Organizations can rely on Microsoft Azure Firewall, a cloud-based security solution, to safeguard their data and control network traffic. This powerful tool utilizes various techniques to prevent attacks, including intrusion detection and prevention systems and malware protection. Azure Firewall, businesses can easily manage traffic between different clouds and on-premises networks and between other regions and subnets within a cloud. With precise control over inbound and outbound traffic, organizations can rest assured that they are protected against cybersecurity threats. To learn more about Azure firewall, Please visit my previous blog article.
This informative piece delves into the world of Azure Firewall logs and policy analytics.
Structured logs are a specific type of log data that adhere to a predetermined format and offer a streamlined approach to managing and analyzing information. With a predefined schema, structured logs make it easy to search, filter, and assess data. Azure Firewall’s structured logs provide a comprehensive overview of firewall events, including crucial details such as source and destination IP addresses, protocols, port numbers, and firewall actions. Additionally, the logs include proper metadata like the time of the event and the name of the Azure Firewall instance.
Structured firewall logs are required for policy analytics, allowing us to use resource-specific tables instead of standard Azure Diagnostics tables. This new method helps us with better log querying and is recommended. Resource-specific mode creates a separate table for each diagnostic setting category in the selected workspace.
The new log categories that are included in structured firewall logs are :
- Network rule log
- NAT rule log
- Application rule log
- Threat intelligence log
- IDPS log
- DNS proxy log
- Internal FQDN resolve failure log
- Application rule aggregation log
- Network rule aggregation log
- NAT rule aggregation log
- Flow trace
- Top flow log
Configuration: To activate Azure Firewall structured logs, the initial step involves setting up a Log Analytics workspace within your Azure subscription. This workspace is the storage location for all structured records Azure Firewall generates. Once the Log Analytics workspace is configured, you can enable structured logs in Azure Firewall by accessing the Diagnostic settings page in the Azure portal. Here, you must choose the Resource specific destination table and specify the particular type of events you wish to log.
Azure has recently unveiled its latest offering, Firewall Policy Analytics, which is tailored to aid IT teams in efficiently managing their Azure Firewall regulations over time. This cutting-edge feature offers actionable insights and recommendations that can bolster the optimization of Azure Firewall rules, thereby elevating security measures. With its ability to provide clear visibility into traffic flow across the Azure Firewall, Policy Analytics is a valuable tool that aids IT teams in handling a multitude of firewall management challenges.
The key capabilities available in the Azure Policy Analytics:
🔘 Policy insight panel: This collects policy insights and provides recommendations for enhancing Azure Firewall policies.
🔘 Rule analytics: The shows traffic flows that match DNAT, network, and app rules, providing better visibility and allowing for rule analysis across parent and child policies.
🔘 Single-rule analysis: The single-rule analysis experience examines traffic flows that match a selected rule and suggests optimizations based on the observed traffic flows.
🔘 Firewall flow logs: Lays out all the traffic passing through Azure Firewall, including hit rate, network, and application rule matches. This view assists in identifying top flows across all rules, and you can filter flows that match specific sources, destinations, ports, and protocols.
To configure the Azure Firewall policy analytics, perform the following steps:
- Select the Azure Firewall Manager and select Azure Firewall policies.
- Click on the policy you have created.
- Select Policy Analytics in the table of contents.
- Next, select Configure Workspaces.
- In the pane that opens, select the Enable Policy Analytics checkbox.
- Next, choose a log analytics workspace. The log analytics workspace should be the same as the Firewall attached to the policy.
- Select Save after you choose the log analytics workspace.
Pricing: The Azure firewall policy analytics feature incurs a cost. However, the number of firewalls attached to the policy does not affect the pricing for Policy Analytics. Billing for Policy Analytics is done hourly and only for the number of hours used.
I hope you found the Azure Firewall policy analytics feature helpful for your learning.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.