwise pass -Name as well.

PowerShell:
# Resource ID of the firewall and of the Log Analytics workspace
$fwpath = (Get-AzFirewall -ResourceGroupName ms).Id
$loganapath = (Get-AzOperationalInsightsWorkspace -ResourceGroupName ms).ResourceId
# Send the three firewall log categories and all metrics to the workspace
Set-AzDiagnosticSetting -Name FWLogs -ResourceId $fwpath -WorkspaceId $loganapath -Category "AzureFirewallApplicationRule", "AzureFirewallNetworkRule", "AzureFirewallDnsProxy" -MetricCategory AllMetrics -Enabled:$true

CLI (the backslash line continuations are for bash; in a Windows command prompt put the command on one line and escape the inner quotes as \"):
az monitor diagnostic-settings create -n 'FWLogs' \
  --resource '/subscriptions/<Subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.Network/azureFirewalls/<Firewall name>' \
  --workspace '/subscriptions/<Subscription>/resourceGroups/<resourcegroup>/providers/microsoft.operationalinsights/workspaces/<workspace name>' \
  --logs '[{"category":"AzureFirewallApplicationRule","enabled":true},{"category":"AzureFirewallNetworkRule","enabled":true},{"category":"AzureFirewallDnsProxy","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]'

Gathering the data for the reports & charts

Once the firewall logs are being collected, we can query the data from the logs and build the reports and charts according to our needs.

  1. Navigate to the Azure Firewall and click on Logs:

2. Select the Application rule log data query and click on Run:

3. Now we can see a detailed log with multiple rows containing all the information that was parsed from the logs.
The issue, as you can see, is that the rule-related columns are empty: they are not populated with the rule collection and rule names:

  • By the way, we get the same result for the Network rule log data:

To overcome this issue, we will take a few steps, which are described at the following link: Azure Firewall preview features | Microsoft Docs

4. Import the Az module in PowerShell and connect to your subscription. After the connection is established, run the following commands:

# Register the preview feature that adds rule names to the logs, plus the accelerated networking feature
Register-AzProviderFeature -FeatureName AFWEnableNetworkRuleNameLogging -ProviderNamespace Microsoft.Network
Register-AzProviderFeature -FeatureName AFWEnableAccelnet -ProviderNamespace Microsoft.Network
# Re-register the provider so the newly registered features take effect for the subscription
Register-AzResourceProvider -ProviderNamespace Microsoft.Network

5. Registration takes a few minutes to complete. To verify that the features are registered successfully, wait a few minutes and then run the following command and check that RegistrationState shows Registered:

Get-AzProviderFeature -ProviderNamespace Microsoft.Network | ft FeatureName,RegistrationState

6. Without further action, the feature is rolled out to the firewall within several days! To reduce the waiting time and make the change take effect as quickly as possible, we have to stop and start the firewall, which might take a few minutes.

  • Before stopping and starting the firewall, schedule a maintenance window, because all traffic through the firewall is interrupted while it is deallocated!

7. Stopping and starting the firewall (the names below are placeholders; replace the firewall, resource group, virtual network and public IP names with your own):

# Stopping an existing firewall
$azfw = Get-AzFirewall -Name "we-hub-fw" -ResourceGroupName "we-hub-rg"
$azfw.Deallocate()
Set-AzFirewall -AzureFirewall $azfw

# Starting an existing firewall (the hub VNet and the firewall's public IP are needed to allocate it again)
$azfw = Get-AzFirewall -Name "we-hub-fw" -ResourceGroupName "we-hub-rg"
$vnet = Get-AzVirtualNetwork -ResourceGroupName "we-hub-rg" -Name "we-hub-vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName "we-hub-rg" -Name "we-hub-fw-pip"
$azfw.Allocate($vnet, $pip)
$azfw | Set-AzFirewall
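Steps 4 to 7 are usually run by hand with a pause in between. The following script is an added example, not code from the original post, that chains them: it registers the two features, polls Get-AzProviderFeature until both report Registered (instead of guessing how long to wait), and only then deallocates and reallocates the firewall. The resource names are placeholders, and it assumes a firewall deployed in a hub VNet with a single public IP (no management IP or forced tunneling configuration).

```powershell
# Added example (not from the original post). Placeholders: adjust to your environment.
$ResourceGroup = 'we-hub-rg'
$FirewallName  = 'we-hub-fw'
$VnetName      = 'we-hub-vnet'
$PipName       = 'we-hub-fw-pip'
$Features      = @('AFWEnableNetworkRuleNameLogging', 'AFWEnableAccelnet')

function Wait-AzFeatureRegistration {
    # Registers the given preview features and blocks until each one reports "Registered".
    param(
        [Parameter(Mandatory)] [string[]] $FeatureName,
        [string] $ProviderNamespace = 'Microsoft.Network',
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds = 30
    )
    foreach ($f in $FeatureName) {
        Register-AzProviderFeature -FeatureName $f -ProviderNamespace $ProviderNamespace | Out-Null
    }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ($true) {
        $pending = foreach ($f in $FeatureName) {
            $state = (Get-AzProviderFeature -FeatureName $f -ProviderNamespace $ProviderNamespace).RegistrationState
            Write-Host ("{0,-40} {1}" -f $f, $state)
            if ($state -ne 'Registered') { $f }
        }
        if (-not $pending) { break }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out after $TimeoutMinutes minutes waiting for: $($pending -join ', ')"
        }
        Start-Sleep -Seconds $PollSeconds
    }
    # Re-registering the provider makes the newly registered features effective for the subscription.
    Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null
}

function Restart-AzFirewallInstance {
    # Deallocates the firewall and allocates it again into the same VNet / public IP.
    # Refuses to start while a previous operation is still in progress.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $VirtualNetworkName,
        [Parameter(Mandatory)] [string] $PublicIpName
    )
    $fw = Get-AzFirewall -Name $Name -ResourceGroupName $ResourceGroupName
    if ($fw.ProvisioningState -ne 'Succeeded') {
        throw "Firewall $Name is in state '$($fw.ProvisioningState)'; wait until it is Succeeded."
    }

    Write-Host "Deallocating $Name ..."
    $fw.Deallocate()
    Set-AzFirewall -AzureFirewall $fw | Out-Null

    Write-Host "Allocating $Name ..."
    $fw   = Get-AzFirewall -Name $Name -ResourceGroupName $ResourceGroupName
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VirtualNetworkName
    $pip  = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName
    $fw.Allocate($vnet, $pip)
    $fw | Set-AzFirewall | Out-Null

    # Return the final state so the caller can verify the firewall came back.
    (Get-AzFirewall -Name $Name -ResourceGroupName $ResourceGroupName).ProvisioningState
}

# Run inside a maintenance window: traffic through the firewall stops while it is deallocated.
Wait-AzFeatureRegistration -FeatureName $Features
Restart-AzFirewallInstance -ResourceGroupName $ResourceGroup -Name $FirewallName `
    -VirtualNetworkName $VnetName -PublicIpName $PipName
```

The restart function re-reads the firewall object before allocating, because the object returned after Deallocate() no longer carries an IP configuration, and it returns the final ProvisioningState so a scheduled run can fail loudly if the firewall did not come back.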

Creating the reports & charts

Now that we have fixed the rule presentation issue, we can build reports and charts based on rules, IPs, ports and, in fact, any data from the firewall logs stored in the Log Analytics workspace!

  • All the queries used in the examples here can be found at the end of the blog, in a Word document that can be downloaded.

  1. The first query and chart show the total hits by rule, based on the firewall Network rule logs:

2. The second query and chart show the total hits by rule, based on the firewall Application rule logs:

3. The third query and chart show the total hits by source IP address, based on the firewall Application rule logs:

4. The fourth and last query and chart show the total deny count per IP address, based on the firewall Network rule logs:
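The four reports above are built in the portal. As an added example, not one of the queries from the original post or its Word document, the script below runs a "hits by rule" report for both the Network and Application rule logs from PowerShell, so it can be scheduled rather than clicked through. It assumes the logs land in the legacy AzureDiagnostics table and that, once rule name logging is active, the msg_s text ends with "Rule Collection: <collection>. Rule: <rule>"; rows that still lack a rule name (the problem fixed in the previous section) are grouped under a placeholder so they remain visible instead of silently disappearing. The workspace name is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Az.OperationalInsights module
# is installed and Connect-AzAccount has been run.
$WorkspaceRg   = 'we-hub-rg'      # placeholder
$WorkspaceName = 'we-hub-law'     # placeholder
$Days          = 7

# The workspace ID expected by the query API is the CustomerId GUID, not the ARM resource ID.
$WorkspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName).CustomerId.ToString()

# Assumption: legacy AzureDiagnostics schema, rule names appended to msg_s as
# "... Action: Allow. Rule Collection: <collection>. Rule: <rule>".
# extract() uses RE2; the lazy (.+?) stops at the first ". Rule: " so rule names may contain dots.
$Query = @"
AzureDiagnostics
| where TimeGenerated > ago(${Days}d)
| where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
| extend Action         = extract(@"Action: (\w+)", 1, msg_s)
| extend RuleCollection = extract(@"Rule Collection: (.+?)\. Rule: (.+)$", 1, msg_s)
| extend Rule           = extract(@"Rule Collection: (.+?)\. Rule: (.+)$", 2, msg_s)
| extend Rule           = iif(isempty(Rule), "(no rule name logged)", Rule)
| summarize Hits = count() by Category, Action, RuleCollection, Rule
| order by Hits desc
"@

function Get-FirewallRuleHits {
    # Runs the report and returns one object per (Category, Action, RuleCollection, Rule).
    param([string] $WorkspaceId, [string] $Query, [int] $Days)
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query `
        -Timespan (New-TimeSpan -Days $Days)
    $response.Results
}

$hits = Get-FirewallRuleHits -WorkspaceId $WorkspaceId -Query $Query -Days $Days
$hits | Format-Table Category, Action, RuleCollection, Rule, Hits -AutoSize

# Rows still missing a rule name indicate the feature has not reached the firewall yet.
$unnamed = $hits | Where-Object { $_.Rule -eq '(no rule name logged)' }
if ($unnamed) { Write-Warning "Some hits have no rule name; the rule-name logging feature may not be active yet." }
```

Before trusting the numbers, run `AzureDiagnostics | where Category == "AzureFirewallNetworkRule" | take 5` once and compare the raw msg_s text with the two regular expressions; if your firewall uses a firewall policy the message also carries "Policy:" and "Rule Collection Group:" segments, which the lazy match skips over, but any other format difference will leave the columns empty.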

Example queries

You can download the Word document with the queries used in the examples above:


Tzahi Kolber

For the last 15 years I have been working as a Senior PFE in the Exchange area at Microsoft. Now I'm a Senior Consultant for Azure IaaS, PowerShell & automation.